Two-Factor Authentication

Copyright Date: 2015
Published by: IT Governance Publishing
Pages: 104
    Book Description:

    Passwords are not enough

    A password is a single authentication factor - anyone who has it can use it. No matter how strong it is, if it's lost or stolen it's entirely useless at keeping private information private. To secure your data properly, you also need to use a separate, secondary authentication factor.

    Data breaches are now commonplace

    In recent years, large-scale data breaches have increased dramatically in both severity and number, and the loss of personal information - including password data - has become commonplace. Add to this the fact that rapidly evolving password-cracking technology and the habitual use - and reuse - of weak passwords has rendered the security of username and password combinations negligible, and you have a very strong argument for more robust identity authentication methods. Consumers are beginning to realise just how exposed their personal and financial information is, and are demanding better security from the organisations that collect, process and store it, which in turn has led to a rise in the uptake of two-factor authentication (TFA or 2FA). In the field of authentication security, the method of proving identity can be broken down into three factor classes - roughly summarised as 'what you have', 'what you are', and 'what you know'. Two-factor authentication relies on the combination of two of these factors.

    Product overview

    TFA is nothing new. It's mandated by requirement 8.3 of the Payment Card Industry Data Security Standard (PCI DSS) and banks have been using it for years, combining payment cards ('what you have') and PINs ('what you know'). If you use online banking you'll probably also have a chip authentication programme (CAP) keypad, which generates a one-time password (OTP).

    What is new is TFA's rising uptake beyond the financial sector.

    Two-Factor Authentication provides a comprehensive evaluation of popular secondary authentication methods, such as:

    * Hardware-based OTP generation

    * SMS-based OTP delivery

    * Phone call-based mechanisms

    * Geolocation-aware authentication

    * Push notification-based authentication

    * Biometric authentication factors

    * Smart card verification

    as well as examining MFA (multi-factor authentication), 2SV (two-step verification) and strong authentication (authentication that goes beyond passwords, using security questions or layered security).

    The book also discusses the wider application of TFA for the average consumer, for example at such organisations as Google, Amazon and Facebook, as well as considering the future of multi-factor authentication, including its application to the Internet of Things (IoT). Increasing your password strength will do absolutely nothing to protect you from online hacking, phishing attacks or corporate data breaches. If you're concerned about the security of your personal and financial data, you need to read this book.

    eISBN: 978-1-84928-733-3
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 2-4)
    (pp. 5-8)
    John Haggard

    If there is a more hated, feared, or otherwise misunderstood word associated with information technology than ‘password’, I don’t know it.

    My authentication-security baptism occurred in 1982 during my first commercial security project fixing the 30-line password algorithm of ACF2 (SKK, Inc.). Since then, I’ve only gone further down the rabbit hole of this critical area of information security.

    Because ACF2 was the leading mainframe security product, and the primary product protecting US and other Western governments, we were heavily involved with trust certifications. These included C2 and B1 levels of assurance documented in the ‘Orange Book’ in the noted...

    (pp. 9-10)
    (pp. 11-11)
    (pp. 12-12)
  6. Table of Contents
    (pp. 13-14)
    (pp. 15-21)

    Existing information-security technologies and processes often resemble historical methods to provide confidentiality, integrity and availability.

    In the Middle Ages, the use of castle walls, gates, and drawbridges allowed for certain people to come or go only as desired by those in charge. Today, a firewall ensures that data can only enter or leave specific network ports as defined by configured filtering-rule sets. Similarly, Julius Caesar utilised primitive cryptography thousands of years ago to transmit instructions and guidance to his Roman army. While cryptography still has its place among military engagements, it also helps us protect everything from our private photos...

    (pp. 22-26)

    Depending on your level of computing technology experience, you may be more or less familiar with three major models in architecture:

    1 Mainframe computing

    2 Client-server computing

    3 Cloud-mobile computing

    Each of these models represents a fundamental shift in the way computing architects leverage resources (memory, storage, processing power, etc.) and how those resources are made available to end-users.

    In mainframe computing, the resources were highly centralised, with perhaps a couple of large machines that would allow many users to access them and share resources. A client-server model, however, shifted much of the computing resources and effort down to individual...

    (pp. 27-32)

    To understand the current options on the market for two-factor authentication, two key concepts are in-band and out-of-band methods. The choice of how to authenticate involves not just the mechanism (e.g. hardware, software, etc.) but also the medium used to transmit authentication data.

    When using a device like a hardware token that generates a one-time password, that value is likely sent through the same transmission channel of authentication as your primary credentials. Imagine, for instance, if you were to log into a web-based email account with your username and password. As part of the authentication process, you would also...

    (pp. 33-59)

    If you were to ask a number of reasonably well informed security professionals, “What is two-factor authentication?” you’d likely get a consistent answer: “Hardware tokens that generate random numbers.” This view isn’t unfair or inaccurate in the macro view of the world since it’s been 30 years since Kenneth Weiss filed his patent for what would become the very well known RSA SecurID token. This single line of devices has propelled the RSA brand into the pockets of many of the most important professionals over the past few decades, and was, in many ways, one of the few options of...

    (pp. 60-67)

    It’s no secret that many of the information security projects that are initiated by organisations are run in order to achieve compliance with a certain standard or regulation. Whether your company is a large financial organisation, a small online retailer or a medical care facility, there are certain benchmarks that must be met in order to participate adequately in the given industry vertical. This chapter will detail a number of situations across the world where two-factor authentication is part of the everyday reality in many different industries, from the United States to India.

    Assuredly one of the most widely known...

    (pp. 68-77)

    As has been noted in this book, many of the people who’ve used two-factor authentication in computing contexts likely did so through their professional careers in a few main industry verticals. Because of this, many of the standards and second-factor technologies we’ve reviewed are foreign even to a seasoned user of two-factor authentication. Until 2008, the average Internet user was very unlikely to have any access to two-factor authentication for their accounts and thus exposure to these technologies will have been limited or non-existent.

    From 2011 to present, there’s been a steady increase in the number of online sites and...

    (pp. 78-82)

    As technology continues to evolve with more focus on the individual user, authentication security will only become more exciting and more important. I foresee a time in which the many wearable and mobile devices we possess will become a core aspect of authentication, with many methods used across two or three factor classes, providing for greater authentication intelligence.

    It’s been said that Google uses over 50 different ‘signals’ of data to provide filtered search results to its users. In a similar manner, I believe that authentication signals will ultimately be the way that we will provide assurance to prove the...

    (pp. 83-99)
    (pp. 100-104)