Two-factor authentication can enhance security, but it isn’t a magic bullet
Two-factor authentication is an important security measure; there is no question about that, as it provides an additional layer of security for accounts beyond the password. Factors include knowledge (of a password or PIN), possession (requiring a mobile device or security key) and inherence (facial, fingerprint or iris recognition). With two-factor authentication enabled, either a mobile device or a physical characteristic is required in addition to a password for login. But not all two-factor authentication methods are equally reliable: the more convenient the method, the less secure it is likely to be.
The chimera of possession
Factor identification via text message, one of the most commonly used methods, comes with a significant vulnerability: your employee’s phone service provider. Remember, identification via text message relies on possession as a factor. If a phone or other mobile device is lost, the owner can simply go to her provider, buy a new device, and set it up using the same phone number. All of the information on the old device magically appears on the new one, and text-based factor identification works exactly as it did on the old phone. And there’s the issue: the factor is really the phone number, which the provider can assign to any device.
Moreover, your employees may receive text messages by means other than a phone: messages are sometimes routed to an iPad or an email account, or even read online by users of VoIP services. The conclusion here is clear: one-time passwords sent via text message don’t prove that a device is in the hands of its rightful owner. Worse, attackers who already have other personal information may be able to impersonate a phone’s owner and make changes with the provider that allow access to secure information.
The more devices on which a user receives two-factor codes, the more opportunities for security to be compromised. Other attack techniques can intercept text messages and the authentication codes they carry.
Enhance your two-factor identification method for increased security
SMS-based authentication is better than no two-factor authentication, but fortunately there are better methods available. Five to ten years ago, many large financial services companies and corporations used code-generating hardware tokens — small devices given to employees that generated a new one-time password every thirty seconds. Today, these devices have largely been replaced by code-generating authenticator apps, which can easily be downloaded onto employees’ mobile phones.
Another option is authentication through push approval. Applications like Duo Mobile and Microsoft Authenticator are notified when an employee attempts to log in, and the app presents a prompt the user can simply tap to approve. This is a safer option on iOS devices, as there are malicious Android apps that can feign or hijack push notifications. Again, though, these apps are only as secure as the phone.
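To show what the hardware tokens and authenticator apps described above actually compute, here is an added example (not code from the original article, nor from any product it names) of the HOTP algorithm from RFC 4226 and the time-based TOTP variant from RFC 6238, plus the server-side check that accepts a code. The shared secret is the test key published in those RFCs; the 30-second step, six-digit length and one-step skew window are the common defaults and are assumptions here.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    # The counter is encoded as an 8-byte big-endian integer before hashing.
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algorithm).digest()
    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window,
    # whose top bit is masked off so the result is a positive 31-bit integer.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         t0: int = 0, algorithm=hashlib.sha1) -> str:
    """RFC 6238 time-based one-time password: HOTP whose counter is the number of
    `step`-second intervals elapsed since t0. Token and server only need to agree
    on the secret and a clock, which is why no network is involved."""
    counter = (for_time - t0) // step
    return hotp(secret, counter, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, now: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check. Accepts the code for the current step and up to
    `window` steps on either side to tolerate clock skew, and compares in
    constant time so a mismatch does not leak how many digits were right."""
    counter = now // step
    for offset in range(-window, window + 1):
        expected = hotp(secret, counter + offset, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are provisioned with the secret as a Base32 string
    (the otpauth:// QR code). Padding is restored before decoding."""
    padded = encoded.strip().upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded)


# Constructed demo using the RFC 4226 / RFC 6238 test key.
RFC_TEST_KEY = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC_TEST_KEY, now))
    print("accepted:", verify_totp(RFC_TEST_KEY, totp(RFC_TEST_KEY, now), now))
```

The whole scheme rests on the shared secret: anyone who copies it from the phone, the QR code or the server database can generate the same codes, which is the sense in which these apps are "only as secure as the phone". A server should also record the last counter it accepted and refuse a repeat, since a one-time password that can be replayed within its window is no longer one-time.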
The most secure type of two-factor authentication is a USB security key. This device plugs into the USB port of an employee’s laptop and is registered with an online service using a computer already “trusted” by the service. USB keys are relatively new to the market, support isn’t yet widespread, and they’re expensive. Growing pains aside, these security keys offer the most secure two-factor authentication available.
Reviewing access and login processes is a vital first step in beefing up system security and safeguarding your company’s data against predators. Throughout April, we’ll look at several measures companies can take to protect themselves and their clients.
About the Author
Dan is the man behind the scenes but if you’re a client of ours, you likely have spoken with him. Dan Tomaszewski is our V.P. of Application Support and has the enviable job of supporting our clients around the clock. With over 20 years of experience in the financial services industry, he has built a career on supporting traders and operational clients in optimizing post-trading infrastructures. Dan can help solve your most complex operational challenges through the implementation of a variety of post-trade solutions including trade reconciling, allocating, flow, clearing, and risk.