http://www.portalguard.com
Table of Contents
A Recent Spike in Two-factor Authentication Interest
What is Two-factor/Multi-factor Authentication?
What’s the Hold-up? Organizations are Facing Major Hurdles
Experts Say “Two-factor is the Bare Minimum!” Or is it?
Knock Down the Barriers: What does a Solution Need to Have?
A Look at Two-factor Solutions: Benefits & Shortcomings
Conclusion
Avoiding Two-factor Authentication? You’re Not Alone
A Recent Spike in Two-factor Authentication Interest
An eye-opener, this hacking example created buzz around two-factor authentication and the need for it. The Google Trend for “two-factor authentication” shows a clear spike in August and a new level of continuing interest ever since. The search term “two-factor authentication” is now being searched in Google on average 49,500 times per month.

Predictions about the global two-factor and multi-factor authentication markets are also showing substantial growth. In a recent report from TechNavio the global two-factor authentication market is expected to grow by 20.8% over 2011-2015, driven primarily by regulatory requirements [2]. The multi-factor authentication market is set to reach $5.45 billion by 2017 according to MarketsandMarkets research [3].
Why the push for two-factor beyond regulatory compliance? Verizon’s Data Breach Investigations Report shows an increase in corporate data breaches. In 2012 there were 855 incidents of corporate theft with 174 million records being compromised. 98% of those came from hackers using various hacking methods to break in [4].
“In the space of one hour, my entire digital life was destroyed.” It’s August of 2012 when Matt Honan, editor at WIRED, reports on his recent attack, in which it took hackers a mere 60 minutes to break into his Google account and from there proceed to wipe out his digital identity, all with the goal of gaining access to his sought-after Twitter account [1].
Even Google has declared war on passwords with its recent implementation of two-step authentication, a recommended feature for securing your Google account. Partnerships with hardware token vendors such as Yubico show that Google is looking for a way to avoid their own data breaches as was seen in 2012 [5]. Other major websites are following suit including Facebook, Twitter, Dropbox, PayPal, and more.

So with all of the evidence showing that there is an everyday threat to our digital identities and data…why is two-factor authentication not widely implemented? Why is it that every organization has passwords but has not taken the next step towards strengthening authentication? The following chapters take a look at the arguments for and against two-factor authentication. Two-factor authentication or not? That is the question.
References:
[1] http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/
[2] http://www.prbuzz.com/technology/95904-new-research-on-two-factor-authentication-market.html
[3] http://www.marketsandmarkets.com/PressReleases/multi-factor-authentication.asp
[4] http://blog.pistolstar.us/blog/data-breach-investigations-report-great-data/
[5] http://blog.pistolstar.us/blog/declaring-war-on-passwords/
What is Two-factor/Multi-factor Authentication?

According to Wikipedia [6] the high-level definition of multi-factor authentication is an approach to authentication which requires presentation of two or more of the following authentication factors:
• A knowledge factor (something the user “knows”)
• A possession factor (something the user “has”)
• An inherence factor (something the user “is”)
The extra factors are implemented to prove the user’s identity beyond a simple password. The definition states that to be two-factor authentication it must require the user to provide at least two of the factors listed above. So for example, the user would be required to enter their username, their password (something they know), and a hardware token generated one-time password (proving they have something). The use of two distinct authentication factors helps eliminate an organization’s security concerns around granting access based on a single, knowledge-based factor, the password.

A common example of authentication which is mistaken for two-factor authentication is knowledge-based authentication, where the user is asked to provide their username, password, and the answer to a knowledge question. This does not meet the definition because the password and the answer are both factors the user knows.
Increasing in popularity, the one-time password or OTP is becoming a preferred second factor as it is only valid for one login session or transaction. OTPs avoid the shortcomings of static passwords; in particular they are not susceptible to replay attacks. If a hacker records an OTP which was already used, they will not be able to reuse it since it is no longer valid. OTPs can be delivered via SMS, email, printed lists, hardware tokens, phone call, or transparently using a browser plug-in.
Regulatory compliance is one of the driving factors behind two-factor authentication and is forcing organizations to implement stronger authentication. For example, the largest division of the FBI, the Criminal Justice Information System (CJIS), has an Advanced Authentication compliance requirement which is making law enforcement and local governments take action. Effective September 30, 2013, Advanced Authentication will be a requirement for all law enforcement personnel accessing NCIC criminal justice information outside of a secure location. Other regulatory compliance standards such as the FFIEC, PCI DSS, and HIPAA are also driving the market towards two-factor authentication.

