IT security solutions all share one disadvantage: users, too, have to meet the higher security requirements. This also applies to two- or multi-factor authentication. Its usefulness against digital attacks and against the consequences of identity theft is undisputed. And yet here, too, the devil is in the detail. This article describes which details are involved and which possible solutions can help.
What Has Happened so Far ...
Once an email account has been cracked, it is easy for the thief to gain access
to this and other online services that use the stolen address for
authentication. He can simply have a new password sent to the hacked e-mail address
and thus gain access to personal, sensitive data without much effort. Such a
hack can turn into a costly encounter with cybercrime not only for
private individuals but also for companies.
Two-factor authentication provides a remedy here: it protects (remote) logins
with a total of two features from the areas of "knowledge",
"having", or "being". With the combination of
"knowledge" and "having", the system additionally requests a one-time
password or passcode, the so-called one-time passcode (OTP). Conventional
processes generate the OTP on a token or send it to the user's mobile phone via
SMS. This variant has so far been classified as relatively
safe. And yet it was only a matter of time before "unhackable"
became "vulnerable".
Modern solutions generate the passcode via an app or use the biometric functions of modern smartphones and tablets. Since these processes are deliberately carried out in isolation on a second device, it is difficult or even impossible for the hacker to complete the login without access to this device. In the case of two-factor authentication, what makes it more difficult for the attacker is that the passcode is also linked to the original session. Even if the login data are read, the hacked passcode cannot be used successfully in a new parallel session. The consequence: two-factor authentication makes his work much more difficult and may put him off.
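The session binding described above can be sketched as follows. This is an added example, not code from the article or from any product it mentions; the `PasscodeService` class, its in-memory store and the 120-second lifetime are assumptions made for illustration.

```python
import hmac
import secrets
import time

class PasscodeService:
    """Hypothetical server-side store: one passcode per login session."""

    def __init__(self, ttl_seconds=120):
        self.ttl = ttl_seconds
        self._pending = {}  # session_id -> (passcode, expires_at)

    def issue(self, session_id, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = (code, now + self.ttl)
        return code  # delivered out of band to the user's second device

    def verify(self, session_id, submitted, now=None):
        now = time.time() if now is None else now
        # Looked up by the submitting session only and removed on first use,
        # so a code read in transit is useless in any other session.
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return False
        code, expires_at = entry
        in_time = now <= expires_at
        return in_time and hmac.compare_digest(code.encode(), submitted.encode())

def demo():
    svc = PasscodeService()
    original = secrets.token_urlsafe(16)  # session that entered the password
    parallel = secrets.token_urlsafe(16)  # second session opened elsewhere
    code = svc.issue(original, now=1000)
    results = {
        "parallel_session": svc.verify(parallel, code, now=1010),
        "original_session": svc.verify(original, code, now=1010),
        "replay": svc.verify(original, code, now=1011),
    }
    late = svc.issue(original, now=2000)
    results["expired"] = svc.verify(original, late, now=2000 + svc.ttl + 1)
    return results

if __name__ == "__main__":
    print(demo())
```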
Security vs. Usability
That is why two- or multi-factor authentications are used more and more
frequently. Many companies protect their sensitive data by implementing
multiple or at least double security barriers for external access to their IT
systems, for example. The disadvantages are obvious: On the one hand, the
user has to log in with two or more factors and, if a token is used, carry an
additional device with him. Also, if a token is lost, complex
workarounds are required for temporary access - a clear minus on the usability
scale.
To increase comfort for the user without (supposedly) lowering the
security level, some providers are now resorting to "adaptive"
multi-factor methods. Originally, these login procedures were
intended to add further security hurdles when necessary. Hard factors
such as an additional PIN, or soft factors such as "normal" user
behavior, can be used for this purpose. The danger lies in the selection of
the factors that decide whether or not a user can gain access by simply entering their
name and password.
Many providers increase the usability of their adaptive two-factor solutions by
accepting reductions in security. For example, they use the IP
or MAC address or the location information that the user automatically
transmits. If these factors are identical to the IP addresses, devices, or
locations that have already been used, the security system accepts these
parameters as a second factor and enables access without using a second
security level. For the user, login is reduced to entering the name
and password. Conversely, this means: usability beats security.
Only when, for example, the user is at an unfamiliar location, i.e. the system
receives an unknown geolocation, does the second security level apply and require
step-up authentication. In case of doubt, however, that may already be too
late.
Simple Tools Lift Security Barriers
Such factors thus offer deceptive security and weaken the multi-factor procedure, because nowadays no special technical knowledge is required to
disguise or manipulate IP addresses, country codes, or GPS data. The
Internet is full of simple software tools that can access proxy servers, for
example. Such tools are often used in the private sector, for example, to
circumvent the geo-blocking of streaming services or to surf the Internet
anonymously.
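The difference between an adaptive policy that lets familiar context stand in for the second factor and one that only ever uses context to add scrutiny is shown below. This is an added example, not code from the article or from any vendor; the policy names, the `allow_and_review` outcome and all sample values (documentation IP ranges) are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Attempt:
    password_ok: bool
    source_ip: str          # network signal; can be relayed or masked
    country: str            # geolocation signal; equally unauthenticated
    second_factor_ok: bool  # result of a verified OTP, push or biometric check

# Constructed history for one user.
KNOWN_IPS = {"203.0.113.10"}
KNOWN_COUNTRIES = {"DE"}

def familiar(a: Attempt) -> bool:
    return a.source_ip in KNOWN_IPS and a.country in KNOWN_COUNTRIES

def downgrading_policy(a: Attempt) -> str:
    """Familiar context is accepted in place of the second factor."""
    if not a.password_ok:
        return "deny"
    if familiar(a) or a.second_factor_ok:
        return "allow"
    return "step_up"

def strict_policy(a: Attempt) -> str:
    """Context can only add scrutiny; the second factor is always required."""
    if not a.password_ok:
        return "deny"
    if not a.second_factor_ok:
        return "step_up"
    return "allow" if familiar(a) else "allow_and_review"

# Constructed attempts, all with a correct password.
ATTEMPTS = {
    "usual place, factor verified": Attempt(True, "203.0.113.10", "DE", True),
    "usual place, password only": Attempt(True, "203.0.113.10", "DE", False),
    "new location, factor verified": Attempt(True, "198.51.100.7", "FR", True),
    "new location, password only": Attempt(True, "198.51.100.7", "FR", False),
}

def compare() -> dict:
    """Map each attempt to (downgrading decision, strict decision)."""
    return {n: (downgrading_policy(a), strict_policy(a)) for n, a in ATTEMPTS.items()}

if __name__ == "__main__":
    for name, (weak, strict) in compare().items():
        print(f"{name:32} downgrading={weak:8} strict={strict}")
```

The second row is the case the article warns about: a correct password plus matching context is let through by the downgrading policy, while the strict policy still asks for the second factor.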
There is also another problem: if companies rely on such unsafe factors as part
of adaptive multi-factor authentication, they voluntarily give up some
of their control options and thus become dependent on external service
providers. It can also lead to uncertainty for the user. A
user who mostly moves in a "trusted zone" may find a two-factor
authentication that is suddenly switched on after a change of location unusual and
even suspicious, and then go to the help desk or stop the process
unproductively.
Usability and Comfort in Harmony
It is obvious that abolishing the additional user interaction in two-factor
authentication involves considerable risks. Modern IT solutions are
therefore breaking new ground and optimizing the input of the second
factor. For example, they build on the secure NFC standard, which is
already often used in payment functions, so that user interaction is
reduced to a minimum and the need to enter a passcode is
eliminated. Another possibility for real multi-factor authentication is the
use of the biometric functions of modern mobile devices or the secure pairing of
devices as a "having" factor under defined conditions. Here, the
registration can also be confirmed via the push function on the paired device,
which also ensures that
Modern solutions such as SecurAccess rely on these and new adaptive
multi-factor processes. In addition to SMS, e-mail, and voice calls, this solution provides a soft token app for iOS, Android, and BlackBerry, photo
passcodes via QR codes, and a self-service help desk with which every user can
choose the best of the company-approved procedures.
Conclusion
Just because users are in certain geolocations or use specified login systems,
a really secure two-factor authentication must not automatically drop a
factor. The checking of user behavior or the security level must not be
entrusted to external service providers such as providers. Convenient but
nonetheless secure methods are also desirable for multi-factor authentication
and can be implemented with new technologies and devices. In this way, the
high security standard of two-factor or multi-factor authentication is retained
without compromising user comfort.