The old adage “Why do robbers target banks? Because that’s where the money is” has never rung truer than it does today, when we consider the rise in attacks designed to steal identity credentials. Now more than ever, businesses need to reflect on their existing security approach and weigh the cost of “doing nothing.”
As the chief business officer for Unbound, I frequently speak with prospective and existing customers who are using inefficient and cumbersome ways of authenticating their customers and employees. They typically use these methods because that is simply the way they have been doing things for years, not because it is the best or most effective way. I love seeing the moment when it becomes apparent to them that there is a better, more secure, and more efficient way. Before we can deploy for the future, though, let’s take a step back and revisit the world of multi-factor authentication.
There is Nothing Current About Two-Factor Authentication
You may find it hard to believe that two-factor authentication (2FA) was already being promoted as a necessary authentication principle around the same time that Bill Gates predicted, back in 2004, that passwords would fade into the sunset. Over the 16 years since, the role and goal of passwords, and of the 2FA approach in particular, have continued to evolve, but the methodology remains inherently vulnerable. Independent of form factor, from hardware (HW) tokens to software authenticators to SMS one-time passwords (OTP), code-based factors share the same fundamental flaw: the user is shown a piece of information, the one-time password or authorization code, and anything a user can read can be typed into the wrong page, relayed by a phishing proxy, or read out over the phone to a social engineer. To paraphrase a famous professor I know, once something is known, it can be shared.
From a business perspective, there are substantial costs and risks that could largely be avoided, including the following:
Initial Costs: 2FA solutions are difficult to implement and integrate into existing application frameworks. Anything that touches the server infrastructure behind mobile, web and desktop applications carries a legacy of patches, spans multiple geographies, has multiple user stores and systems that need updating, has to integrate with call centers, and so on. Doing this typically requires massive internal change and coordination with R&D, risk and compliance, and the affected lines of business across geographies, not to mention significant changes to policy.
Ongoing Costs: All 2FA solutions are expensive to operate. HW tokens are lost and need replacement over time; SW authentication apps need to be maintained if developed internally and are limited in functionality if delivered by third parties; and SMS texts carrying OTPs are not consistently delivered because of gaps in cellular network coverage, driving calls to the support center that could otherwise be avoided.
Regulatory/Audit Risk: Because typical 2FA architectures authenticate the session but do not cryptographically sign the action itself, they expose the organization to regulatory and audit risk: there is no way to prove that a given action was actually performed by the authorized user. Threats such as man-in-the-middle and SIM swapping attacks give an adversary many ways to impersonate someone, so the organization receiving a request “thinks” it comes from the legitimate, authenticated source. What is missing is the ability to couple authentication with a validated authorization: an approval bound to the specific transaction being performed.
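The two points above, that a transcribable code can be relayed and that signing the action itself closes that gap, are easier to see in code. The following is an added example written for this page, not Unbound’s code; it assumes a toy bank server, constructed demo keys, and a minimal RFC 4226/6238 OTP. It uses HMAC-SHA256 with a device-held key in place of an asymmetric signature so it runs with the standard library alone; a real deployment would sign with a private key on the device and verify with a public key on the server.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo keys for this example only (not real credentials).
OTP_SEED = b"\x01" * 20     # seed shared by the user's OTP generator and the server
DEVICE_KEY = b"\x02" * 32   # key used by the user's approval device


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over a big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def totp(seed: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(seed, now // step)


class OtpBank:
    """Server that authorizes a transfer with nothing more than a valid TOTP code."""

    def transfer(self, user: str, amount: int, dest: str, code: str, now: int) -> str:
        if not hmac.compare_digest(code, totp(OTP_SEED, now)):
            return "rejected"
        # Nothing ties the code to (amount, dest): any request carrying a
        # still-valid code is honoured, whoever actually submitted it.
        return f"ok:{user}->{dest}:{amount}"


def canonical(user: str, amount: int, dest: str, nonce: str) -> bytes:
    """Fixed field order and separator so the approved bytes are unambiguous."""
    return f"{user}|{amount}|{dest}|{nonce}".encode()


def device_approve(user: str, amount: int, dest: str, nonce: str) -> str:
    """What the user's device produces after showing amount and dest on its screen.
    HMAC-SHA256 stands in for a signature here; with a real signature the server
    would hold only the device's public key."""
    return hmac.new(DEVICE_KEY, canonical(user, amount, dest, nonce), hashlib.sha256).hexdigest()


class SigningBank:
    """Server that only acts on an approval bound to the exact transaction details."""

    def __init__(self) -> None:
        self.pending = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def transfer(self, user: str, amount: int, dest: str, nonce: str, tag: str) -> str:
        if nonce not in self.pending:
            return "rejected"                       # unknown or already-consumed challenge
        expected = device_approve(user, amount, dest, nonce)  # server-side recompute (shared key)
        if not hmac.compare_digest(tag, expected):
            return "rejected"                       # approval was for different details
        self.pending.discard(nonce)                 # one approval, one action: no replay
        return f"ok:{user}->{dest}:{amount}"


def relay_attack_succeeds(now: int = 1_600_000_000) -> bool:
    """Real-time phishing: the victim types a fresh code into a lure page and the
    attacker submits it to the real server, with their own destination, seconds later."""
    bank = OtpBank()
    phished_code = totp(OTP_SEED, now)          # what the victim typed into the lure
    result = bank.transfer("alice", 5000, "attacker-acct", phished_code, now + 5)
    return result.startswith("ok")


def relay_attack_against_signing_fails() -> tuple:
    """Returns (tampered rejected, genuine accepted, replay rejected)."""
    bank = SigningBank()
    nonce = bank.challenge()
    tag = device_approve("alice", 100, "bob", nonce)   # device showed "100 to bob"
    tampered = bank.transfer("alice", 5000, "attacker-acct", nonce, tag)  # MITM edits request
    genuine = bank.transfer("alice", 100, "bob", nonce, tag)
    replay = bank.transfer("alice", 100, "bob", nonce, tag)
    return tampered == "rejected", genuine.startswith("ok"), replay == "rejected"


if __name__ == "__main__":
    print("OTP relay accepted by server:", relay_attack_succeeds())
    print("(tampered rejected, genuine ok, replay rejected):", relay_attack_against_signing_fails())
```

The OTP server has no way to tell the relayed request from a genuine one because the code proves only that someone knew a value that was valid in that 30-second window. The signing server rejects the tampered request because the approval covers the amount and destination the user actually saw, and rejects the replay because the challenge nonce is consumed on first use; that binding is what gives an auditor evidence that the authorized user approved this action and not merely a session.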
In our next installment, we will discuss the challenges associated with securing identity of both people and machines.