However, what if your organization does not have these regulatory compliance standards pushing you towards implementing two-factor? Do you still feel like your data is sensitive enough to protect with stronger authentication? Or do you take on an “it’s not going to happen to me” attitude?
References:
[6] http://en.wikipedia.org/wiki/Multi-factor_authentication
What’s the Hold-up? Organizations are Facing Major Hurdles
There are numerous two-factor authentication discussions occurring in the blogosphere. After compiling comments from these conversations, it is clear there are major hurdles to implementing two-factor that prevent widespread adoption.

All too common today are TV advertisements for various medications which definitely solve an ailment but have a laundry list of side effects. For example, the antidepressant Zoloft solves a severe problem many suffer from. However, the side effects are extreme and potentially life-threatening [8]. Although some patients may suffer from depression enough to risk the side effects, this will most likely deter those who are only mildly affected.

“Two-factor medication” can be seen in the same light. Some have taken it because they have been attacked, see themselves as potential targets for large hacking attacks, or are being forced to by regulatory compliance. However, the rest of the market has decided the negative side effects of implementing two-factor outweigh the benefits.
Many organizations have an “it’s not going to happen to us” attitude and don’t feel the everyday threat which is present. IT security professionals are also reluctant to “rock the user boat” and do not have a 100% sure-fire way to solve their authentication challenges without having to overcome major hurdles such as:
• I can’t distribute tokens
• I cannot justify the expense
• My ACLs aren’t properly configured anyway
• It’s too difficult for my users to use
• I have no buy-in from management
• My data isn’t sensitive enough

These hurdles come directly from the organizations evaluating whether to implement two-factor authentication. With such strong opinions, it is clear that there is a barrier keeping two-factor from being widely implemented.

As one commenter stated, “I love the idea of two-factor but it is the least of my concerns. If you do not have security configured once you are authenticated – how hard it is to get there is of little consequence. Our organization is not the NSA so I do not have a huge potential for disaster vs. the complexity of implementing additional authentication. I just cannot justify the expense and would find it difficult to get buy-in from management” [9].

From the executive or business side of most organizations there is a lot of resistance unless they have experienced the direct effects of an attack or compliance audit. Many times the IT security team is saying “Yes” while the business side is saying “No”, citing the following factors:
• Exorbitant costs for the tokens and support software
• It is an infrastructure add-on, so there is little skill in-house to implement and maintain it
• Provisioning the tokens is seen as a nightmare
• There are few examples of TRUSTED two-factor authentication solutions which organizations support and are not just vendors “tooting their own horns”
These barriers exist due to the lack of a solution the market can feel confident in. While recent news and reports are heavily advocating two-factor authentication, the “big guys” are having issues with implementation and security.

Facebook recently had a security hole found related to the storage of phone numbers used for two-factor “Login Approvals”. A hacker proved he could use readily available reverse lookup functionality to find the associated Facebook profiles [10], truly an invasion of privacy and an open door for hackers.

Twitter is also struggling to implement two-factor authentication, with some controversy. Although recent hacks of Burger King’s and Jeep’s Twitter accounts [11] show a need for stronger security, some reports are claiming that the data is not sensitive enough to protect and it would just hurt the user experience [12].

With reports in the news like this, it is difficult to know which direction to go in. However, if you had a solution which removed most of the hurdles and made it easier to implement two-factor authentication, would you? With such a solution available in the market, would two-factor authentication become the new bare minimum?
References:
[8] http://www.zoloft.com/
[9] http://blogs.technet.com/b/steriley/archive/2006/04/20/425824.aspx
[10] http://www.pcworld.com/article/2012084/facebook-removes-twofactor-authentication-mobile-numbers-from-search.html
[11] http://www.csoonline.com/article/729193/jeep-joins-burger-king-on-twitter-hacked-list-inspires-mtv-bet-to-fake-breaches
[12] http://www.zdnet.com/two-factor-authentication-wont-protect-twitter-google-oneid-7000011358/
Experts Say “It’s the Bare Minimum!” Or is it?
What do the experts recommend? They help confuse the matter further by offering varying opinions about whether two-factor should be the new bare minimum when it comes to security or if passwords alone are enough.

