
Move Over Two-Factor Authentication

Veridium Author | July 5, 2016

Anyone asking how to better secure their email, Facebook, or Twitter account is going to receive the same answer – use two-factor authentication (2FA). This provides a single-use (one-time) passcode that is required after you’ve already entered in your username and password, to verify you are really the account owner.

But, as with most cybersecurity struggles, 2FA doesn’t really verify you are who you say you are.

SMS One-Time Passwords

Most consumer-facing 2FA systems are based around texting a one-time password (OTP) to the user after they have entered in their password. The user will have to have previously registered their phone number with the account to turn on 2FA, and this second verification is often only required when logging in from a new location. The OTP is usually a short string of numbers and letters, and once entered in, the user is “verified” and able to access their account.
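As an added illustration (not code from the original post), here is a minimal Python model of the SMS OTP step just described: a code is generated after the password check, is single-use and short-lived, and is only demanded again from a device the account has not seen before. The function names, the five-minute lifetime, the attempt limit and the in-memory stores are assumptions made for the example.

```python
import hmac
import secrets
import time

# Hypothetical one-time-passcode store for the SMS 2FA flow described above.
# Codes are single-use, expire after OTP_TTL seconds, and allow a bounded
# number of wrong guesses; a device that passed the check is remembered so
# the OTP is only demanded again from a device the account has not seen.
OTP_TTL = 300          # seconds a code stays valid (assumed value)
OTP_MAX_ATTEMPTS = 5   # wrong guesses before the code is discarded (assumed)
OTP_ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # no ambiguous 0/O/1/I

_pending = {}          # username -> (code, issued_at, attempts_left)
_trusted = set()       # (username, device_id) pairs that already passed 2FA


def issue_otp(username, now=None, length=6):
    """Generate a fresh code for the user; the caller sends it by SMS."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice(OTP_ALPHABET) for _ in range(length))
    _pending[username] = (code, now, OTP_MAX_ATTEMPTS)
    return code


def needs_otp(username, device_id):
    """The second factor is only demanded from a device not seen before."""
    return (username, device_id) not in _trusted


def verify_otp(username, device_id, submitted, now=None):
    """Return True at most once; a used, expired or exhausted code never verifies."""
    now = time.time() if now is None else now
    entry = _pending.get(username)
    if entry is None:
        return False
    code, issued_at, attempts_left = entry
    if now - issued_at > OTP_TTL or attempts_left <= 0:
        del _pending[username]          # expired or too many wrong guesses
        return False
    # Constant-time comparison so timing does not leak how many characters matched.
    if not hmac.compare_digest(code, submitted.strip().upper()):
        _pending[username] = (code, issued_at, attempts_left - 1)
        return False
    del _pending[username]              # single use: the code is burned
    _trusted.add((username, device_id))
    return True
```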

However, there are a few flaws with this system. First, if a hacker gains access to your account before you’ve turned on 2FA, nothing is preventing them from turning it on, locking you out of the account far more effectively than if they just change the password. Second, if a hacker gains remote or physical access to your phone, they can just as easily get the OTP and enter it in.

Another flaw in this system is, what happens if you lose your phone? If you aren’t able to access the account from a device that is already logged in (and therefore won’t require the OTP), you won’t be able to turn 2FA off or change the phone number associated with it, and end up locked out of your account.

A business might use a similar setup, using a security token that generates a time-sensitive OTP, a keyfob that relies on Near Field Communication, or a chip-based card to authorize access. These solutions suffer from the same flaws though, and, because they are physical tools, can be easily lost, costing the user time and the company money to replace.

The OTP system does add a layer of security to usernames and passwords, but in today’s age of nation-state level cyberattacks and increasing focus on individuals, rather than enterprises, as hacker targets, it isn’t enough.

Enter Multi Factor Authentication

2FA is a small part of a broader security methodology known as multi factor authentication (MFA). MFA can be expanded far beyond the scope of 2FA, however, to incorporate other authentication methods, like biometrics, to ensure you are who you say you are. From behavior, such as measuring gait or typing patterns, to fingerprint or face recognition, biometrics provide a much more convenient way to confirm a user’s identity. Not only that, when a system is properly deployed with spoofing deterrents, it allows you to truly verify, beyond a doubt, that the user is who they claim to be.

Biometrics are 100 percent unique, impossible to lose or misplace, and incredibly complicated to steal, especially with Liveness detection and other anti-spoofing safeguards in place. They can also be used to replace the entire login process, rather than being a secondary failsafe used in addition to usernames and passwords. This provides all of the additional security without any of the inconvenience to the user.

Bringing Mobile into the Mix

Mobile devices add an entirely new level to multi factor authentication when paired with biometrics. Thanks to Touch ID, 4 Fingers Touchless ID, and other mobile biometric platforms, we are able to easily and seamlessly integrate biometric authentication with mobile applications to verify identity for those apps and third-party systems. By deploying these systems as part of physical or digital asset access control, we add two pieces to MFA.

  1. Users are able to authenticate with a device they already have in their pocket every second of the day.
  2. We add a cost-effective hardware component to the equation that acts as a passive factor in the authentication process on its own.

By registering the mobile device itself as part of the authentication process, the device’s unique identifier (GUID) acts as a second or even third factor to further ensure user identity. Ultimately, this combination of increased security with a heavy focus on convenience will ensure a final piece of the security puzzle that 2FA never has – user adoption.

Ultimately, security systems are only successful if the account holders actually use them when logging in. Multi factor biometric authentication allows for easy adoption and integration to help even the most technologically inept user to feel comfortable embracing it.
