How 2-Factor Authentication Boosts Endpoint Security
Two-factor authentication (2FA) has become a popular way to shore up the inadequate endpoint security, still common in many enterprises, that relies on nothing more than a username and password.
But in this era of WebRTC IP address leaks, no-perimeter internet security, and CPaaS API data breaches, enterprises and their MSSP partners must help increasingly mobile and remote workers with next-generation, two-factor authentication solutions.
There are many forms of 2FA, but they all come down to who you are, what you know, or what you have. This article will examine the shortcomings and advantages of some of the current and upcoming 2FA solutions that MSSPs can use to protect their customers, including:
- Facial recognition
- Iris/retinal scanning
- Fingerprint matching
- Device detection
- IP address predictability
- Emerging 2FA solutions
“In a fast-changing digital world, we are seeing more and more passwordless innovations from biometrics to hardware authentication devices to multifactor authentication and more,” said Jim Ducharme, vice president of identity products at RSA. “But while it’s become quite common to leverage facial recognition, fingerprint ID or USB security keys, most passwordless authentication is still rooted and reliant on a password and username for account enrollment and recovery. FIDO Alliance standards hold a lot of promise for enabling a more passwordless world; however, it’s going to take time for the standard to be integrated across user devices, browsers and applications, and it will take even more time to be rolled out and supported by IT departments in organizations.”
Indeed, other password security experts point out that the widespread availability of leaked email/password combination lists has led to a significant rise in the success of “credential stuffing” attacks — also known as password reuse attacks. Two-factor authentication reduces the chance that such an attack succeeds, protecting applications from unauthorized access even when the end user makes the mistake of reusing a password.
“However, depending on the type of two-factor authentication solution implemented, there are still risks associated with password-takeover attacks,” said Alex Heid, chief research and development officer at SecurityScorecard, a security company with solutions for measuring and communicating security risk. “Take SMS authentication codes that can be intercepted with a SIM swapping attack and IP geolocation controls that can be bypassed by using a SOCKS5 proxy. It seems the best options are the use of Google Authenticator, Authy, or another app-based token 2FA solution. Attackers would need to compromise the recovery key to bypass that or resort to social engineering to disable the control.”
2-Factor Authentication, SMS and SIM Swapping
MSSPs can use two-factor authentication and wireless technologies to backstop passwords. However, this still relies on the first factor being a username and password, and the second factor is weak when it is delivered over the phone network: SMS-based 2FA and one-time passwords (OTP) are easy to use, but attackers have shown that cell carrier security is very porous, and SIM-swapping attacks give strangers the ability to hijack phone numbers.
“Password managers sound refreshing, but ultimately they use a single password to protect the rest of your passwords, actually increasing the risk associated with compromising that credential,” said Ori Eisen, CEO and founder of Trusona, a passwordless two-factor authentication platform. “The advice I give service providers is to …