Two Factor Authentication (2FA)
Two-factor authentication (also known as 2FA or 2-Step Verification) is a technology patented in 1984 that confirms a user's claimed identity by combining two different components. These components may be something the user knows, something the user possesses, or something that is inseparable from the user.
The most familiar everyday example is withdrawing cash from an ATM: inserting your bank card (something you possess) and then entering your PIN (something you know) is what allows you to take out money.
Many types of device can be used to build a 2FA infrastructure:
• Hardware devices - such as USB tokens, one-time password (OTP) tokens and smartcards.
• Mobile phones - with the ever-increasing use of smartphones, the second factor can be generated by an app on the phone or read from a system-generated SMS message.
• Biometrics - the second factor can be provided by a fingerprint scan, an iris scan, or face or voice recognition, for example.
Getting the right protection in place
Different types of 2FA device can be integrated into many existing infrastructures, depending on the level and type of security you want to implement. Once the devices are set up, account holders use them in conjunction with their passwords to identify themselves when signing in to their accounts. The technology behind these tokens falls into three distinct families:
PKI (public key infrastructure) tokens
Here the token and a digital certificate replace the need for passwords. This solution offers the highest level of security and can provide other features, such as digital signing and encryption, in addition to user authentication.
OTP-based tokens
These display a unique code that is entered in addition to the usual username and password. The tokens can be hardware devices or software apps on mobile phones, and they rely on a shared secret between the service and the token.
FIDO security keys
These conform to the rapidly growing Fast Identity Online (FIDO) standards and let the token holder manage and control which services they want to add additional security to. The standards allow any organisation to implement the additional security step and let its users register their own devices to take advantage of the enhanced security on offer.
Why should you use 2FA?
Hackers always go for the easy targets, and a system protected only by a static username and password makes for an easy target. Simply look at the Breach Level Index for examples: http://breachlevelindex.com/#sthash.uDcLJ7OI.dpbs A breach can not only lead to legal action but also cause serious reputational damage.
Here are some examples of common password hacks:
• Brute force - the attacker bombards a website with many password candidates in the hope of "guessing" the correct one (a trial-and-error approach)
• Key/screen loggers - passwords are captured as they are entered, either from the keyboard or via screen captures (malware)
• Phishing - the attacker sends a fake email that tricks the user into entering their account details, collects them, and then redirects the user to the genuine site so that the user is completely unaware they have been compromised (this can also be done via text message)
• Social engineering - the attacker gathers the answers to security questions in order to obtain or reset a password, by posing as a friend or colleague (in person or online)
Most organisations establishing an online presence set up user accounts with a username and password. Over 95% of these accounts rely on an email address as the username, and the "something you know" is generally a password.
Static passwords are becoming an increasing problem. Many passwords can easily be guessed by someone who knows you well, or at least knows where you keep your list of passwords. Even if you are extra vigilant, many powerful hacking programs exist. Just look at the keystroke virus: within minutes it can steal your password right after you type it. More advanced versions of this virus can also take screenshots, track your mouse clicks and use algorithms to work out when you are typing your password, all while hiding inside your computer's operating system.
Wikipedia maintains a list of the different software- and hardware-based keystroke loggers.
As a result, the idea of a strong static password has become somewhat laughable. If someone can steal it directly from your keyboard, it does not matter how strong it is; you have already handed it over. Changing and updating your password can help, but even this causes problems, and GCHQ recently suggested that forced expiry can in fact weaken security: https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry
Generating passwords and keeping them secure have become big issues for many people. With ever more passwords to manage, they either resort to writing them down or reuse one or two across all their applications. It is this lack of security and unmanageability of passwords that makes a second factor necessary to maintain IT security and sound authentication and access control. It only takes a moment for someone to clean out your bank account and transfer all your funds away.
The second factor is something you have. This is where it can get a little complicated. Something you have could be almost anything: a set of numbers on a one-time password (OTP) token, a digital certificate, a smart card, a fingerprint, your eye for retinal scanning, your voice, a key, and so on. There are also products that send a code to your phone or email for you to type in, but if you are logging in from the same device that received the code, that negates it as a true second factor.
The idea behind 2FA is that even when someone steals your password, it is useless without the second factor, which they do not have. With an OTP token, for instance, the generated code lasts only seconds; if someone steals your code, chances are it will have expired before they can use it. A digital certificate stored on a secured device such as a smart card cannot be removed from that device. A fingerprint, an eye or your voice relies on the idea that they are always with you.
Cost vs. Loss
Single-factor authentication (SFA) is so dangerous that it is a mystery why 2FA is not required by most websites, especially those handling payments and transactions. IT security is not solely the user's responsibility: companies also have to provide a system for us to use, yet many finance and e-commerce organisations do not even offer 2FA as an option.
So why, with all the cyber-attacks and hacking taking place, would you not set up something as easy and cost-effective as 2FA?
Most companies do not realise that setting up 2FA can be easy and still have a low total cost of ownership (TCO). The security industry has always made it difficult to provide solutions that interoperate with one another, so the tendency has been towards point solutions that are costly to deploy and manage over their lifecycle. Here at Card personalisation solutions we want to change this perception by giving you access to low-cost products in the PKI, OTP and FIDO space, so that you can set up the security infrastructure that best meets your needs.