Some experts argue that two-factor authentication is the bare minimum to improve security even though it may cause some disruption in your organization and user experience. The proof for this argument is simply looking at the advanced attack techniques hackers are implementing, such as man-in-the-middle and keystroke logging attacks.

Primary reasons experts as well as vendors are pushing two-factor authentication include compliance standards, increasing risks, users having too many passwords to remember, an uptick of private information on the internet, and solutions on the market becoming easier to use.

In a recent LinkedIn discussion, one expert put the blame on the organizations’ IT departments, claiming “Two-factor is the minimum but IT is taking the easy way out and not wanting to rock the boat. There is a lack of leadership in taking the reins and saying this is a must have. It seems that organizations do not fully understand the very real threat that every organization is under each and every day. Organizations need to rock the boat.”
Other experts say that passwords, the single factor, are enough. Two-factor in their eyes is not required in all situations and should not become the new “bare minimum”. In their opinion it does not make sense for many organizations to spend money on two-factor authentication before using passwords properly or doing a risk assessment to determine how strong their authentication needs to be.

A strong alpha-numeric password could take months to crack, and this is often where malicious attacks are focused: on the password file rather than the login prompt. So measures such as a stronger firewall or an intrusion detection system are much more important than locking down complex passwords.

Organizations seem to be pushed towards more complex authentication solutions when their issue is simply a bad implementation of passwords or inaccurate risk assessments. These experts argue it doesn’t make sense to take a “more controls no matter what” attitude, but instead to implement the single factor, the password, properly in the first place.

Discussions are split when it comes to which data needs to be protected. One opinion is that the authentication only needs to be as strong as the data it is protecting. However, many times it is the benign data, such as a timesheet application, which can create an unexpected backdoor into the organization.
Going back to Matt Honan’s story, he blatantly disagrees that passwords are enough, stating, “Since the dawn of the information age, we’ve bought into the idea that a password, so long as it’s elaborate enough, is an adequate means of protecting all this precious data. But in 2012 that’s a fallacy, a fantasy, an outdated sales pitch. And anyone who still mouths it is a sucker—or someone who takes you for one.” [13]

Having been a victim of an attack himself, he speaks directly from that point of view. Matt had implemented strong passwords with multiple characters, symbols, upper and lowercase letters, and more, which was still not enough.

The issue comes from the fact that his accounts were all linked and the password recovery process was flawed. Once the hackers had access to one account they had access to all of them. Experts who often discuss implementing passwords forget that a password can be a single point of failure in the age of hyper-connectivity.

Which opinion do you agree with? Are passwords enough? Or do you agree with the public victim, Matt Honan? Should two-factor authentication be the bare minimum?
References:
[13] http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/
Knock Down the Barriers: What Does a Two-factor Authentication Solution Need to Have?
At the recent RSA Conference 2013 in San Francisco, one of the resounding themes was the expansion of authentication solutions. The idea of replacing the old password as a login method is one that is feverishly being worked on by many vendors. However, the main struggle for vendors is handling the tradeoff between usability and security [14].

Matt Honan identified this after explaining that security has two tradeoffs, convenience and privacy. For example, if you implement a password policy which is unusable, the security solution fails and is abandoned or circumvented. Privacy also limits what an organization can leverage for two-factor authentication. Many organizations are terrified of alienating their users and like the idea of offering a simple, private solution versus a secure one.

Overall there is a lack of confidence in the marketplace as some of the leading solutions have experienced major hacks, leaving behind doubts about the authentication methods being secure.

There is no “holy grail” solution for people to feel good about purchasing. It is unfortunate to see many organizations take the “it will not happen to us” approach because there is no simple answer to two-factor authentication.
When the question was posed “What do YOU need out of two-factor authentication?” [15], the common themes were that a solution needs to be:
• Secure
• Simple to use, to avoid resistance from users
• Inexpensive
• Seamlessly integrated with all systems
• Able to solve the provisioning/enrollment problem of tokens
• Without the requirement of massive infrastructure
• Easy to deploy and manage
• Combined with single sign-on (SSO) for increased usability
• Reliable
• Using tokens which are easy to create, deploy, revoke, and replace
Luckily there are options emerging on the market which are attempting to provide these features. It is important to take a look at the options and be careful with vendor selection. Are you ready to take the next step and evaluate the vendors on the market?

