We’re all familiar with two-factor authentication (2FA)—when you log in to something with a password (the first factor) and are prompted to confirm the login with an app or a one-time code sent to you by text message (the second factor). It’s an extra layer of protection for your accounts and applications.
The use of 2FA has risen rapidly in the last few years, and that’s certainly no bad thing. It’s logical that an account requiring two pieces of information to log in is better protected than an account requiring one. The problem is that many companies are calling 2FA ‘best practice’. To call it that is literally to say that there’s no better way of doing it. Moreover, it implies that 2FA is unassailable.
There is now evidence that 2FA is certainly not unassailable—and there is a better way of doing it.
The reality of 2FA
In late 2018, Amnesty International released a report describing how hackers have been using fake phishing login pages to capture both users’ passwords and their one-time authentication codes.
It’s not that difficult to do. The hacker obtains the victim’s password by encouraging them to enter it on a fake phishing page that imitates a well-known web service such as PayPal or Amazon. Once the hacker has the password, they enter it on the real login page, which triggers the second-factor step and sends the user a code by email or text. The victim, still believing they’re on the legitimate site, enters the code into the fake site and voila, the hacker’s got that too.
The fact that 2FA can be compromised using pretty straightforward tactics is obviously no reason to stop using it. It’s still more secure than relying only on a password. However, calling it ‘best practice’ is misguided, particularly as we don’t have any evidence about how well it actually works, and now we know of instances where it doesn’t.
And it’s also not ‘best’ because there’s something better…
2FA versus MFA
Three different factors can be used for authentication—something you are, something you have and something you know. Two-factor authentication only relies on two of these, whereas multi-factor authentication (MFA) relies on all three. MFA solutions usually use passwords (something you know) and biometric authenticators like fingerprint and facial scans (something you are) on your mobile phone (something you have).
So MFA is already more secure than 2FA. But is MFA best practice?
No. Because there’s something better still.
Password-free MFA
The problem with most MFA solutions is with the ‘something you know’. It’s a password. 81% of data breaches happen because of passwords. We’ve been using passwords to authenticate since the 60s, so it doesn’t really make sense that we’re still using them, particularly given how sophisticated our technology has become (and our hackers too).
To that end, idenprotect have found a way to replace the password with something far stronger, making MFA more secure than ever before.
Instead of a password, we create a private key that sits in the secure chip inside a user’s smart device. Unlike a password, which is a shared secret, this key is an actual secret. And the fact that it’s stored in hardware instead of software means a hacker can’t get to it remotely. This renders phishing and malware attacks impossible.
For the user, the authentication process becomes effortless. With no password to remember or type in, all they do is enter their username or email. Then, when directed to do so, they scan their face or fingerprint using the biometric authenticator on their idenprotect-enabled mobile device. The device then uses the private key to produce a ‘digital signature’, which is verified with the mathematically related public key, usually stored on the computer or network. This all happens instantaneously in the background, unlocking the user’s work applications on the computer, or the computer itself, in a matter of seconds.
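The exchange just described, and the reason the relay trick from the Amnesty report above does not carry over to it, can be shown with a small challenge-response login. The following is an added example written for this page, not idenprotect’s code and not a description of their product: the server issues a random nonce, the device signs that nonce together with the origin it is actually connected to, and the server checks nonce, origin and signature against the enrolled public key. The origins, the user name “alice”, and the in-memory key (standing in for the secure chip) are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Challenge is sent by the relying party; Assertion is the device's reply,
// carrying the origin the device actually talked to plus the signature.
type Challenge struct{ Origin string; Nonce []byte }
type Assertion struct{ Origin string; Nonce, Signature []byte }

// payload fixes the bytes that get signed: origin, NUL separator, nonce.
func payload(origin string, nonce []byte) []byte {
	return append(append([]byte(origin), 0), nonce...)
}

// Device stands in for the user's phone. In the product the page describes
// the key lives in the secure chip; here it is plain memory (assumption).
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	return &Device{priv: priv}, pub, nil
}

// Sign signs for the origin the device is really connected to, never for one
// an intermediary claims, so a challenge relayed through a phishing page gets
// signed for the phishing origin.
func (d *Device) Sign(originSeen string, nonce []byte) Assertion {
	return Assertion{originSeen, nonce, ed25519.Sign(d.priv, payload(originSeen, nonce))}
}

// Server is the relying party: enrolled public keys plus outstanding nonces.
type Server struct {
	origin  string
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer(origin string) *Server {
	return &Server{origin, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// NewChallenge issues a fresh 32-byte random nonce for the user and remembers it.
func (s *Server) NewChallenge(user string) (Challenge, error) {
	if _, ok := s.keys[user]; !ok { return Challenge{}, errors.New("unknown user") }
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil { return Challenge{}, err }
	s.pending[user] = nonce
	return Challenge{s.origin, nonce}, nil
}

// Verify consumes the outstanding nonce (single use, whatever the outcome),
// then checks freshness, origin binding and the signature, in that order.
func (s *Server) Verify(user string, a Assertion) error {
	nonce, ok := s.pending[user]
	if !ok { return errors.New("no outstanding challenge (replay or never issued)") }
	delete(s.pending, user)
	if !bytes.Equal(nonce, a.Nonce) { return errors.New("nonce mismatch") }
	if a.Origin != s.origin {
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", a.Origin, s.origin)
	}
	if !ed25519.Verify(s.keys[user], payload(a.Origin, a.Nonce), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Constructed sample origins; neither is a real site.
const realOrigin, phishOrigin = "https://login.example", "https://login-example.test"

func setup() (*Device, *Server, error) {
	dev, pub, err := NewDevice()
	if err != nil { return nil, nil, err }
	srv := NewServer(realOrigin)
	srv.keys["alice"] = pub // enrolment: the server keeps only the public key
	return dev, srv, nil
}

// LegitLogin is the honest exchange: the first Verify succeeds and a replay of
// the same assertion is refused.
func LegitLogin() (first, replay error) {
	dev, srv, err := setup()
	if err != nil { return err, err }
	ch, _ := srv.NewChallenge("alice")
	a := dev.Sign(realOrigin, ch.Nonce) // the device really is on the real site
	first = srv.Verify("alice", a)
	replay = srv.Verify("alice", a)
	return first, replay
}

// RelayedLogin models the relay from the Amnesty report against this scheme:
// the phishing page fetches a real challenge and forwards the nonce, alice's
// device signs for the phishing origin, and the forwarded assertion fails.
// Editing the origin field afterwards fails too: the signature no longer fits.
func RelayedLogin() (forwarded, rewritten error) {
	dev, srv, err := setup()
	if err != nil { return err, err }
	ch, _ := srv.NewChallenge("alice")   // requested by the phisher in alice's name
	a := dev.Sign(phishOrigin, ch.Nonce) // alice's device sees the phishing site
	forwarded = srv.Verify("alice", a)
	ch, _ = srv.NewChallenge("alice")
	a = dev.Sign(phishOrigin, ch.Nonce)
	a.Origin = realOrigin // field rewritten; re-signing needs the key the phisher lacks
	rewritten = srv.Verify("alice", a)
	return forwarded, rewritten
}
```

Two design points matter here. The nonce is single-use and deleted before any check runs, so a captured assertion cannot be replayed even if verification fails for another reason. And the origin is taken from the device’s own view of who it is talking to, never from the challenge it was handed, which is what makes a relayed code useless to the relaying party; a one-time code typed by the user carries no such binding, which is exactly the gap the report describes.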
Best practice?
MFA is better than 2FA, sure. But if it’s an MFA solution that relies on passwords, it’s still not good enough. Passwords will always be vulnerable and it’s high time we got rid of them. And although many computer security measures are based on short-sighted notions of ‘best practice’, we believe that going password-free is unequivocally deserving of the term.