A Better Security Practice: Two Factor Authentication


The Heartbleed security bug in 2014 created widespread awareness about Internet credential vulnerabilities. Changing your passwords regularly certainly helps against the information brokers who sell your login details to the next attacker. However, a better option is using a second factor of authentication. Major service providers like Microsoft and Google fully support two-factor authentication.

WatchGuard explains how two-factor authentication (2FA) works with VPN clients. “When a user authenticates from the VPN client, the VPN client sends the username and password to the Firebox. The Firebox sends the username and password to the RADIUS server. If the user and password are valid, and if two-factor authentication is enabled for the user, the RADIUS server sends an access-challenge message to the Firebox to request the second factor. The Firebox uses information from the access-challenge to prompt the VPN client for the second authentication factor.”
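The exchange WatchGuard describes has two round trips: the first Access-Request carries the password, the RADIUS server answers with an Access-Challenge, and the second Access-Request carries the user's answer to the challenge together with the server's State attribute (RFC 2865 places that answer in User-Password). The simulation below is an added example, not WatchGuard's or any RADIUS implementation's code: the "wire" is a plain dict rather than RADIUS encoding, the user records and secrets are constructed, and the second factor is a constructed challenge-response scheme (HMAC over the server's nonce) chosen to keep the example self-contained. What it shows is the server-side handling a practitioner cares about: the password is checked before anything about the second factor is revealed, a State value is bound to one user, expires, and is consumed on first use so a captured second-step request cannot be replayed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user store (not real credentials).  Password hashes use plain
# sha256 only to keep the example self-contained; a deployment would use a
# slow KDF such as scrypt or argon2.
USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(b"alice-password").hexdigest(),
        "token_secret": b"alice-token-secret-constructed",
        "two_factor": True,
    },
    "bob": {
        "pw_hash": hashlib.sha256(b"bob-password").hexdigest(),
        "token_secret": None,
        "two_factor": False,
    },
}

CHALLENGE_TTL = 60  # seconds a pending challenge stays valid


def second_factor_response(secret: bytes, challenge: str) -> str:
    """What the user's token computes from the server's challenge:
    HMAC-SHA256 over the challenge nonce, truncated to a 6-digit code
    (a constructed challenge-response scheme, not a standard one)."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class RadiusServer:
    """Minimal stand-in for the RADIUS server side of the exchange."""

    def __init__(self, now=time.time):
        self.now = now      # injectable clock so expiry can be tested
        self.pending = {}   # State value -> (username, challenge, expiry)

    def handle(self, request: dict) -> dict:
        username = request.get("User-Name")
        user = USERS.get(username)
        if user is None:
            return {"type": "Access-Reject"}

        state = request.get("State")
        if state is None:
            # Step 1: first factor.  Nothing about the second factor is
            # revealed until the password is right.
            given = hashlib.sha256(request.get("User-Password", "").encode()).hexdigest()
            if not hmac.compare_digest(given, user["pw_hash"]):
                return {"type": "Access-Reject"}
            if not user["two_factor"]:
                return {"type": "Access-Accept"}
            challenge = secrets.token_hex(8)
            state = secrets.token_urlsafe(16)
            self.pending[state] = (username, challenge, self.now() + CHALLENGE_TTL)
            return {"type": "Access-Challenge", "State": state,
                    "Reply-Message": f"Enter the code for challenge {challenge}"}

        # Step 2: second factor.  State must be known, unexpired and bound to
        # the same user; it is consumed whether or not the code is right.
        entry = self.pending.pop(state, None)
        if entry is None:
            return {"type": "Access-Reject"}
        owner, challenge, expiry = entry
        if owner != username or self.now() > expiry:
            return {"type": "Access-Reject"}
        expected = second_factor_response(user["token_secret"], challenge)
        if hmac.compare_digest(expected, request.get("User-Password", "")):
            return {"type": "Access-Accept"}
        return {"type": "Access-Reject"}


def login(server: RadiusServer, username: str, password: str, token_secret=None) -> str:
    """Plays the VPN-client/Firebox side: relays the password and, if
    challenged, answers with the token's response to the challenge."""
    reply = server.handle({"User-Name": username, "User-Password": password})
    if reply["type"] != "Access-Challenge":
        return reply["type"]
    challenge = reply["Reply-Message"].rsplit(" ", 1)[1]
    code = second_factor_response(token_secret, challenge) if token_secret else "000000"
    return server.handle({"User-Name": username, "User-Password": code,
                          "State": reply["State"]})["type"]


if __name__ == "__main__":
    srv = RadiusServer()
    print(login(srv, "alice", "alice-password", USERS["alice"]["token_secret"]))  # Access-Accept
    print(login(srv, "alice", "alice-password"))                                  # Access-Reject
    print(login(srv, "alice", "wrong", USERS["alice"]["token_secret"]))           # Access-Reject
    print(login(srv, "bob", "bob-password"))                                      # Access-Accept
```

The State value is the only link between the two requests, which is why the server must treat it as a one-time, short-lived, per-user ticket; a server that accepted any State, or kept it valid after use, would let a recorded second-step request be replayed.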

However, two-factor authentication does have its difficulties. Assumptions are made, and benefits implied, that can mislead companies and consumers. Here are five common myths associated with two-factor authentication:

No. 1: If you have suffered a breach, turning on two-factor authentication for your users is a good quick fix. The truth is that most sites cannot simply “turn on” two-factor authentication. Deployment of two-factor authentication requires several components in place at the same time.

No. 2: Two-factor authentication is not susceptible to common threats. Two-factor authentication does improve security, but it is not perfect. Several factors can still make the system vulnerable.

No. 3: Two-factor authentication is synonymous with ‘incorporation of a second device’ and cannot be accomplished effectively on a single device. The use of smartphones and similar personal devices makes it more practical to load keying information in a manner that is tamper-resistant enough to provide a high degree of security.

No. 4: Most two-factor solutions are similar, with only minor differences in approach. The past few years have brought considerable innovation to two-factor authentication. Many solutions involving SMS messages or other telephonic means are available. Others provide two-factor authentication using either a mobile application containing a cryptographic secret or through keying information stored in the user’s browser.

No. 5: Two-factor authentication is an annoying compliance requirement with little material benefit to the business. While some businesses do treat two-factor authentication as only a compliance requirement, a far better plan is a flexible authentication mechanism that requires two-factor authentication for higher-risk transactions while giving users the convenience of single-factor authentication for common, lower-risk operations.
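The "mobile application containing a cryptographic secret" in No. 4 is usually a TOTP authenticator (RFC 6238 on top of HOTP, RFC 4226): the app and the server share a secret, and each 30-second time step yields a 6-digit code derived from an HMAC over the step counter. The example below is added here and is not code from the original article or from any authenticator product; the secret and the base32 provisioning string are the RFC's own test-vector values, so the codes can be checked against the published tables. Besides the code generation it shows the server-side checks that No. 2 alludes to: a constant-time comparison, a small drift window for out-of-sync clocks, and a record of the last accepted time step so a code that has already been used is refused even while it is still "current".

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6
WINDOW = 1     # accept one step either side to absorb clock drift


def secret_from_base32(provisioning: str) -> bytes:
    """Authenticator apps are enrolled with a base32 string (as in an
    otpauth:// URI); the server stores the decoded raw bytes."""
    return base64.b32decode(provisioning.upper())


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' picks 4 bytes at an offset given by the
    low nibble of the last MAC byte."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: float, step: int = STEP) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at // step))


class TotpVerifier:
    """Server-side check: each time step's code is accepted at most once,
    and only within WINDOW steps of the server's clock."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted_step = -1  # highest time step whose code was spent

    def verify(self, code: str, at: float) -> bool:
        current = int(at // STEP)
        for step in range(current - WINDOW, current + WINDOW + 1):
            if step <= self.last_accepted_step:
                continue  # already used (or older): treat as a replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


# RFC 6238 test-vector secret, as it would appear in an enrollment string.
RFC_SECRET = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))            # 287082 (RFC 6238 vector, last 6 digits)
    print(totp(RFC_SECRET, 1111111109))    # 081804
    v = TotpVerifier(RFC_SECRET)
    print(v.verify(totp(RFC_SECRET, time.time()), time.time()))  # True
    print(v.verify(totp(RFC_SECRET, time.time()), time.time()))  # False: same code reused
```

Two design points matter in practice. The drift window is a trade-off: every extra step the server accepts widens the set of codes an attacker could guess in a given second, so keep it small and fix the clock rather than the window. Tracking the last accepted step is what turns a code that is valid for 30 seconds into a code that is valid once; without it, a code observed over the shoulder or phished moments earlier still works.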

Two-factor authentication does improve security, but it’s not the solution in all cases. Adopting the wrong two-factor authentication solution can be a burden that yields no real security benefit. Understanding your users and the security threats you face is the key to a successful two-factor authentication deployment.

Sources:

http://www.watchguard.com/help/docs/fireware/11/en-US/Content/en-US/mvpn/ssl/mvpn_ssl_auth_2-factor.html

https://www.wired.com/insights/2013/04/five-myths-of-two-factor-authentication-and-the-reality/