Five myths about two-factor authentication
Too many organizations allow themselves to be vulnerable to cybercrime because of prevailing myths about the cost, inconvenience, and efficacy of two-factor authentication; close examination reveals these myths to be just that — myths
As more and more people shop on line, more and more cybercriminals have noted the opportunity to exploit online victims. Identity theft and online fraud are on the rise. Between December 2007 and February 2008, researchers measured a 70 percent increase in phishing. When Internet users fall for phishing scams, they can unwittingly hand over sensitive personal information, including user names, passwords, credit card numbers and Social Security numbers. The costs are dear. A Gartner study reported that businesses lost $3.2 billion due to phishing in 2007. In addition to monetary costs, the targeted company also suffers damage to its brand.
Kerry Loftus writes in SC Mazgazine that facing a climate in which both opportunities and threats are growing daily, online businesses are looking for ways to strengthen the authentication they provide online — and among these is two-factor authentication (2FA), a stronger form of verification that has been successfully implemented within enterprises for fifteen years now. Two-factor authentication combines what the end-user knows — a user name and password — with what he has — a one-time password generated by a physical device. “A user can’t successfully sign on without both. It’s a combination that makes it very difficult for criminals to gain authorized access to accounts and information, because the thieves must possess not only the user name and password, but the consumer’s physical credentials as well,” Loftus writes.
To use 2FA, consumers acquire a credential — available in a variety of convenient formats — that generates a one-time password for every sign-on. During an online session, this one-time password is entered along with the user’s usual account name and password. Users achieve strong authentication and secure their identities when the site verifies the one-time password and matches it to the user.
Loftus writes that it is true that the 2FA models implemented over a decade ago do not meet the needs of today’s complex and convenience-oriented consumer environment. What she is concerned about is that there are too many myths about what it would take for organizations to implement the relevant, state-of-the-art online security. She highlights — and refutes — the five myths that have gained hold in the discussion about security in the organization (here we provide only the list of myths; see her article for the refutation of each):
Myth No. 1: The “token necklace effect” — consumers will need to carry dozens of credentials with them to log in to all their online accounts, and this will make 2FA a burden for users and impractical for site operators.
Myth No. 2: Judging from what enterprises have spent on their implementations, 2FA is just too expensive for the consumer market.
Myth No. 3: It is risky to invest in a 2FA platform based on today’s consumer preferences, when tomorrow’s consumer preferences could be totally different.
Myth No. 4: Whatever advantage the 2FA network model may offer, it is not enough to draw new members into these alliances.
Myth No. 5: Consumer 2FA is long on hype but short on real-world successes.
“These five myths all mirror outdated perceptions of 2FA, perceptions based on decade-old enterprise models that are irrelevant to today’s consumer paradigm,” Loftus writes. “Poking holes in these myths merely requires a balanced assessment of the risks faced by consumers, the cost of implementing 2FA, and the resulting quality of the consumer’s online experience. Doing so will reveal why it makes good business sense to protect a company’s customers — and its own vital interests — with a strong two-factor authentication solution.”