How 2-Factor Authentication Boosts Endpoint Security
… scrub dormant accounts and overprivileged users first, because attackers rely on these for entry and cover. Next, be pragmatic with identity. There are alternatives to passwords in the market and the use cases and identity stakes for an MSSP should prompt hard questions.”
One alternative is a mobile app for two-factor authentication, which lets IT departments deploy authentication to users’ phones with less overhead than legacy solutions. However, authentication apps that use push notifications have a security disadvantage in their view: an active user could accidentally approve an attacker’s sign-on request when the approval notification appears.
“In contrast, physical keys are not susceptible to SIM swapping or accidental approval,” said Keegan Keplinger, data visualization lead, threat intelligence at eSentire, which offers cybersecurity protection as a service. “The physical key requires that an attacker has physical access to the user — an unlikely scenario. Simplicity and low cost of mobile solutions make them an enterprise favorite despite their flaws in security. Biometric solutions may be more secure, but they come at a higher cost. The best tradeoff between security and affordability is the physical key, given the requirement of physical proximity to the user.”
2-Factor Authentication and Biometrics
Within two-factor authentication, the advantages and drawbacks vary by solution. For biometric identification – like facial recognition, iris/retinal scanning, and fingerprint matching – the benefits are scalability, with multimodal applications that increase identification accuracy; versatility, in being able to assign various permissions per user; and ROI, in reducing fraudulent activity within the workplace, since biometrics are an identifiable means of verification.
“However, the technology for biometric 2FA is not secure enough or advanced enough yet for biometric data to be used as a source of identification or as a secondary form of identifying an individual for higher-level security,” said Monique Becenti, product and channel specialist at SiteLock, a provider of website security and protection solutions. “Recently, the database of the Biostar 2 biometric data lock system was found exposed and researchers were able to change data and add new users — a function that cybercriminals could exploit to gain unauthorized access with fraudulent fingerprints.”
Replacing passwords with biometrics is also very controversial, because biometric data can be stolen just as easily as someone can steal your credit card. Biometric data, including fingerprints from selfies, facial characteristics, and other identifiable traits, can be easily replicated just by capturing an image.
“Additionally, in many data center environments, biometric authentication methods may be impractical,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. “This leads people to not enable them and fall back on password-only authentication.”
Like other biometrics, facial recognition can be useful because it can’t be …
Two-factor methods are an improvement. It appears that most successful attacks are automated, so why not make it harder for automated attackers to be successful? Consider inserting a five-second delay before allowing a password failure retry. This will not be a serious burden on the forgetful or fumble-fingers user and it will lead to improvements, as will CAPTCHAs.
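The five-second retry delay suggested in the comment above, sketched as an added example (it is not from the article or the commenter). `RetryThrottle`, `check_password` and `simulate_guessing` are hypothetical names, the password check is a stand-in, and the timing scenario is constructed.

```python
import time

RETRY_DELAY_SECONDS = 5.0  # the five-second delay suggested in the text


class RetryThrottle:
    """Server-side delay after a failed password attempt, tracked per account."""

    def __init__(self, check_password, delay=RETRY_DELAY_SECONDS, clock=time.monotonic):
        self._check = check_password   # hypothetical verifier: (user, password) -> bool
        self._delay = delay
        self._clock = clock            # injectable so the delay can be tested
        self._locked_until = {}        # username -> time the next attempt is allowed

    def attempt(self, user, password):
        """Return 'ok', 'failed', or 'wait' (refused, password not checked)."""
        now = self._clock()
        until = self._locked_until.get(user)
        if until is not None and now < until:
            # Refuse without evaluating the password: a guess sent inside the
            # delay window is never tested, so rapid retries gain nothing.
            return "wait"
        if self._check(user, password):
            self._locked_until.pop(user, None)
            return "ok"
        self._locked_until[user] = now + self._delay
        return "failed"


def simulate_guessing(guesses, interval, delay=RETRY_DELAY_SECONDS):
    """Constructed scenario: an automated client sends one wrong guess every
    `interval` seconds. Returns how many guesses were actually evaluated."""
    now = [0.0]  # fake clock, advanced by the loop below
    throttle = RetryThrottle(lambda u, p: p == "correct horse", delay, lambda: now[0])
    evaluated = 0
    for i, guess in enumerate(guesses):
        now[0] = i * interval
        if throttle.attempt("alice", guess) != "wait":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    # 120 guesses at two per second (one minute): only 12 are ever evaluated.
    print(simulate_guessing(["guess"] * 120, 0.5))
```

Because the delay is keyed on the account and enforced by the server, it applies regardless of how quickly the client sends requests.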