Remote authentication traditionally depends on two factors: something the user knows, such as a password, and something the user has, such as a hardware token. This is called two-factor authentication (2FA).

In practice, something that the entity knows typically serves as the primary method of authentication. Passwords have long reigned supreme because they are simple to create. There has been some progress in the area of token-based authentication, but this method has yet to gain widespread acceptance. This might be due to the need to securely disseminate hardware tokens to users, not to mention the cost of the token and reader.

Before we speculate on the future of this technology, let’s take a look at the evolution of several forms of two-factor authentication.

SMS Authentication

As the internet grew more pervasive, passwords became ineffective — even when accompanied by a static digital certificate. A password could be easily stolen by a threat actor, who could then fully impersonate the user if the password was the only bar on the gate.

In one of the first forms of 2FA, one-time passwords (OTPs) were sent via short message service (SMS) to users’ phones. Of course, a user was required to enter a valid phone number to receive the SMS push, but there was no real way to verify that the number truly belonged to that user.

This kind of 2FA became popular rather quickly. It offered the feeling of additional security without inconveniencing users. Twitter, Facebook and Google adopted the method. In fact, the Social Security Administration was poised to adopt it as a primary method to authorize transactions.

However, threat actors quickly realized they could break SMS authentication by intercepting text messages containing OTPs. It wasn’t long before they developed malware that could hijack and redirect SMS messages, and launched social engineering campaigns to trick phone companies into rerouting texts. Recognizing these risks, the National Institute of Standards and Technology’s (NIST) “Digital Identity Guidelines” deprecated the method altogether.

And so the race for a replacement out-of-band authentication method began.

Authentication Apps

Authentication apps represented the next leap forward. These apps use the time-based one-time password (TOTP) algorithm, which combines a secret key with the current time via a cryptographic hash function to generate temporary, single-use passwords.

Like SMS authentication, this method is vulnerable to threats. If the implementation does not limit login attempts, for example, a threat actor could break it with a brute-force attack. In addition, the session established after login is prone to hijacking. Fraudsters can also obtain TOTP codes through phishing attacks, as long as the stolen codes are entered immediately, since they expire rather than remaining usable for later use.

Security Keys

Google has done a lot of work on hardware dongles called security keys (SKs). These keys protect users from threats such as phishing and man-in-the-middle (MitM) attacks by “binding cryptographic assertions to website origin and properties of the TLS connection,” according to a two-year study by the company.

The dongles are designed for the masses with an emphasis on privacy, security and usability. They interface with computers via a USB port. These devices are available from a range of vendors and typically cost between $6 and $18 per unit, far below the total cost of ownership of a smartcard solution. The actual hardware is interoperable and doesn’t greatly impact the overall system.

Of course, there is a catch: The webpage or other entity using the key must leverage a protocol to access the information and obtain cryptographic attestation. However, the protocol has been standardized by the Fast Identity Online (FIDO) Alliance as the Universal Second Factor (U2F). In addition, Google has open sourced a reference implementation of the standard.

Security keys are currently supported only by the Chrome browser and the login systems of certain web service providers such as Google, GitHub and Dropbox. More widespread adoption would increase their effectiveness.

The Future of Two-Factor Authentication

While potential methods such as sensor-based authentication have yet to impact the market due to hardware limitations and other obstacles, we are more likely to see a much-needed universal 2FA system emerge. Some critical systems even require it now, but those are special cases motivated by particular security needs. Unfortunately, the potential of 2FA will remain largely untapped until the masses demand it as part of their everyday computing.
