December 4, 2017 By Mark Samuels 2 min read

IT decision-makers need to evolve beyond two-factor authentication (2FA) and design new ways to make the user verification process intelligent and risk-aware.

In an article for Harvard Business Review, Sridhar Muppidi, chief technology officer for identity and access management solutions at IBM Security Systems, noted that while existing 2FA systems provide some protection against cyber risks, they are not a panacea. Instead, he suggested that users explore a mixture of push notifications and advanced technologies to verify identities.

Attackers Exploit Two-Factor Authentication

Compared to a single-factor authentication method, such as a password used in isolation, 2FA relies on a second input to assure the system that an individual is authenticated to access a service. Muppidi noted that these one-time passwords are often the first line of defense for companies looking to boost security.

However, single-use passwords can be vulnerable to attack. Muppidi reported that cybercriminals have identified a vulnerability in the method phones used to authenticate identities. They are exploiting this vulnerability to steal valuable data and resources, including cryptocurrencies.

There is also a growing number of cases in which attackers contact mobile network providers and ask to transfer control of a victim’s number to a device under their control, reported The New York Times. Attackers can then receive SMS notifications intended for users, and use this information to reset and access online accounts.

Pursuing Alternative Authentication

Muppidi advised organizations looking to strengthen their authentication methods to tie the push notifications used in a 2FA system to the device rather than to the phone number. Specialist software tools, such as security applications with mobile authentication, can provide assurance in this area.

Smarter management of SMS push notifications is just the first step toward more effective authentication. IT decision-makers must consider modern solutions that include identity access and management technologies controlling access to resources.

Multifactor authentication (MFA) allows enterprises to use a range of techniques to authenticate users and identify where applications flag unexpected activity. Behavioral analytics can complement this approach, and allow IT teams to change security levels based on the value of data and the risks presented.

Improving Verification Methods

The development of verification techniques continues. For example, researchers at Florida International University and Bloomberg have generated a new 2FA system that works by prompting the user to take a picture of a personal object. The system, known as Pixie, could offer a more convenient and secure alternative to traditional authentication processes.

While waiting for these new advancements to come, Muppidi advised companies to establish a layered and risk-based defense. Enterprises should pursue a multifactor approach by using systems and analytics in combination to handle security concerns and combat risks. Additionally, IT decision-makers need to ensure that more of their information security budget is directed toward key prevention and detection techniques, such as behavioral analytics.

More from

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today