For what seems like a decade or more, two-factor authentication has been the gold standard of cybersecurity. We’re all used to it by now, and it’s one of the most used tools. You don’t build a robust defense without two-factor authentication; that’s a given.
Still, TFA isn’t foolproof. A recent article that appeared in the New York Times, written by a Rochester Institute of Technology professor named Josephine Wolff, has caused a buzz in the MSP community. Citing research by Amnesty International and other organizations, it suggested two-factor can be gamed more easily by bad actors than many would like to admit. While the professor stopped short of saying TFA should be scrapped, the article made a strong case that MSPs and other IT security personnel shouldn’t take it for granted.
Wolff wrote, “The fact that two-factor authentication can be compromised through fairly straightforward, widely used tactics is no reason to stop using it. After all, no security tool is perfect. As long as it significantly decreases the likelihood of account compromises, two-factor authentication is still worth using. However, we don’t know a lot about how much two-factor authentication helps protect your accounts.” Wolff is hardly the only person to suggest sentiments like this after conducting research on the topic.
The New York Times article, coupled with other recent research, is making 2019 a tough year for two-factor authentication. “You can’t relax just because you started enabling two-factor authentication. A smart attacker could still get access to your account,” Kevin Mitnick, a cybercrime advisor to the FBI, told CNBC.
So, where does TFA stand today? SmarterMSP caught up with a couple of noted cybersecurity experts for their thoughts on the current state of two-factor authentication.
Not perfect, but still safer than not using it
Dr. John Nicholas, Professor of Computer Information System and Program Director of Cybersecurity and Digital Forensics in the College of Applied Science and Technology at the University of Akron in Ohio, is a significant supporter of this idea.
“If you put two dead bolt locks on your door, it does not stop a determined thief from getting in; it simply makes it harder to do so. Two-factor authentication is a similar thought process; it is not perfect, but it is much safer than not using it,” Nicholas explains.
The battle against hackers is an ongoing one, and Nicholas believes that organizations need to increase their spending on IT, which is good news for MSPs. MSPs are often the best option for businesses that don’t have the budget for in-house IT.
Whether it is two-factor authentication or some other methodology like biometrics, Nicholas says that if the business’ culture doesn’t value cybersecurity, then it doesn’t matter what defense you pick. People will get sloppy and hackers will find a way in. Nicholas advises MSPs to continue educating and training staff in IT best practices, as part of their regular routine.
Practice good “cyber hygiene”
Nicholas preaches that, “All organizations, especially now that we are almost into the third decade of the 21st century, have to increase spending on the IT side of the ledger book. This means hiring and keeping enough IT professionals to keep the system and data secure, providing continuing education monies for the IT professionals to keep their knowledge and skills current and, most importantly, embracing, implementing, and enforcing an organizational-wide culture of cybersecurity,” citing good “cyber hygiene” and cyber awareness policies.
The most potent weapon MSPs can deploy isn’t technological; it’s educational. As far as two-factor authentication goes, there are ways to make it more foolproof.
“Usually an SMS message can be intercepted and decoded, or if the thief has your phone, the SMS message will go directly to the thief. On our end, we can use Virtual Private Networks (VPN) on all our devices. This will encrypt the data from point-to-point, so that we can have the authentication code sent to an encrypted and secure e-mail account with verified e-mails before you reply,” Nicholas explains.
“If in doubt, call the institution you are trying to log into and verify the phone number in multiple places. Use common sense and street smarts because these hackers are using the same con-man tactics as street punks, just with more sophisticated tools,” Nicholas cautions.
Add another layer
Meanwhile, Dr. Mamoun Alazab, Associate Professor in the College of Engineering and a cybersecurity specialist at Charles Darwin University in Australia, reiterated the importance of two-factor authentication and education.
“Two-factor authentication should be used all the time by internet users. It absolutely can help to reduce cybercrime and provide better protection. Implementing two-factor authentication makes it much harder for cybercriminals to gain access and steal secret information or your identity,” details Alazab.
Adding still another layer of login security is even better. When cold weather hits, people break out the jackets and coats, and when it gets even colder, the scarves and mittens come out. None of these things are foolproof, but they provide increased protection, and that is what adding more layers of authentication does.
“When multi-factor authentication is implemented, it is significantly more difficult for criminals to steal a complete set of credentials, as the user has to prove they have physical access to a second factor,” Alazab explains.
While two-factor authentication is still the go-to tool, multi-factor authentication may be gaining currency. In the end, it comes down to the MSP’s most potent weapon: education.
“Two- and three-factor authentication is only as effective as the user. Education and awareness are therefore vital to enable users to use this security feature,” Alazab says.
Photo: NicoElNino / Shutterstock