This week we are going to take a short trip down memory lane. Before we go, let’s just check where we are. It’s summer (warm rain as opposed to cold) 2017. Yes, 2017. And yet we, even with all the potential that cognitive thought and opposable thumbs give, can’t seem to sort out authentication.
The 4 ‘S’s that Pen Testers and lazy (or newbie) Hackers look for almost seem to be in place as a matter of policy in some places:
- Simple
- Single (factor)
- Static
- Shared
Rummage through the detail of many breaches or hacks and invariably one or more of these is lurking in the path of naughtiness. Even our beloved elected (well, most of ‘em) leaders got caught last month.
So, if 2FA or not 2FA is the wrong question, what is the right one? We think you should be tackling these questions in this order – Why use it, Which 2FA to use, When and Where to use 2FA, and then How. There are many, many products and services out there to consider. Choosing the right ones for your scenarios (yes, plural) is the key. Make it usable and people will use it; make it complicated and they will find ways around it. As ever with our beloved profession, there is a balance between the user experience or customer journey (there goes my breakfast!) and the actual security it brings. The Enterprise warriors among us should recognise the tail winds in the pervasiveness of 2FA in everyday life. People are much more used to needing to bang in another code from somewhere to get into their apps. Keep it simple, make it appropriate to the assets being protected and monitor it. As we have said, there are lots of commercial products and services out there – and some fine community-developed standards and products such as OpenAuth.
Even 2FA can have problems though… NIST published a comprehensive advisory on the risks of using text messages (SMS) to deliver authentication tokens – though El Reg noted that there is little evidence of organisations moving from SMS to mobile authentication apps.
In summary, we should be moving faster in the adoption of 2FA. Breaches due to poor authentication practices are moving ever closer towards gross negligence in the eyes of customers and regulators.