How 2-Factor Authentication Boosts Endpoint Security
… easily manipulated and directly identifies the user requesting authentication. However, not all devices support facial recognition, and device cameras can break.
“Also, facial recognition software is not 100% accurate,” said Clay Miller, CTO of SyncDog, a containerized mobile DLP solution for enterprise security. “It can have trouble accurately identifying faces, especially when the user has grown a beard or gained weight. Additionally, some users may have concerns about sharing their biometric data with third parties. Iris scanning is another biometric authentication method with similar properties to facial recognition, except that eye scanners typically have more accuracy than facial scanners.”
One issue that plagues all biometric two-factor authentication methods is that if a user’s biometric data is stolen, it is a very invasive and permanent attack that renders that particular authentication method unusable to that person forever, according to Miller.
Emerging 2-Factor Authentication
In order to improve identity security for their customers, MSSPs are beginning to offer two-factor authentication layered with adaptive authentication.
“These techniques provide additional security without impacting user experience because they run in the background during the user authentication process,” said Ryan Rowcliffe, lead of solutions architecture at SecureAuth, a multifactor authentication solution. “Additional risk factors are checked, such as the reputation of the user’s associated IP address, geographic location, device recognition, as well as behavioral analysis. It enables customers to keep their desired workflow while simultaneously maximizing security, without impeding the user or causing login frustration. This modern approach to identity and access management can be applied to applications, consumer portals, as well as endpoint devices such as logging into servers, desktops, and laptops.”
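To make the adaptive-authentication idea concrete, here is an added example (not code from the article or from SecureAuth) that scores a login attempt on the four signals the quote names, IP reputation, geographic location, device recognition and a behavioral baseline, and decides whether to allow it, step up to a second factor, or block it. The weights, thresholds, addresses and user profile are all constructed for illustration; a real deployment would feed these from threat-intelligence and device-registration data.

```python
"""Adaptive (risk-based) step-up decision for a login attempt.

Added example, not from the article or any vendor: scores an attempt on
IP reputation, country, device recognition and time-of-day baseline, then
returns "allow", "step-up" or "block". All values below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Set, Tuple

# Constructed reputation list (RFC 5737 documentation addresses, not real threats).
LOW_REPUTATION_IPS: Set[str] = {"203.0.113.42", "198.51.100.7"}

# Constructed weights for each risk signal.
WEIGHT_IP_REPUTATION = 50
WEIGHT_UNUSUAL_COUNTRY = 30
WEIGHT_UNKNOWN_DEVICE = 30
WEIGHT_UNUSUAL_HOUR = 10

STEP_UP_THRESHOLD = 30   # require a second factor at or above this score
BLOCK_THRESHOLD = 80     # refuse outright at or above this score


@dataclass
class UserProfile:
    username: str
    known_devices: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)
    usual_hours: range = range(7, 20)   # behavioral baseline: logins 07:00-19:59


@dataclass
class LoginAttempt:
    username: str
    source_ip: str
    country: str
    device_id: str
    when: datetime


def score_attempt(profile: UserProfile, attempt: LoginAttempt) -> Tuple[int, List[str]]:
    """Return (risk score, names of the signals that fired)."""
    score = 0
    signals: List[str] = []
    if attempt.source_ip in LOW_REPUTATION_IPS:
        score += WEIGHT_IP_REPUTATION
        signals.append("ip-reputation")
    if attempt.country not in profile.usual_countries:
        score += WEIGHT_UNUSUAL_COUNTRY
        signals.append("unusual-country")
    if attempt.device_id not in profile.known_devices:
        score += WEIGHT_UNKNOWN_DEVICE
        signals.append("unknown-device")
    if attempt.when.hour not in profile.usual_hours:
        score += WEIGHT_UNUSUAL_HOUR
        signals.append("unusual-hour")
    return score, signals


def decide(profile: UserProfile, attempt: LoginAttempt) -> str:
    """Map the score to an authentication outcome."""
    score, _ = score_attempt(profile, attempt)
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "step-up"
    return "allow"


def demo() -> List[str]:
    """Constructed profile and four attempts of increasing risk."""
    alice = UserProfile("alice", known_devices={"laptop-01"}, usual_countries={"US"})
    attempts = [
        LoginAttempt("alice", "192.0.2.10", "US", "laptop-01", datetime(2024, 1, 8, 10, 0)),
        LoginAttempt("alice", "192.0.2.10", "US", "phone-new", datetime(2024, 1, 8, 10, 0)),
        LoginAttempt("alice", "192.0.2.10", "DE", "laptop-01", datetime(2024, 1, 8, 2, 0)),
        LoginAttempt("alice", "203.0.113.42", "DE", "unknown", datetime(2024, 1, 8, 2, 0)),
    ]
    return [decide(alice, a) for a in attempts]


if __name__ == "__main__":
    print(demo())  # ['allow', 'step-up', 'step-up', 'block']
```

The point of the weighting is that a single unusual signal (a new device) is enough to ask for the second factor without bothering the user on a routine login, while a combination of signals refuses the attempt before a password guess is even evaluated.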
Push notifications, another emerging mobile-based authentication method, offer a cost-effective alternative to traditional passwords.
“And unlike SMS message notifications that contain a one-time-password (OTP), which can be visible on a locked phone screen, push notifications don’t contain an OTP,” said James Litton, CEO of Identity Automation, an identity and access management platform. “And the device must be unlocked to approve the authentication attempt. Push notifications are an effective password replacement, eliminating the risk of users falling prey to phishing, man-in-the-middle, and brute force attacks. However, they require an internet connection and a smartphone — which itself is vulnerable to attacks as users can inadvertently approve fraudulent requests.”
Two-factor methods are an improvement. It appears that most successful attacks are automated, so why not make it harder for automated attackers to be successful? Consider inserting a five-second delay before allowing a password failure retry. This will not be a serious burden on the forgetful or fumble-fingered user, and it will lead to improvements, as will Captchas.
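The retry delay suggested above is easy to implement on the server side. The following added example (not code from the article) is a per-account throttle that refuses a retry for a fixed five seconds after each failed password check, wired into a minimal PBKDF2 credential store. The users, passwords and the manual clock are constructed so the demonstration runs without actually sleeping.

```python
"""Per-account retry delay after password failures.

Added example, not from the article: after each failed attempt an account
may not be retried for `delay_seconds`. The credential store, users and
clock below are constructed for illustration.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Tuple


class ManualClock:
    """Constructed clock so the demo advances time without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class RetryThrottle:
    """Refuses a retry for `delay_seconds` after each failed attempt on an account."""
    def __init__(self, delay_seconds: float = 5.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.delay = delay_seconds
        self.clock = clock
        self._next_allowed: Dict[str, float] = {}

    def seconds_until_allowed(self, username: str) -> float:
        remaining = self._next_allowed.get(username, 0.0) - self.clock()
        return max(0.0, remaining)

    def record_failure(self, username: str) -> None:
        self._next_allowed[username] = self.clock() + self.delay

    def record_success(self, username: str) -> None:
        self._next_allowed.pop(username, None)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Used to spend the same hashing time on unknown usernames as on known ones.
DUMMY_SALT = bytes(16)


def make_user_store(credentials: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed credential store: username -> (salt, pbkdf2 hash)."""
    store: Dict[str, Tuple[bytes, bytes]] = {}
    for user, pw in credentials.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(pw, salt))
    return store


def attempt_login(throttle: RetryThrottle, store: Dict[str, Tuple[bytes, bytes]],
                  username: str, password: str) -> str:
    """Return "throttled", "failed" or "ok"; the throttle is consulted before hashing."""
    if throttle.seconds_until_allowed(username) > 0:
        return "throttled"
    entry = store.get(username)
    if entry is None:
        hash_password(password, DUMMY_SALT)   # keep timing similar for unknown users
        throttle.record_failure(username)
        return "failed"
    salt, expected = entry
    if hmac.compare_digest(hash_password(password, salt), expected):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "failed"


def max_guesses_per_day(delay_seconds: float) -> int:
    """Upper bound on online guesses against one account with a fixed retry delay."""
    return int(86_400 // delay_seconds)


def demo() -> List[str]:
    clock = ManualClock()
    throttle = RetryThrottle(5.0, clock)
    store = make_user_store({"alice": "correct horse battery staple"})   # constructed
    results = []
    results.append(attempt_login(throttle, store, "alice", "wrong1"))    # failed
    results.append(attempt_login(throttle, store, "alice", "wrong2"))    # throttled, 5 s not elapsed
    clock.advance(5.0)
    results.append(attempt_login(throttle, store, "alice", "correct horse battery staple"))  # ok
    results.append(attempt_login(throttle, store, "alice", "wrong3"))    # failed; success cleared the delay
    return results


if __name__ == "__main__":
    print(demo())                      # ['failed', 'throttled', 'ok', 'failed']
    print(max_guesses_per_day(5.0))    # 17280
```

Because the throttle is checked before the password hash is computed, a rejected retry costs the server almost nothing, and a fixed five-second delay caps an automated guesser at 17,280 attempts per account per day regardless of how many connections it opens. Keying the delay on the account rather than the source address is what keeps it effective against attacks spread across many IP addresses.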