In a New York Times article last week, Brian X. Chen discussed the importance of consumers implementing two-factor authentication (2FA) in the wake of the disclosure that Facebook had insecurely stored hundreds of millions of users’ passwords.
While many organizations use poor hygiene when storing passwords, a large portion of these passwords are already widely available on the dark web due to previous breaches. Decades of experience show us that the password is an archaic method of authentication and simply isn’t enough to protect against today’s identity-related breaches. The continued reliance on passwords is not sustainable and fails businesses and consumers alike.
With 81% of data breaches attributed to attackers leveraging weak or compromised credentials, our goal should be to render stolen credentials useless to an attacker. Unfortunately, because people reuse passwords across multiple websites, a password leak at one site can have far-reaching consequences. Chen argues that implementing 2FA will stop this.
While 2FA is a step in the right direction, it is only part of the puzzle in addressing today’s threat landscape. Attackers have demonstrated multiple techniques for bypassing 2FA, including real-time phishing, malware, phone fraud, and text and voice call interception. A January article by Josephine Wolff in the NY Times discusses several examples of attackers who have defeated an organization’s basic two-factor authentication methods.
The future of access protection lies in reducing the impact of human error on the authentication process by adopting a passwordless model. To achieve this, organizations need to move beyond basic 2FA by applying an adaptive, risk-based approach combined with strong multi-factor authentication for their users. This type of access control solution uses real-time data as part of the authentication workflow to thwart attackers, even when they have stolen passwords or intercepted SMS one-time passcodes.
Adaptive risk-based authentication includes techniques such as IP address analysis, geographic location data, geo-velocity checks, phone porting fraud checks and a collection of other risk checks that are largely transparent to the user, only adding extra authentication steps when risk is found. As a result, the technology has the rare quality of improving security posture without impacting user experience.
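As an added illustration of the geo-velocity check listed above (example code written for this page, not any vendor’s implementation): it derives the travel speed implied by two consecutive logins for the same account and asks for a second factor when that speed is implausible. The speed threshold, the IP-to-location mapping and the sample login events are all assumptions.

```python
# Added example: a geo-velocity ("impossible travel") risk check of the kind the
# post lists. Not vendor code; thresholds and sample events are assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumption: roughly airliner speed


@dataclass(frozen=True)
class LoginEvent:
    when: datetime   # timezone-aware UTC timestamp of the login
    ip: str          # source IP address
    lat: float       # location geolocated from the IP (assumed already resolved)
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def assess_login(prev: LoginEvent, curr: LoginEvent,
                 max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> tuple[str, str]:
    """Return ("allow" | "step_up", reason); step_up means require a second factor."""
    if curr.ip == prev.ip:
        return "allow", "same source IP as previous login"
    dist = haversine_km(prev.lat, prev.lon, curr.lat, curr.lon)
    hours = (curr.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        # Simultaneous or out-of-order events: risky only if the location moved.
        return ("step_up", "location changed with no elapsed time") if dist > 0 else ("allow", "no movement")
    speed = dist / hours
    if speed > max_speed_kmh:
        return "step_up", f"implied speed {speed:.0f} km/h exceeds {max_speed_kmh:.0f} km/h"
    return "allow", f"implied speed {speed:.0f} km/h is plausible"


# Constructed sample events: city-centre coordinates, IPs from documentation ranges.
NYC_NOON = LoginEvent(datetime(2019, 4, 1, 12, 0, tzinfo=timezone.utc), "192.0.2.10", 40.7128, -74.0060)
LONDON_1PM = LoginEvent(datetime(2019, 4, 1, 13, 0, tzinfo=timezone.utc), "198.51.100.7", 51.5074, -0.1278)
PHILLY_1PM = LoginEvent(datetime(2019, 4, 1, 13, 0, tzinfo=timezone.utc), "203.0.113.5", 39.9526, -75.1652)

if __name__ == "__main__":
    for curr in (LONDON_1PM, PHILLY_1PM):
        print(assess_login(NYC_NOON, curr))  # London: step_up; Philadelphia: allow
```

In a real deployment the same decision would be fed by the other signals the paragraph names (IP reputation, phone-porting status), with step-up triggered when any of them crosses its threshold.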
Because stolen credentials are so valuable, cybercriminals invest significant time and technology in searching for them. We agree that consumers should be encouraged to practice good password hygiene and use 2FA where possible, but we also call on organizations to move beyond traditional password use and ineffective 2FA methods towards adaptive authentication solutions that both maximize identity security and improve user experience.
For more information on how attackers bypass 2FA, download our “2FA is only as good as the risk checks that strengthen it” infographic.