The Rise and Fall of Two-Factor Authentication
2FA, Zero FA, and the quest to stop fraudsters before they ever get to the authentication stage.
With data breaches taking up more and more headline real estate across publications and industries, it’s inevitable that attention would increasingly turn towards preventative measures as well, and that’s exactly what seems to be happening. As data breach stories continue to emerge, we’re seeing a simultaneous rise in articles about how businesses and their customers can help prevent breaches from occurring.
Two-factor authentication (2FA) is one topic getting a great deal of coverage these days.
We’re all likely familiar with two-factor authentication, and in its simplest form, it’s a pretty self-explanatory concept. The “two” refers to an added layer of security protection beyond username and password. What’s not so simple is the question of whether 2FA actually works.
While there seems to be uniform agreement that 2FA is an improvement over just username and password, there are also real problems with both efficacy and adoption. As but one example, people are increasingly using smartphones for 2FA, but this is happening at a time when fraudsters are progressively targeting mobile phones. According to a Javelin Strategy & Research study, mobile phone account takeovers rose from 380K in 2017 to 679K in 2018! As to adoption, a SecureAuth Corporation 2FA survey found that 74% of organizations that use 2FA receive complaints from users about it, and almost 10% of users say they “hate” 2FA.
Into the fray has come a significant amount of innovation, though it remains to be seen whether these innovations will move the needle when it comes to keeping fraudsters at bay. GitHub recently announced new options for 2FA, as reported in an article from Help Net Security, in which it was noted that, “GitHub has started supporting the Web Authentication (WebAuthn) web standard, allowing users to use security keys for two-factor authentication with a wide variety of browsers and devices.” Slack is another notable example of a company rolling out 2FA innovations, as reported by VentureBeat:
“Slack today introduced a handful of security upgrades designed to make the workplace communication app more secure within enterprise organizations. The updates include two-factor authentication with Touch ID fingerprint scans, Face ID use of facial recognition software, and generated passcodes.”
While innovations of this kind are welcome, the truth is that even “classic” fraud techniques like phishing can still get around 2FA. A new article from CircleID titled “New Phishing Tools Can Now Bypass 2-Factor Authentication” provides an example in which, “a person who is redirected to a phishing page inputs his credentials while a threat actor captures these in real-time. A 2FA code is sent to the user, which he then enters into the phishing page, consequently revealing this to the attacker who uses this same code to log in to the legitimate website.”
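To make the difference concrete, here is an added Python sketch (not code from the article, CircleID, GitHub, Slack or DataVisor) contrasting the two kinds of second factor mentioned above. A one-time code carries no information about where the user typed it, so a code captured on a look-alike page verifies exactly like one typed on the real site within its time window. A WebAuthn-style assertion, by contrast, is a signature over data in which the browser records the origin the user was actually on, so the relying party can reject any assertion produced on another origin. All secrets, origins and challenges are constructed values; HMAC stands in for the authenticator's public-key signature, and the real WebAuthn signature also covers authenticator data, which is omitted here.

```python
import hashlib
import hmac
import json
import struct
import time
from dataclasses import dataclass

# Relying-party origin (constructed for this example).
RP_ORIGIN = "https://bank.example"


# ---- One-time code: the server only checks the digits. ----
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; RFC 6238 TOTP is the same with counter = time // 30."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_otp(secret: bytes, submitted_code: str, counter: int) -> bool:
    # Nothing in the code identifies the page it was typed into, so the server
    # cannot tell a relayed code from one entered on the genuine site.
    return hmac.compare_digest(hotp(secret, counter), submitted_code)


# ---- WebAuthn-style assertion: the signed payload names the origin. ----
@dataclass
class Assertion:
    client_data: bytes   # JSON carrying the challenge and the origin the browser saw
    signature: bytes     # authenticator signature over client_data (HMAC stands in for ECDSA)


def sign_assertion(device_key: bytes, challenge: str, browser_origin: str) -> Assertion:
    # The browser, not the web page, fills in "origin"; page content cannot override it.
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin}
    ).encode()
    sig = hmac.new(device_key, client_data, hashlib.sha256).digest()
    return Assertion(client_data, sig)


def verify_assertion(device_key: bytes, expected_challenge: str, a: Assertion) -> bool:
    data = json.loads(a.client_data)
    if data.get("type") != "webauthn.get":
        return False
    if data.get("challenge") != expected_challenge:
        return False
    # Origin binding: an assertion made while the user was on any other site is refused.
    if data.get("origin") != RP_ORIGIN:
        return False
    expected_sig = hmac.new(device_key, a.client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, a.signature)


def demo() -> dict:
    """Run both checks with constructed inputs and return the verdicts."""
    otp_secret = b"constructed-shared-secret"
    counter = int(time.time()) // 30
    code = hotp(otp_secret, counter)          # same code whether typed on the real or a look-alike page

    device_key = b"constructed-device-key"
    challenge = "constructed-challenge-123"
    genuine = sign_assertion(device_key, challenge, RP_ORIGIN)
    on_other_origin = sign_assertion(device_key, challenge, "https://bank-login.example")
    return {
        "otp_accepted_regardless_of_origin": verify_otp(otp_secret, code, counter),
        "assertion_from_real_origin": verify_assertion(device_key, challenge, genuine),
        "assertion_from_other_origin": verify_assertion(device_key, challenge, on_other_origin),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The OTP verifier has no input on which it could distinguish the two cases, which is why the relay described in the CircleID article works; the assertion verifier rejects the second case on the `origin` field alone, before even checking the signature.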
Among the many innovations being discussed in the authentication space is the idea of “zero-factor authentication.” DataVisor CEO Yinglian Xie is a proponent, and spoke about the concept recently for The Paypers:
“The next-generation platform needs to rethink digital identity and authentication in a transformative way. Advances in technology must be able to combine machine and human intelligence to deliver zero factor authentication and not n-factor authentication. Current authentication methods expose too many loopholes — third-party apps, tokens, and APIs that can be leveraged by attackers. Adding more layers of authentication simply means that, as an industry, we have failed to build a path to building a better digital identity.”
Regardless of what form the next generation of authentication takes on, the challenges for businesses are ongoing. Today, large data breaches are commonplace, and personal and financial details are regularly offered and procured on the dark web at laughably small prices. In this climate of easy data, authentication strategies that rely on personal details are essentially doomed from the start.
Of even greater concern is the fact that, “once a fraudster gets through the authentication stage, the damage they can do is almost unlimited.” As described by DataVisor in a recent article on 2FA, “the solution is to stop them before they ever get to the authentication stage.” Relying on techniques and technologies such as unsupervised machine learning and holistic data analysis, it is possible to uncover patterns of coordinated activity that expose the fraudsters behind the fraud. In this way, we can reduce the need for authentication processes such as 2FA to the point where its efficacy is no longer at issue.