DOC RABE Media - Fotolia

How can two-factor authentication systems be used effectively?

Two-factor authentication systems require more than using codes sent through SMS and smart cards. Expert Michael Cobb explains how to properly and effectively implement 2FA.

In the recent past, we have seen many institutions using smart cards and one-time passwords (a code sent to a registered mobile number via SMS) as two-factor authentication systems. However, going by one of your previous articles, this kind of 2FA doesn't fulfill the requirement of true two-factor authentication, since both the card and mobile device are owned by the same individual. What are your views on the effectiveness of this method? Are there better ways to do two-factor authentication?

As I explained in my earlier article on two-factor authentication (2FA), the ways in which someone can be authenticated fall into three categories based on what are called the factors of authentication:

  1. Knowledge factors, or something you know, such as a password, PIN or personal knowledge question, such as the name of your pet.
  2. Ownership factors, or something you have -- this could be an ID card, a hardware or software token or a phone.
  3. Inherence factors, more commonly called biometrics -- personal attributes, such as fingerprints and face and voice recognition. This also includes behavioral biometrics, such as keystroke dynamics.

For a positive identification and to be classified as a two-factor authentication system, these systems have to verify elements from at least two of these factors. So verifying a user's password (knowledge factor) and proving they have possession of the correct hardware token (ownership factor) is 2FA, but verifying a password and the name of the user's pet isn't, as both are knowledge factors.

Plenty of online authentication systems send a code number via SMS to a user's mobile phone, which then has to be typed into a login page as part of the authentication process. This establishes that the user is in possession of the phone registered with that account -- this is an ownership factor, since the code does not count as a knowledge factor. To qualify as true two-factor authentication systems, the second identification check has to be something other than ownership, such as a password or biometric factor.

SMS-based verification is popular because it's cheap, easy to implement and provides a straightforward user experience, but these features don't necessarily mean that it is robust. In fact, although SMS codes are convenient, the National Institute of Standards and Technology's (NIST) recently released Special Publication 800-63-3: Digital Authentication Guidelines recommends that SMS should no longer be used in two-factor authentication systems. There are various problems with the security of SMS delivery that make it vulnerable as a means of establishing identity, including mobile phone number portability, attacks like the Signaling System 7 hack against the mobile phone network and malware that can redirect text messages.

NIST's recommendation will lead to an increase in use of other authentication technologies, including biometrics, USB security tokens and smart cards. Many are taking advantage of the FIDO (Fast Identity Online) specification, which supports a wide range of authentication technologies, particularly as no user information or encryption keys are shared between the service providers. The presence of high-quality cameras, microphones and fingerprint readers on many of today's devices means biometrics may well become the primary authentication factor soon.

Any enterprises that use authentication systems that rely on only one factor of authentication should do a risk assessment to see whether their system provides the relevant level of security for the data or application to which it is controlling access. Enterprises running networks with sensitive resources should consider upgrading to multifactor solutions that can provide context and constant behavioral checks.

Factors such as geolocation, type of device and time of day add context that helps determine the level of trust and whether the user should be authenticated or blocked. Behavioral biometric identifiers, like a user's keystroke length, typing speed and mouse movements, can be discreetly monitored in real time to provide continuous authentication, instead of a single, one-time authentication check during login. These are fast becoming essential checks to prevent unauthorized access to enterprise and user data.

Next Steps

Find out how enterprises are using behavioral biometric technology

Compare the pros and cons of two-factor and multifactor authentication

Learn how to keep user roles and privileges aligned in your enterprise

Dig Deeper on Identity and access management