Two-factor authentication (2FA) has been around for a long time, at least in sci-fi. Remember this exchange from 1969?
Captain Kirk: Computer, this is Captain James Kirk of the USS Enterprise. Destruct sequence 1: code 1-1A.
Computer voice: Voice and code 1-1A verified and correct. Sequence 1 complete.
Notice that Kirk had to provide two things to access the computer’s self-destruct system: a code and his voice print. The code is like a password, and the voice print is a second authentication factor. (No, it’s not a good password. Kudos to you for noticing!)
Two-factor authentication like this seems like a great idea today, when hardly a week goes by without a story in the news about user IDs and passwords being stolen and misused by hackers. Of course, the most common second factor today isn’t a voice print, but a code the company sends to either your mobile device or a token device that you’ve been issued. Essentially, the company is requiring not only “something you know” (your user ID and password), but also “something you have” (your phone or token). That way, even if hackers steal your user ID and password, they should be unable to gain access to your account.
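To make the “something you know” plus “something you have” check concrete, here is a small Python login routine added as an illustration; it is not code from the original post. It assumes the token or phone app produces codes with the RFC 6238 TOTP algorithm (HMAC-SHA1 over a 30-second time step), which the post does not specify, and the user record, salt and shared secret (the RFC 6238 test-vector key) are constructed for the demo. The point it shows is that a stolen user ID and password alone cannot pass the check: without the secret held by the device, the attacker cannot produce a valid code.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo user record (assumption, not from the post). A real system would
# store this in a database and use a slow password hash such as bcrypt/scrypt/argon2.
PASSWORD_SALT = b"demo-salt"
USER = {
    "user_id": "kirk",
    "password_hash": hashlib.pbkdf2_hmac("sha256", b"1-1A", PASSWORD_SALT, 100_000),
    # RFC 6238 test-vector secret, used here only so the codes are reproducible.
    "totp_secret": b"12345678901234567890",
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, at // step, digits)


def check_password(user: dict, password: str) -> bool:
    """Factor one ("something you know"): compare hashes in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 100_000)
    return hmac.compare_digest(candidate, user["password_hash"])


def check_totp(user: dict, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Factor two ("something you have"): accept the code for the current step or one
    step either side to tolerate clock drift (a common cause of "the code won't work"),
    comparing in constant time so timing does not reveal how many digits matched."""
    ok = False
    for delta in range(-skew, skew + 1):
        expected = totp(user["totp_secret"], at + delta * step, step)
        if hmac.compare_digest(expected, code):
            ok = True
    return ok


def login(user: dict, password: str, code: str, at: int = None) -> bool:
    """Both factors must pass. Both are always evaluated so a failure does not tell the
    caller which factor was wrong."""
    if at is None:
        at = int(time.time())
    pw_ok = check_password(user, password)
    otp_ok = check_totp(user, code, at)
    return pw_ok and otp_ok


if __name__ == "__main__":
    now = int(time.time())
    # The legitimate device knows the secret and can mint the current code.
    device_code = totp(USER["totp_secret"], now)
    print("password + device code:", login(USER, "1-1A", device_code, now))   # True
    # A thief with only the password has to guess the code.
    print("password + guessed code:", login(USER, "1-1A", "000000", now))     # almost certainly False
```

The `skew` window is a deliberate trade-off: widening it reduces user frustration with drifting clocks but also widens the set of codes an attacker could replay, so production systems usually pair it with a record of the last accepted time step and a rate limit on failed attempts.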
Of course, the second factor doesn’t have to be a code. For example, at your ATM, you probably have to supply both your PIN and your physical bank card. Biometrics (“something you are” rather than “something you have”) are gaining ground, too, working hard to catch up with sci-fi — not just voice printing, but fingerprints, facial recognition, retina scans and more. However, it is important to understand that biometrics and 2FA are not the same thing. In fact, in both fiction and reality, biometrics often replace, rather than supplement, a user ID and password. The thumb prints in Back to the Future 2 and the retina scans in Minority Report are high-tech versions of swiping your employee badge to get into the building when you go to work — not 2FA, but just single-factor authentication using a different factor.
What’s not to love about 2FA?
Two-factor authentication improves security by making a hacker’s job tougher. But (of course there’s a “but”!) 2FA comes at a price (both figurative and literal), and it’s not foolproof.
The figurative cost of 2FA is inconvenience. Users don’t want to have to enter yet another factor on top of the complex passwords that IT is already making them invent and constantly change. And sometimes the code they’re sent won’t work, forcing them to request another and another until one is finally accepted or they just smash the token in frustration. Speaking of tokens: The last thing users want is a pocket or drawer full of key fobs. Using a phone to get the code is more acceptable to most users; after all, most people keep their phones with them. Usually. But what happens if you’re on a business trip and your phone is safely on the nightstand at home? Or it’s lost or just refuses to take a charge today? There’s that “f” word again: frustration!
The literal cost is, of course, money. Tokens are expensive to acquire, dole out, maintain and replace. Using SMS codes on smartphones also requires a certain amount of infrastructure, software, maintenance and user support. And of course, the cost of technologies like iris scanners is still prohibitive in most scenarios. Plus, remember the user frustration we just talked about? That hits the bottom line, too, in the form of lost user productivity and lots and lots of helpdesk calls.
Beyond the various costs of 2FA, there are the security concerns. Sci-fi gets it right: two-factor authentication just isn’t as good as it’s cracked up to be. While we may not yet have to worry about androids that can mimic your voice and shape-shifters that can assume your form down to your fingerprints, hackers can and do already intercept SMS codes and impersonate users through social engineering to redirect where the texts are sent. Do biometrics seem more secure? In 2006, the Mythbusters team was able to fool a fingerprint scanner by copying the fingerprint they needed onto latex, gel, and even paper! Of course, technology keeps evolving and those copies probably wouldn’t work today, but hackers are increasingly inventive and sophisticated, too. Even if you could afford to keep buying the latest technology, do you really want to bet your security on the good guys staying ahead?
If not, what’s the next logical step? Adding more factors to the authentication process. Watch for our upcoming blog, “What is multi-factor authentication?” to learn more.