Is 2 Factor Authentication Enough?
Extracts from James Romer (Chief Security Architect at SecureAuth) blog.
It is refreshing to finally see a continued movement away from applications relying solely on usernames and passwords. Security of identities is now the leading item on most organisations' agendas; people are now far more aware that a username and password alone should not be trusted on their own, or used at all where an alternative exists.
The question remains, though: is 2FA enough?
The truth of the matter is that 2FA on its own will protect you some of the time, but not all of the time. 2FA being in place will normally deflect your average hacker, moving them on to an easier target.
2FA alone is neither the starting point nor the end point; it is just one piece of an ever-changing jigsaw. Examples of that changing jigsaw include the RSA SecurID token hack, the issues with SMS OTP (recently deprecated by NIST), compromised devices and poorly designed applications, all of which open new areas of exploitation for the hacker. We need to be pushing for solutions that are not static in nature, but reposition themselves based on the information presented as part of an authentication workflow.
Of course, I am referring to adaptive authentication solutions that are capable not just of changing the course of an authentication attempt but also of changing the authentication methods supported, by using real-time contextual information. The ability to layer intelligence together, not only to drive dynamic decisions but ultimately to provide a risk score and an audit trail, gives a powerful solution that adjusts to the context of the user attempting to authenticate.
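The following is an added illustration of the adaptive model described above; it is not SecureAuth code or the author's own. It layers a few independent contextual signals (unknown device, IP on a threat list, impossible travel between consecutive logins, login outside usual hours) into an additive risk score, uses that score to allow the password alone, demand a second factor, or deny, and writes one audit line per decision. The thresholds, signal weights, the 900 km/h travel limit and the factor preference order are constructed assumptions; SMS OTP is deliberately left out of the acceptable step-up methods because the text notes its deprecation by NIST, and an attempt with no acceptable method fails closed.

```python
"""Toy adaptive-authentication policy engine (added example, not the
blog author's or SecureAuth's code). All weights and thresholds below are
constructed assumptions chosen for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

ALLOW_MAX = 20      # score <= 20: password alone is enough (assumed)
STEP_UP_MAX = 60    # 20 < score <= 60: require a second factor (assumed)
# Acceptable step-up methods, strongest first. SMS OTP is intentionally
# absent because NIST has deprecated it.
STEP_UP_METHODS = ("fido2", "push", "totp")
MAX_PLAUSIBLE_KMH = 900   # faster than this between logins is "impossible travel"


@dataclass
class LoginContext:
    user: str
    device_id: str
    ip: str
    lat: float
    lon: float
    timestamp: datetime
    known_devices: frozenset
    last_lat: Optional[float] = None
    last_lon: Optional[float] = None
    last_time: Optional[datetime] = None
    ip_on_threat_list: bool = False
    available_methods: tuple = ("sms", "totp", "push")


@dataclass
class Decision:
    action: str               # "allow", "step_up" or "deny"
    score: int
    method: Optional[str]     # chosen second factor, if any
    reasons: list = field(default_factory=list)


def km_between(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres (haversine formula)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_context(ctx: LoginContext):
    """Layer independent signals into one additive risk score plus reasons."""
    score, reasons = 0, []
    if ctx.device_id not in ctx.known_devices:
        score += 30
        reasons.append("unknown device")
    if ctx.ip_on_threat_list:
        score += 50
        reasons.append("ip on threat list")
    if ctx.last_lat is not None and ctx.last_lon is not None and ctx.last_time is not None:
        hours = (ctx.timestamp - ctx.last_time).total_seconds() / 3600
        distance = km_between(ctx.last_lat, ctx.last_lon, ctx.lat, ctx.lon)
        if hours > 0 and distance / hours > MAX_PLAUSIBLE_KMH:
            score += 40
            reasons.append("impossible travel")
    if not 6 <= ctx.timestamp.hour < 22:
        score += 10
        reasons.append("outside usual hours")
    return score, reasons


def choose_method(available) -> Optional[str]:
    """Pick the strongest acceptable factor the user has enrolled."""
    return next((m for m in STEP_UP_METHODS if m in available), None)


def decide(ctx: LoginContext) -> Decision:
    score, reasons = score_context(ctx)
    if score <= ALLOW_MAX:
        return Decision("allow", score, None, reasons)
    if score <= STEP_UP_MAX:
        method = choose_method(ctx.available_methods)
        if method is None:             # only SMS enrolled, for instance: fail closed
            reasons.append("no acceptable step-up method")
            return Decision("deny", score, None, reasons)
        return Decision("step_up", score, method, reasons)
    return Decision("deny", score, None, reasons)


def audit_line(ctx: LoginContext, d: Decision) -> str:
    """One log line per decision, so every outcome is explainable later."""
    return (f"{ctx.timestamp.isoformat()} user={ctx.user} ip={ctx.ip} "
            f"score={d.score} action={d.action} method={d.method} "
            f"reasons={';'.join(d.reasons) or '-'}")


def sample_scenarios() -> dict:
    """Constructed login contexts used to exercise the policy."""
    now = datetime(2024, 1, 10, 10, 0, tzinfo=timezone.utc)
    earlier = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    known = frozenset({"laptop-1"})
    london, new_york = (51.5, -0.12), (40.7, -74.0)
    return {
        "trusted": LoginContext("alice", "laptop-1", "203.0.113.5", *london, now, known),
        "new_device": LoginContext("alice", "phone-9", "203.0.113.5", *london, now, known),
        "new_device_sms_only": LoginContext("alice", "phone-9", "203.0.113.5", *london, now,
                                            known, available_methods=("sms",)),
        "travel": LoginContext("alice", "laptop-1", "198.51.100.7", *new_york, now, known,
                               last_lat=london[0], last_lon=london[1], last_time=earlier),
        "threat": LoginContext("alice", "phone-9", "198.51.100.7", *london, now, known,
                               ip_on_threat_list=True),
    }


if __name__ == "__main__":
    for name, ctx in sample_scenarios().items():
        print(name, "->", audit_line(ctx, decide(ctx)))
```

Each signal is scored independently and the weights are summed, so adding a new layer (a new threat-intelligence feed, a device-health attestation) is a matter of adding one more clause to `score_context` rather than rewriting the decision logic; the preference list in `STEP_UP_METHODS` is where the set of accepted factors changes over time without touching the scoring.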
The key here is being able to react not only to threats as they change and adapt (new layers) but also to users' requirements as they change over time. I'm suggesting a truly flexible authentication solution that allows organisations to stay ahead of the hackers without being locked into a broken 2FA model.