August 9, 2017 By Larry Loeb 3 min read

Remote authentication traditionally depends on two factors: something the user knows, such as a password, and something the user has, such as a hardware token. This is called two-factor authentication (2FA).

In practice, something that the entity knows typically serves as the primary method of authentication. Passwords have long reigned supreme because they are simple to create. There has been some progress in the area of token-based authentication, but this method has yet to gain widespread acceptance. This might be due to the need to securely disseminate hardware tokens to users, not to mention the cost of the token and reader.

Before we speculate on the future of this technology, let’s take a look at the evolution of several forms of two-factor authentication.

SMS Authentication

As the internet grew more pervasive, passwords became ineffective — even when accompanied by a static digital certificate. A password could be easily stolen by a threat actor, who could then fully impersonate the user if the password was the only bar on the gate.

In one of the first forms of 2FA, one-time passwords (OTPs) were sent via short message service (SMS) to users’ phones. Of course, a user was required to enter a valid phone number to receive the SMS push, but there was no real way to verify that the number truly belonged to that user.

This kind of 2FA became popular rather quickly. It offered the feeling of additional security without inconveniencing users. Twitter, Facebook and Google adopted the method. In fact, the Social Security Administration was poised to adopt it as a primary method to authorize transactions.

However, threat actors quickly realized they could break SMS authentication by intercepting text messages containing OTPs. It wasn’t long before they developed malware that could hijack and redirect SMS messages, and launched social engineering campaigns to trick phone companies into rerouting texts. Recognizing these risks, the National Institute of Standards and Technology’s (NIST) “Digital Identity Guidelines” depreciated the method altogether.

And so the race for a replacement out-of-band authentication method began.

Authentication Apps

Authentication apps represented the next leap forward. These apps use the time-based one-time password (TOTP) algorithm, which combines a secret key with the current time via a cryptographic hash function to generate temporary, single-use passwords.

Like SMS authentication, this method is vulnerable to threats. If the implementation does not limit login attempts, for example, a threat actor could break it with a brute-force attack. In addition, the session that occurs after login is prone to hijacking. Fraudsters can also obtain passwords through phishing attacks, as long as users enter them immediately rather than storing them for later use.

Security Keys

Google has done a lot of work on hardware dongles called security keys (SKs). These keys protect users from threats such as phishing and man-in-the-middle (MitM) attacks by “binding cryptographic assertions to website origin and properties of the TLS connection,” according to a two-year study by the company.

The dongles are designed for the masses with an emphasis on privacy, security and usability. They interface with computers via a USB port. These devices are available from a range of vendors and typically cost between $6 and $18 per unit, far below the total cost of ownership of a smartcard solution. The actual hardware is interoperable and doesn’t greatly impact the overall system.

Of course, there is a catch: The webpage or other entity using the key must leverage a protocol to access the information and obtain cryptographic attestation. However, the protocol has been standardized by the Fast Identity Online (FIDO) Alliance as the Universal Second Factor (U2F). In addition, Google has open sourced a reference implementation of the standard.

Security keys are currently supported only by the Chrome browser and the login systems of certain web service providers such as Google, GitHub and Dropbox. More widespread adoption would increase their effectiveness.

The Future of Two-Factor Authentication

While potential methods such as sensor-based authentication have yet to impact the market due to hardware limitations and other obstacles, we are more likely to see a much-needed universal 2FA system emerge. Some critical systems even require it now, but those are special cases motivated by particular security needs. Unfortunately, the potential of 2FA will remain largely untapped until the masses demand it as part of their everyday computing.

More from Identity & Access

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today