Remote authentication traditionally depends on two factors: something the user knows, such as a password, and something the user has, such as a hardware token. This is called two-factor authentication (2FA).

In practice, something that the entity knows typically serves as the primary method of authentication. Passwords have long reigned supreme because they are simple to create. There has been some progress in the area of token-based authentication, but this method has yet to gain widespread acceptance. This might be due to the need to securely disseminate hardware tokens to users, not to mention the cost of the token and reader.

Before we speculate on the future of this technology, let’s take a look at the evolution of several forms of two-factor authentication.

SMS Authentication

As the internet grew more pervasive, passwords became ineffective — even when accompanied by a static digital certificate. A password could be easily stolen by a threat actor, who could then fully impersonate the user if the password was the only bar on the gate.

In one of the first forms of 2FA, one-time passwords (OTPs) were sent via short message service (SMS) to users’ phones. Of course, a user was required to enter a valid phone number to receive the SMS push, but there was no real way to verify that the number truly belonged to that user.

This kind of 2FA became popular rather quickly. It offered the feeling of additional security without inconveniencing users. Twitter, Facebook and Google adopted the method. In fact, the Social Security Administration was poised to adopt it as a primary method to authorize transactions.

However, threat actors quickly realized they could break SMS authentication by intercepting the text messages containing OTPs. It wasn’t long before they developed malware that could hijack and redirect SMS messages, and launched social engineering campaigns to trick phone companies into rerouting texts. Recognizing these risks, the National Institute of Standards and Technology (NIST) “Digital Identity Guidelines” deprecated the method altogether.

And so the race for a replacement out-of-band authentication method began.

Authentication Apps

Authentication apps represented the next leap forward. These apps use the time-based one-time password (TOTP) algorithm, which combines a secret key with the current time via a cryptographic hash function to generate temporary, single-use passwords.

Like SMS authentication, this method is vulnerable to threats. If the implementation does not limit login attempts, for example, a threat actor could guess a valid code by brute force. In addition, the session established after login is prone to hijacking. Fraudsters can also obtain codes through phishing attacks: because users enter them immediately rather than storing them for later use, a phished code is still inside its validity window when the attacker relays it.
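To make the two preceding paragraphs concrete, the following is an added example (not code from the original article or from any authenticator app vendor) of the TOTP algorithm as specified in RFC 6238 on top of RFC 4226 HOTP, together with the server-side checks the text says a weak implementation omits: a bounded window of accepted time steps, rejection of a code that has already been accepted (so a relayed or replayed code cannot be used twice), and a failure counter with lockout so the six-digit space cannot be brute-forced. The shared secret is the RFC 6238 test-vector key, so the generated codes can be checked against the published vectors; the class and function names are this example's own.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per time step, the value authenticator apps default to
DIGITS = 6       # code length shown to the user

# RFC 6238 Appendix B test-vector secret (ASCII "12345678901234567890"), used here
# only so the output can be compared with the published vectors.
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter replaced by the current time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side verifier with the controls a careless implementation leaves out."""

    def __init__(self, secret: bytes, window: int = 1, max_attempts: int = 5,
                 lockout_seconds: int = 300):
        self.secret = secret
        self.window = window                 # accept +/- this many steps of clock drift
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.last_accepted_step = -1         # highest step already used for a login
        self.failures = 0
        self.locked_until = 0

    def verify(self, submitted: str, now: int) -> str:
        """Return 'ok', 'invalid' or 'locked'. `now` is Unix time in seconds."""
        if now < self.locked_until:
            return "locked"
        step = now // TIME_STEP
        if submitted.isascii() and submitted.isdigit() and len(submitted) == DIGITS:
            for candidate in range(step - self.window, step + self.window + 1):
                if candidate <= self.last_accepted_step:
                    continue                 # one-time use: never accept an older/used step
                if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                    self.last_accepted_step = candidate
                    self.failures = 0
                    return "ok"
        # wrong or malformed code: count it, and lock the account after too many
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
            return "locked"
        return "invalid"


if __name__ == "__main__":
    # Unix time 59 is step 1; the RFC vector for that step is 94287082 (8 digits).
    print(hotp(RFC6238_SECRET, 1, 8), totp(RFC6238_SECRET, 59))
```

The replay check is what turns a phished code into a race the attacker must win: once the user's own login has consumed a step, the same code presented again (or any older step) is refused, and the attempt limit bounds how many guesses a brute-force client gets before lockout.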

Security Keys

Google has done a lot of work on hardware dongles called security keys (SKs). These keys protect users from threats such as phishing and man-in-the-middle (MitM) attacks by “binding cryptographic assertions to website origin and properties of the TLS connection,” according to a two-year study by the company.

The dongles are designed for the masses with an emphasis on privacy, security and usability. They interface with computers via a USB port. These devices are available from a range of vendors and typically cost between $6 and $18 per unit, far below the total cost of ownership of a smartcard solution. The actual hardware is interoperable and doesn’t greatly impact the overall system.

Of course, there is a catch: The webpage or other entity using the key must leverage a protocol to access the information and obtain cryptographic attestation. However, the protocol has been standardized by the Fast Identity Online (FIDO) Alliance as the Universal Second Factor (U2F). In addition, Google has open sourced a reference implementation of the standard.
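The "binding cryptographic assertions to website origin" that the study describes is easiest to see in a simulated exchange. The following is an added example (not code from the article, Google or the FIDO Alliance) that models the U2F authentication message: the key signs over the application parameter (SHA-256 of the origin), a user-presence byte, a monotonically increasing counter and the hash of the browser-built client data, which carries the challenge and the origin the browser actually loaded. One simplification is labelled in the code: a real key signs with a per-registration ECDSA P-256 private key and the site keeps only the public key, whereas here the signature is an HMAC keyed by a per-registration secret, which is enough to show why a code obtained on a phishing origin cannot be turned into a valid assertion for the real site. All class and function names are this example's own.

```python
import hashlib
import hmac
import json
import os
import struct

USER_PRESENCE = b"\x01"   # byte the key sets after the user touches it


def client_data_hash(client_data: dict) -> bytes:
    """Hash of the browser-built client data (challenge + origin), as in U2F."""
    return hashlib.sha256(json.dumps(client_data, sort_keys=True).encode()).digest()


class SecurityKey:
    """Toy hardware token. STAND-IN: HMAC with a per-registration secret replaces ECDSA."""

    def __init__(self):
        self._registrations = {}   # key handle -> (secret, application parameter)
        self._counter = 0

    def register(self, app_param: bytes):
        handle, secret = os.urandom(16), os.urandom(32)
        self._registrations[handle] = (secret, app_param)
        return handle, secret      # in real U2F the site would receive a public key here

    def authenticate(self, handle: bytes, app_param: bytes, cd_hash: bytes):
        secret, registered_app = self._registrations[handle]
        if registered_app != app_param:
            # The key handle is bound to the origin it was registered for; a page on
            # another origin cannot use it, which is what defeats a phishing relay.
            raise ValueError("key handle is not valid for this application")
        self._counter += 1
        signed = app_param + USER_PRESENCE + struct.pack(">I", self._counter) + cd_hash
        return self._counter, hmac.new(secret, signed, hashlib.sha256).digest()


class RelyingParty:
    """The web site: issues challenges and verifies assertions."""

    def __init__(self, origin: str):
        self.origin = origin
        self.app_param = hashlib.sha256(origin.encode()).digest()
        self.registrations = {}    # key handle -> [verification key, last counter seen]

    def register(self, key: SecurityKey) -> bytes:
        handle, verify_key = key.register(self.app_param)
        self.registrations[handle] = [verify_key, 0]
        return handle

    def new_challenge(self) -> bytes:
        return os.urandom(32)

    def verify(self, handle, challenge, client_data, counter, sig) -> str:
        verify_key, last_counter = self.registrations[handle]
        if client_data.get("origin") != self.origin:
            return "origin mismatch"            # assertion was made for some other site
        if client_data.get("challenge") != challenge.hex():
            return "challenge mismatch"         # not the challenge this login was issued
        signed = (self.app_param + USER_PRESENCE + struct.pack(">I", counter)
                  + client_data_hash(client_data))
        expected = hmac.new(verify_key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return "bad signature"
        if counter <= last_counter:
            return "counter did not increase"   # replay, or a cloned key
        self.registrations[handle][1] = counter
        return "ok"


def browser_sign(key: SecurityKey, handle: bytes, page_origin: str, challenge: bytes):
    """What the browser does: the origin comes from the page it loaded, not from the page's JS."""
    client_data = {"typ": "navigator.id.getAssertion",
                   "challenge": challenge.hex(), "origin": page_origin}
    app_param = hashlib.sha256(page_origin.encode()).digest()
    counter, sig = key.authenticate(handle, app_param, client_data_hash(client_data))
    return client_data, counter, sig


def phishing_relay(key, rp, handle, attacker_origin: str) -> str:
    """Attacker forwards the real site's challenge from a look-alike origin (constructed scenario)."""
    challenge = rp.new_challenge()
    try:
        browser_sign(key, handle, attacker_origin, challenge)
    except ValueError as exc:
        return f"device refused: {exc}"
    return "device signed for attacker origin"
```

The three checks on the site side are independent: the origin check catches client data built on another site, the challenge check ties the assertion to this login, and the counter check flags replays of a captured assertion. The key's own application-parameter check is the first line, which is why the phishing simulation never even produces a signature.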

Security keys are currently supported only by the Chrome browser and the login systems of certain web service providers such as Google, GitHub and Dropbox. More widespread adoption would increase their effectiveness.

The Future of Two-Factor Authentication

While potential methods such as sensor-based authentication have yet to impact the market due to hardware limitations and other obstacles, we are more likely to see a much-needed universal 2FA system emerge. Some critical systems even require it now, but those are special cases motivated by particular security needs. Unfortunately, the potential of 2FA will remain largely untapped until the masses demand it as part of their everyday computing.
