The Great 2FA Lie – The Need to go Beyond Two-Factor Authentication

We’ve been seeing a few comments and articles recently starting to question the infallibility of two-factor authentication (2FA) – which is when you need to use a code provided to you from an app, a hardware device or a text or email message to supplement your password when you log in.

This article in The New York Times from a few weeks ago is a good example of the kind of article that is now starting to question the real effectiveness of two-factor authentication. The article discusses the report from Amnesty International that describes phishing attacks even when users have two-factor authentication.

But what if, instead of using a password, plus a code from a second ‘factor’, you just removed them both? What if secure access was given with no codes or passwords ever shown?

At iDENprotect we don’t advocate two-factor authentication, but rather Next Generation Client Identity authentication – secure, context based, passwordless security that the user almost doesn’t know they are using, but is, as The New York Times has highlighted, more secure with a higher level of assurance than the current industry best practice.

For the user, the process uses no passwords or codes at all (using fingerprint, facial recognition, voice recognition etc) providing an almost effortless login. Behind the scenes, complex mathematics is used to generate a private key within the secure hardware of the device to provide an immutable credential. Our persistent intelligence service identifies and prevents risks in real-time. There are no human readable codes, no way for the user to be duped into providing a password to phishing sites or emails and no way the private key can be attacked by malware. Confidentiality and integrity are assured.

Two-factor authentication is certainly better than one factor, but that still doesn’t mean it is good enough, certainly not for many organizations that face significant threats in today’s cyber landscape. Too many corporates believe that they are secure by using two-factor and as The New York Times says:

“Many computer security practices are propagated through misguided notions of “best practices” that businesses decide to adopt because they see everyone around them doing something and assume it must be the right choice.”

We believe that it’s time for security conscious businesses to look at using identity and access security technology that can address all of today’s risks appropriately, this means going beyond two-factor authentication.