References:
[14] http://bitzermobile.com/blog-musings-from-rsa-2013/
[15] http://blogs.technet.com/b/steriley/archive/2006/04/20/425824.aspx
A Look at Two-factor Solutions: Benefits and Shortcomings
Rounding out the information in this eGuide is a look at the benefits and shortcomings of two of the leading methods in the marketplace today. With numerous vendors to choose from, identifying a solution can feel like a daunting task. This information is offered to help you see both sides of a mobile phone one-time password solution and a USB hardware token solution.

Mobile Phone Two-factor Authentication:
Leveraging the user’s mobile phone as the hardware token that is used to deliver the OTP has become increasingly popular. As most users already have mobile phones, this avoids the headaches of purchasing and distributing hardware tokens. The OTP can be delivered as an SMS text message, a phone call, or provided through an application on the phone itself.

On the downside, this changes the user experience and requires users to not only have a mobile phone, but also make sure it is available at the time of login, with available service, and fully charged and powered on. Oftentimes this causes user frustration as usability is impacted. There can also be charges incurred, as each SMS message can generate an associated delivery fee. Although minimal per message, with larger user populations this can add up quickly. Many of these solutions are hosted and cost anywhere from $10-$25 per user per year on a recurring basis.
USB Hardware Token:
This new version of the hardware token is an effective alternative to the older styles, because it does not require batteries to operate. Instead it receives power from the USB port of the user’s computer, and requires just a touch of the user’s finger to enter the OTP into the desired field without requiring client-side software or drivers. This makes the solution portable and ideal for public computer usage. Solutions on the market are now smaller and more durable as well.

Of course this still has the main issues of any hardware token, which include the purchasing, distribution, and management of the token as an extra piece of hardware the user is responsible for. Being required to constantly plug in a device interrupts the user’s experience, especially when the token is lost or left behind at home. The other primary issue is the cost of these devices. Initially tokens cost upwards of $50 each. Now, even with a price tag of $25 per token, it is still an unacceptable cost for small organizations.
Ideal Solution:
What would the ideal solution be? There are some key factors which make the ideal solution the use of a transparent browser plug-in to deliver the OTP. Being completely transparent to the user avoids any impact to the user experience and maintains usability.

Looking at this type of solution compared to mobile phone or USB token solutions, it is clear that it would:
• Require no infrastructure or hardware other than the user’s computer
• Be easy to use as it requires no interaction from the user, eliminating the potential for user errors
• Install on separate machines so you can control which devices have access
• Remove the need to carry a separate device or token to authenticate
• Not be dependent on token or phone availability
• Not change the user experience
Just as there are multiple access scenarios in every organization, each of the described authentication methods may have a place in your organization. Flexibility is paramount when it comes to choosing the right solution. With vendors pushing their products in the market and gaining in popularity, the key is to choose a solution which allows you to easily deploy multiple authentication barriers while maintaining the balance between usability and security so as not to impact the user experience.
Conclusion

With the publicity around Matt Honan’s 2012 hacking incident and opinions that passwords are not providing adequate security, the market is buzzing about implementing two-factor authentication. Driven by the threats of attacks and regulatory compliance, many organizations are beginning to look into the two-factor market to see what solutions are available.

However, two-factor authentication has not been widely implemented as it has major barriers for many organizations related to cost and usability. With the discussions of experts split, it is a confusing time to decide what is best.

It is clear that there is not yet a popular “holy grail” solution available. Solutions need to be many things, including inexpensive, secure, reliable, and easy to implement.

When choosing a solution, look at the options in the market, such as mobile phones or USB tokens, and weigh the pros and cons. A recommended solution would be one which is transparent to the user and is part of a platform which can offer you flexibility and options to handle all of your organization’s access scenarios.

With a lack of confidence in the current two-factor authentication marketplace, this is a space to watch as emerging vendors seize the initiative and battle to emerge as the next leader who will help shape the authentication landscape in the years to come.
For vendors, the success of their solution will come from the ability to balance both security and usability while delivering various two-factor authentication methods.