SMS still rules two-factor authentication, but the problem is that one size does not fit all.
Fencing your garden deters intruders, but it doesn’t entirely keep them out. The same is true of two-factor authentication (2FA). The work on making it extremely easy for a user to get in and extremely hard for a hacker to get through is ongoing, but until we have a 100% fool-proof solution, one-time passwords as the second factor remain arguably the best bet.
Two-factor authentication has been used as a cybersecurity measure for years, but it was in 2012 that most organizations started deploying 2FA. Tech companies were rather slow to recognize its importance, and it gained momentum only after a massive public campaign demanded that companies adopt two-factor authentication as a security feature.
For example, when a user accesses an online banking service, the user is required to enter a ‘second-factor password’ in addition to the user ID and password. The second-factor password is the one-time password (OTP) delivered via SMS, designed to be valid only for a short period of time purely for security reasons.
2FA was supposed to be a one-stop security fix
Two-factor authentication requires a user to provide two out of three credentials – something you know; something you have; something you are.
Karl Rosengren has been a constant force pushing organizations to adopt 2FA, sending out hundreds of shaming tweets to organizations that don’t. His dedication seems to be paying off, as almost all major companies now offer some kind of two-factor authentication. But after all these years, 2FA has become a more complex offering, with varied options – SMS; email; verification apps; special USB drive; voice; push notification.
The Benefits of Two-Factor Authentication
- Improved Security: The probability that an attacker can impersonate a user and gain access is decreased by SMS-2FA, as a second form of identification is required.
- Increase Productivity and Flexibility: Mobility contributes to higher productivity and most enterprises are going mobile. With mobile 2FA, employees can securely access any information without putting either the network or the sensitive information at risk.
- Lower Helpdesk and Security Management Cost: According to research, 35-40 percent of calls to a help desk are password-related. Two-factor authentication can assist in reducing these time-consuming calls by providing a secure way for end users to reset their own passwords.
- Reduce Fraud and Build Secure Online Relationships: Identity theft is on the rise and it has a direct impact on the customer relationship, credibility and the bottom line. 2FA provides an additional layer securing the site, the transaction and the customer.
Researchers show how to hijack a text message – Don’t let this be the reason to be skeptical about the use of SMS for two-factor authentication.
Nearly all web services offer some kind of two-factor authentication, but not all of them are secure. The general framework of 2FA still offers protection, but it has its limitations, and that’s why, for more and more organizations, relying on two-factor alone is just not enough.
2FA no longer seems to be the security warrior it was hailed to be
By 2014, it was clear that hackers and cybercriminals were fixed on finding ways around the extra security by intercepting tokens. With criminals now targeting cryptocurrency, they are willing to go to greater lengths, and these attacks continue to be a threat to cryptocurrency users.
The real problem isn’t with 2FA itself but with the things around it – device, carrier account, account-recovery process. If any of these can be broken through, then your security is compromised.
- Even though 2FA reduces the risk of unauthorized access to sensitive data, it isn’t completely resistant to other cybercriminal activities.
- It is possible for the physical factors of two-factor authentication to be lost or stolen.
- With the use of the ‘account recovery’ feature that allows temporary emails to be used and passwords to be reset, 2FA can be bypassed.
Fortunately, not all 2FA are created equal.
You can’t expect to fend off attackers just by adding an authentication code. Although it does harden the login page, attackers will find another way, such as resetting the password. It is those weak points, the ones a hacker knows how to spot, that need the attention. Moving beyond two-factor is not the solution; using technological advancements to make it fool-proof is the need of the hour, just like SendOTP by MSG91.
With 2FA in place, it takes a little longer each time you log in to an account on a new device, but that is worth it in the long run to avoid serious online theft. Look who nailed their 2FA.
A few researchers are busy spotting the weaknesses of 2FA, while others are busy simplifying it and making it more secure with sonic vibration tokens.
If getting two-factor doesn’t seem enough, are we ready for what is?
Making way for Biometric Authentication:
Using biometrics as the third authentication factor is still debated. Although it is quickly establishing itself as one of the most pertinent means of authentication, using face recognition, fingerprints, voice prints and iris scans to protect your account, the main concern remains.
If the biometric is compromised, say your voice print, you don’t have the option to change your voice and start over.
Until we have some progressive security options, let’s not get ahead of ourselves by dismissing what saves our passwords.