Opinion: Time for 2FA to be taken seriously

I am sensing rising interest in two-factor authentication or 2FA.

For instance, Kaspersky Lab researcher Roel Schouwenberg tweeted that it was "interesting to see all this talk about two-factor again".

A survey by Forrester Consulting found that a third of enterprises do not need strong authentication from their partners to access corporate networks and that enterprise-wide adoption of strong authentication is the best security policy.

Deputy commissioner David Smith at Britain's Information Commissioner's Office said three of four cash penalties it handed down were for loss of unencrypted laptops.

"Where personal information is involved, password protection for portable devices is simply not enough,” Smith said.

Perhaps the need to implement strong authentication at all levels is finally being recognised? Authentication provider GrIDsure says the message was clear that businesses need to get away from 1FA or 2FA and look at what is an appropriate solution for users.

GrIDsure chief executive officer Daniel Mothersdale says users must have more choices about what is secure and easy to use. But the company's chief technology officer Stephen Howes says complexity brings its own problems.

“We have created complexity, yet you can find people who have forgotten their password," Howes said.

“It is meant to be the pinnacle of security and it is not enough. You need to be able to remove the threat and choose the right factor and the right solution.

"Security guys are on a quest for security nirvana and it is a long way to go, as there will never be a perfect security solution. Until then we stack up what we have got.

"If you are moving to the cloud you will have to be more responsible and making sure access is a whole lot more secure.”

CryptoCard chief executive officer Neil Hollister told me a year ago that the future of authentication was to be in a managed service, on a shared platform or with multiple shared authentication.

I asked Hollister then if he felt that 2FA was generally coming back into fashion?

“I think it is coming back around with iPhones and BlackBerries, 2FA should be what email scanning is," he said at the time. "The technology has been there but only a percentage is using it. Passwords are a good idea but are the weakest link in security and complexity and costs dissuaded from rolling out."

With a managed service recently implemented by Coventry City Council, he was keen to stress the benefits of cloud-based authentication. He said that with this users "have got the ability to make 2FA a commodity".

“The cost of tokens has never been the case; it is the cost to deliver," he said.

"On an iPhone it approximates to zero, if you persist with a hard token and delivery platform is not fully automated you have never commoditised authentication. If the future is that no one uses passwords, you have got to make it simple, easy and cheap,” he said.

“A provider will want to give every parent access to reports but cannot give out a token to 200,000 families so how do you push it out? Authentication is coming round to security but because technology is there with SMS, iPhone and one click and you are all using strong authentication.

“It is not a question of the market coming around; it is a question of delivery. The economic access has been realised and that is where the biggest risk is.”

John Handelaar, Europe, Middle East and Asia vice president of Passlogix, says that 90 percent of people want to do it but are put off by complexity and cost.

“There is an argument that you can make it as safe as you want," Handelaar says.

"Users need to have access and people work remotely and as securely as possible.”

Andy Kemshall, technical director of SecureEnvoy, who acknowledges that with a cost of about $50 a token and deployment costs plus shrinkage of about 10 percent of devices a year, businesses should remove this cost from their budgets and consider using a personal device.

“Rolling out physical tokens can take as long as six months for a company with 5000 users," Kemshaw says.

"For a tokenless solution, that time is cut to two hours. The notion of carrying around a keyring to give access to secure corporate data is technology from the 1990s, the world has moved on."

He says research finds that we check our mobiles 15 times an hour.

"How long until you realise you've lost your token and phone the IT helpdesk? A week? A month?

"With companies looking for more ways to keep operating in case of adverse weather, the best solutions are the simplest. SMS-based authentication means users will always have a device that can let them connect with work, wherever they are.

"People are used to being reliant on their mobile phones for work and this is a natural evolution of that.”

RSA expanded to small-to-medium-sized business with a new capability in January. Adam Bangle, a regional director at RSA, says 2FA has received fresh interest as users realise that there needs to be more than passwords.

“Cost is always a factor and this is no different, it is about balancing risk and smaller businesses may have felt in the past that they may be vulnerable to security threats, but that has changed over the past few years," Bangle says.

"Organisations want to strengthen security around enterprise users.

“This has been in market for some time and there is strong adoption in enterprises, but I am still surprised how many rely on a username and password because as a security mechanism, it is insecure.”

So 2FA is being used internally for secure logins, but what about from a consumer perspective? Is it not time that more secure login services were offered by websites?

Bangle says the challenge is to create a secure environment but he said there is a common goal to create a customer experience that is easy to use.

“We see with government and banks they are using stronger authentication and education has improved the customer experience.

"Analyst firms say everyone needs to strengthen security and different commodities need a different type of experience and options, but it is too costly for banks to give all customers hardware tokens but with an SMS it is more cost effective."

So will we be using one-time passwords and secure sign-on technology by the end of this year?

I suspect we won't because of the cost and technology capabilities of providing hard or soft tokens. But it is positive to see an interest in secure login and I hope that this continues.

This article originally appeared at scmagazineuk.com