August 9, 2017 By Larry Loeb 3 min read

Remote authentication traditionally depends on two factors: something the user knows, such as a password, and something the user has, such as a hardware token. This is called two-factor authentication (2FA).

In practice, something that the entity knows typically serves as the primary method of authentication. Passwords have long reigned supreme because they are simple to create. There has been some progress in the area of token-based authentication, but this method has yet to gain widespread acceptance. This might be due to the need to securely disseminate hardware tokens to users, not to mention the cost of the token and reader.

Before we speculate on the future of this technology, let’s take a look at the evolution of several forms of two-factor authentication.

SMS Authentication

As the internet grew more pervasive, passwords became ineffective — even when accompanied by a static digital certificate. A password could be easily stolen by a threat actor, who could then fully impersonate the user if the password was the only bar on the gate.

In one of the first forms of 2FA, one-time passwords (OTPs) were sent via short message service (SMS) to users’ phones. Of course, a user was required to enter a valid phone number to receive the SMS push, but there was no real way to verify that the number truly belonged to that user.

This kind of 2FA became popular rather quickly. It offered the feeling of additional security without inconveniencing users. Twitter, Facebook and Google adopted the method. In fact, the Social Security Administration was poised to adopt it as a primary method to authorize transactions.

However, threat actors quickly realized they could break SMS authentication by intercepting text messages containing OTPs. It wasn’t long before they developed malware that could hijack and redirect SMS messages, and launched social engineering campaigns to trick phone companies into rerouting texts. Recognizing these risks, the National Institute of Standards and Technology’s (NIST) “Digital Identity Guidelines” deprecated the method altogether.

And so the race for a replacement out-of-band authentication method began.

Authentication Apps

Authentication apps represented the next leap forward. These apps use the time-based one-time password (TOTP) algorithm, which combines a secret key with the current time via a cryptographic hash function to generate temporary, single-use passwords.

Like SMS authentication, this method is vulnerable to threats. If the implementation does not limit login attempts, for example, a threat actor could break it with a brute-force attack. In addition, the session that occurs after login is prone to hijacking. Fraudsters can also obtain the one-time passwords through phishing attacks, provided they use a captured code right away rather than saving it for later, since each code expires after a short interval.
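As an added illustration (not part of the original article), the following Python implements the TOTP algorithm described above (RFC 6238: HMAC-SHA1 over a time-step counter, 30-second steps) together with a server-side verifier that applies the mitigations the paragraph implies: a bounded clock-skew window, rejection of codes whose time step has already been used, and a lockout after repeated wrong codes. The secret used in the demo is the RFC 4226/6238 test-vector key, and the thresholds and timestamps are constructed for the example.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 30  # TOTP time step used by common authenticator apps


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side TOTP check with the controls a deployment needs.

    - window: accept codes from +/- this many steps to absorb clock skew
    - replay protection: a time step is never accepted twice
    - lockout: after max_failures wrong codes, refuse attempts for lockout_seconds
    """

    def __init__(self, secret: bytes, window: int = 1, max_failures: int = 5,
                 lockout_seconds: int = 300, digits: int = 6):
        self.secret = secret
        self.window = window
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.digits = digits
        self.failures = 0
        self.locked_until = 0
        self.last_counter = -1  # highest time step already consumed

    def check(self, code: str, now: int) -> str:
        """Return 'ok', 'bad' or 'locked' for a code submitted at unix time `now`."""
        if now < self.locked_until:
            return "locked"
        # Only ASCII digit strings of the right length are even compared.
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return self._record_failure(now)
        counter = now // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # this step (or an older one) was already used: reject replay
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_counter = candidate
                self.failures = 0
                return "ok"
        return self._record_failure(now)

    def _record_failure(self, now: int) -> str:
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
            return "locked"
        return "bad"


if __name__ == "__main__":
    # Constructed demo: the RFC 4226 / RFC 6238 test-vector key (ASCII "12345678901234567890").
    demo_secret = b"12345678901234567890"
    print(totp(demo_secret, 59))  # RFC 6238 vector at T=59: 287082
    verifier = TotpVerifier(demo_secret, max_failures=3)
    print(verifier.check("287082", 59))  # ok
    print(verifier.check("287082", 59))  # bad: same step replayed
```

The verifier accepts a code from the previous or next step (`window=1`) so a phone whose clock drifts by a few seconds still works, but once a step has been consumed it is never accepted again, which closes the window in which a phished code could be replayed. The lockout counter is what makes the brute-force attack mentioned above impractical: with six digits there are a million candidates, so a cap of a handful of tries per lockout period leaves an attacker with a negligible success probability.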

Security Keys

Google has done a lot of work on hardware dongles called security keys (SKs). These keys protect users from threats such as phishing and man-in-the-middle (MitM) attacks by “binding cryptographic assertions to website origin and properties of the TLS connection,” according to a two-year study by the company.

The dongles are designed for the masses with an emphasis on privacy, security and usability. They interface with computers via a USB port. These devices are available from a range of vendors and typically cost between $6 and $18 per unit, far below the total cost of ownership of a smartcard solution. The actual hardware is interoperable and doesn’t greatly impact the overall system.

Of course, there is a catch: The webpage or other entity using the key must leverage a protocol to access the information and obtain cryptographic attestation. However, the protocol has been standardized by the Fast Identity Online (FIDO) Alliance as the Universal Second Factor (U2F). In addition, Google has open sourced a reference implementation of the standard.

Security keys are currently supported only by the Chrome browser and the login systems of certain web service providers such as Google, GitHub and Dropbox. More widespread adoption would increase their effectiveness.

The Future of Two-Factor Authentication

While potential methods such as sensor-based authentication have yet to impact the market due to hardware limitations and other obstacles, we are more likely to see a much-needed universal 2FA system emerge. Some critical systems even require it now, but those are special cases motivated by particular security needs. Unfortunately, the potential of 2FA will remain largely untapped until the masses demand it as part of their everyday computing.
