Authentication is at the heart of any effective cybersecurity strategy. Traditionally, authentication was realized by assigning usernames and passwords to authorized individuals. That worked well when there were few Internet users and when enterprise applications were mostly desktop-based. The ubiquity of the Internet has exponentially compounded the scale and complexity of the user authentication risks that the average organization is exposed to. Cyberattackers have relied on weak passwords countless times to penetrate cyber defenses and access sensitive data. With a surprising number of system users still opting for simple, easy-to-guess passwords such as “123456” and “password,” there was a deep need for a new method of authentication that was harder to break. Enter two-factor authentication (2FA).
2FA refers to authentication that relies on two different factors, or types, of user authorization. The factors are something the user knows (email address, username, password, security questions, credit card CVV), something they have (token generator, smartphone, credit card, card reader) or something they are (fingerprint, iris, retina, voice, face).
2FA also makes it harder for an attacker to circumvent access controls. But 2FA has pros and cons you should be aware of before you make the decision to adopt it.
Pros of two-factor authentication
1. Additional layer of security
This is arguably the single most important reason for adopting 2FA controls. Password controls have been the means of preventing or permitting access for decades, but they only provide a single layer of security. If the password is hacked or otherwise disclosed, any unauthorized person who is privy to it has a front door entry into your systems.
The stronger the password, the harder it is to break. But even with that, it’s still a single point of failure. 2FA provides a second layer that ensures your systems are secure if one authentication factor is compromised.
2. Complexity by factor variation
While the two terms are used interchangeably by some, 2FA is actually different from two-step authentication. If a system’s authentication process relies on two controls, but the two controls are of the same type (or factor), that’s two-step authentication. In effect, it’s single-factor authentication. 2FA provides more robust security than two-step authentication.
For example, if the user is required to provide their username and password, it’s possible for these two to be compromised at the same time. But it’s far harder for that to happen when you are using two distinct factors, such as a password plus a one-time key sent to the user’s phone or an iris scan. The variation in authentication factors that’s inherent to 2FA makes it more difficult for an attacker to break through.
3. Manageable cost
2FA doesn’t imply a doubling of your access control costs. Of course, the cost of 2FA varies widely depending on the type of authentication methods you choose. It’ll likely cost you substantially more to implement retinal scanning than it would an SMS-based security key.
Nevertheless, even the most sophisticated methods experience a gradual drop in price. Widespread adoption creates economies of scale, which lets vendors offer lower price points without diminishing their profit. Also, everyday consumer gadgets such as smartphones are increasingly equipped with biometrics and other 2FA-friendly technologies that can be leveraged for authentication. Overall, the barrier to using 2FA is nowhere near as high as it once was.
Cons of two-factor authentication
1. Longer login time
Time may be an absolute metric, but it’s also relative. What may be adequate time to complete a certain activity could be negligible in a different context. 2FA adds a new step to the authentication process, and this therefore increases the time it takes to access accounts. At an individual level, this would appear minuscule.
But when you spread this across an organization with thousands of employees, it adds up to thousands of work hours lost each year. Some 2FA systems, such as SMS-based security codes, are quicker to navigate than others. So, the time lost depends on what form of 2FA an organization adopts.
2. Higher cost
Like time, cost is relative. For a billion-dollar corporation, a system worth hundreds of thousands of dollars would barely register a blip on the balance sheet. But for an SMB, such an expense could make the difference between profit and loss. Inevitably, it’ll cost your organization more to move to 2FA than it would if you stuck with conventional password controls.
3. Failure can be disruptive
2FA creates two distinct hurdles an attacker would have to jump through to gain access. But two-factor control also adds complexity and increases the number of moving parts in the authentication process. This, in turn, means you have more potential causes of authentication system failure. While a good 2FA shouldn’t have much downtime, it can occur. When it does, it impacts user productivity.
4. It’s not absolutely secure
No security control is infallible. 2FA is much more successful in preventing unauthorized entry than single-factor controls, and the level of security will depend on what type of 2FA you use. Nevertheless, certain sophisticated attackers, such as state-sponsored hacking groups, may possess a depth of knowledge and resources that could undermine the system.
2FA systems are also not immune to simple, low-cost attack techniques. For example, an unauthorized person may steal a user’s phone and thereby access the text-based security code. SMS and email can be hacked too.
Is two-factor authentication the best MFA?
The disadvantages of 2FA have driven a new push for multifactor authentication (MFA). If 2FA is a major improvement on traditional user ID and password controls, MFA is a substantial step forward over 2FA. 2FA is, in fact, the most basic form of MFA. Three-factor and four-factor authentication are more secure than 2FA.
Still, the more factors you have, the more tedious and time-consuming the login process becomes. Ultimately, it comes down to striking the right balance. Despite its demerits, 2FA is a good compromise between traditional password-based controls on the one hand and higher-factor MFA methods on the other.