By Derek Handova

Two-factor authentication (2FA) has become a popular solution for boosting the inadequate endpoint security that many enterprises still often use that relies on usernames and passwords.

But in this era of WebRTC IP address leaks, no-perimeter internet security, and CPaaS API data breaches, enterprises and their MSSP partners must help increasingly mobile and remote workers with next-generation, two-factor authentication solutions.

There are so many forms, but they all come down to who you are, what you know, or what you have. This article will examine the shortcomings and advantages of some of the current and upcoming 2FA solutions that MSSPs can use to protect their customers including:

RSA’s Jim Ducharme

“In a fast-changing digital world, we are seeing more and more passwordless innovations from biometrics to hardware authentication devices to multifactor authentication and more,” said Jim Ducharme, vice president of identity products at RSA. “But while it’s become quite common to leverage facial recognition, fingerprint ID or USB security keys, most passwordless authentication is still rooted and reliant on a password and username for account enrollment and recovery. FIDO Alliance standards hold a lot of promise for enabling a more passwordless world; however, it’s going to take time for the standard to be integrated across user devices, browsers and applications, and it will take even more time to be rolled out and supported by IT departments in organizations.”

Indeed, other password security experts point out that the prolific availability of email-password combination lists has led to a significant rise in the success of “credential stuffing” attacks — also known as password reuse attacks. Two-factor authentication reduces the risk of success for these attacks, protecting applications from unauthorized access even when the end user makes the mistake of reusing a password.

SecurityScorecard’s Alex Heid

“However, depending on the type of two-factor authentication solution implemented, there are still risks associated with password-takeover attacks,” said Alex Heid, chief research and development officer at SecurityScorecard, a security company with solutions for measuring and communicating security risk. “Take SMS authentication codes that can be intercepted with a SIM swapping attack and IP geolocation controls that can be bypassed by using a SOCKS5 proxy. It seems the best options are the use of Google Authenticator, Authy, or another app-based token 2FA solution. Attackers would need to compromise the recovery key to bypass that or resort to social engineering to disable the control.”

2-Factor Authentication, SMS and SIM Swapping

MSSPs can use two-factor authentication and wireless technologies to backstop passwords; however, this still relies on the first factor being a username/password, which is vulnerable because SMS-based 2FA and one-time passwords (OTP) aren’t hard to use, and attackers have shown cell carrier security is very porous and SIM-swapping attacks give strangers the ability to hijack phone numbers.

“Password managers sound refreshing, but ultimately they use a single password to protect the rest of your passwords, actually increasing the risk associated with compromising that credential,” said Ori Eisen, CEO and founder of Trusona, a passwordless two-factor authentication platform. “The advice I give service providers is to …

… scrub dormant accounts and overprivileged users first, because attackers rely on these for entry and cover. Next, be pragmatic with identity. There are alternatives to passwords in the market and the use cases and identity stakes for an MSSP should prompt hard questions.”

One alternative is to use mobile apps for two-factor authentication, which offer the ability to deploy authentication solutions to mobile phones that aren’t as cumbersome for IT departments when compared to legacy solutions. However, authentication apps that use push notifications have a security disadvantage in their view: An active user could accidentally approve an attacker’s sign-on request when the approval notification appears.

“In contrast, physical keys are not susceptible to SIM swapping or accidental approval,” said Keegan Keplinger, data visualization lead, threat intelligence at eSentire, which offers cybersecurity protection as a service. “The physical key requires that an attacker has physical access to the user — an unlikely scenario. Simplicity and low cost of mobile solutions make them an enterprise favorite despite their flaws in security. Biometric solutions may be more secure, but they come at a higher cost. The best tradeoff between security and affordability is the physical key, given the requirement of physical proximity to the user.”

2-Factor Authentication and Biometrics

When speaking solely about two-factor authentication, the advantages and drawbacks to different solutions vary. For biometric identification – like facial recognition, iris/retinal scanning, and fingerprint matching – the benefits are the scalability with multimodal applications to increase identification accuracy, versatility of being able to assign various permissions per user, and ROI in terms of reducing fraudulent activity within the workplace as biometrics are an identifiable means of verification.

SiteLock’s Monique Becenti

“However, the technology for biometric 2FA is not secure enough or advanced enough yet for biometric data to be used as a source of identification or as a secondary form of identifying an individual for higher-level security,” said Monique Becenti, product and channel specialist at SiteLock, a provider of website security and protection solutions. “Recently, the database of the Biostar 2 biometric data lock system was found exposed and researchers were able to change data and add new users — a function that cybercriminals could exploit to gain unauthorized access with fraudulent fingerprints.”

And replacing passwords with biometrics is very controversial because they can be stolen just as easily as someone can steal your credit card. This can happen because biometric data can be easily replicated – including fingerprints from selfies, facial characteristics, and other identifiable traits – just by capturing an image.

“Additionally, in many data center environments, biometric authentication methods may be impractical,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. “This leads people to not enable them and fall back on password-only authentication.”

Like other biometrics, facial recognition can be useful because it can’t be …

… easily manipulated and directly identifies the user requesting authentication. However, not all devices support facial recognition and device cameras can break.

“Also, facial recognition software also is not 100% accurate,” said Clay Miller, CTO of SyncDog, a containerized mobile DLP solution for enterprise security. “It can have trouble accurately identifying faces especially when the user has grown a beard or gains weight. Additionally, some users may have concerns about sharing their biometric data with third parties. Iris scanning is another biometric authentication method with similar properties as facial recognition except eye scanners typically have more accuracy than facial scanners.”

One issue that plagues all biometric two-factor authentication methods is that if a user’s biometric data is stolen, it is a very invasive and permanent attack that renders that particular authentication method unusable to that person forever, according to Miller.

Emerging 2-Factor Authentication

In order to improve identity security for their customers, MSSPs are beginning to offer two-factor authentication layered with adaptive authentication.

SecureAuth’s Ryan Rowcliffe

“These techniques provide additional security without impacting user experience because they run in the background during the user authentication process,” said Ryan Rowcliffe, lead of solutions architecture at SecureAuth, a multifactor authentication solution. “Additional risk factors are checked, such as the reputation of the user’s associated IP address, geographic location, device recognition, as well as behavioral analysis. It enables customers to keep their desired workflow while simultaneously maximizing security, and without impeding the user, causing login frustration. This modern approach to identity and access management can be applied to applications, consumer portals, as well as endpoint devices such as logging into servers, desktops, and laptops.”

Push notifications, another emerging mobile-based authentication method, offer a cost-effective alternative to traditional passwords.

“And unlike SMS message notifications that contain a one-time-password (OTP), which can be visible on a locked phone screen, push notifications don’t contain an OTP,” said James Litton, CEO of Identity Automation, an identity and access management platform. “And the device must be unlocked to approve the authentication attempt. Push notifications are an effective password replacement, eliminating the risk of users falling prey to phishing, man-in-the-middle, and brute force attacks. However, they require an internet connection and a smartphone — which itself is vulnerable to attacks as users can inadvertently approve fraudulent requests.”