The Pros and Cons of Two-Factor Authentication

December 30, 2011

The government (FISMA), banks (PCI) and the healthcare industry are huge proponents of two-factor authentication, a security measure that requires two different kinds of evidence that you are who you say you are ... or that you should have access to what you're trying to access. In many cases, it involves using a combination of a physical device and a secure password, so those huge industries were early adopters of the practice. In our definition, two-factor authentication is providing "something you know, and something you have." When you're talking about national security, money or people's lives, you don't want someone with "password" as their password to unwittingly share his or her access to reams of valuable information.

What is there not to like about two-factor authentication?

That question is one of the biggest issues I've run into as we continue pursuing compliance and best practices in security ... We can turn on two-factor authentication everywhere – the portal, the VPN, the PoPs, internal servers, desktops, wireless devices – and make the entire SoftLayer IS team hate us, or we can tell all the admins, auditors and security chiefs of the world to harden their infrastructure without it.

Regardless of which direction we go, someone isn't going to like me when this decision is made.

There are definite pros and cons of implementing and requiring two-factor authentication everywhere, so I started a running list that I've copied below. At the end of this post, I'd love for you to weigh in with your thoughts on this subject. Any ideas and perspective you can provide as a customer will help us make informed decisions as we move forward.

Pros

  • It's secure. Really secure.
  • It is a great deterrent. Why even try to hack an account when you know a secondary token is going to be needed (and only good for a few seconds)?
  • It can keep you or your company from being in the news for all the wrong reasons!
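The "secondary token ... only good for a few seconds" in the Pros list is, for most software tokens, an RFC 6238 TOTP code. The block below is an added example, not code from the original post or from SoftLayer: it generates TOTP codes and verifies them with a small drift window, assuming the common 30-second step and 6-digit defaults, and uses the RFC's published test-vector secret as sample input.

```python
import hmac
import hashlib
import struct

# Added example (not from the original post). Step length and digit count
# are assumed defaults; the secret is the RFC 4226/6238 test-vector key.
STEP_SECONDS = 30
DIGITS = 6
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a fixed number of decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step,
    so the same code is only produced for STEP_SECONDS."""
    return hotp(secret, unix_time // STEP_SECONDS)


def verify(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps on
    either side to tolerate clock drift. compare_digest keeps the comparison
    constant-time so timing does not reveal how many digits matched."""
    current = unix_time // STEP_SECONDS
    for step in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, step), submitted):
            return True
    return False


if __name__ == "__main__":
    # A code minted at t=59 is accepted at t=59 and t=89 (one step of drift)
    # but rejected at t=119: two steps later it has expired.
    code = totp(DEMO_SECRET, 59)
    for t in (59, 89, 119):
        print(t, code, verify(DEMO_SECRET, code, t))
```

The short lifetime is the whole deterrent: a captured code is useless within a minute, which is why the seed (not the code) is what an attacker would need, and why a PIN or password still has to stand beside it.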

Cons

  • It's slow and cumbersome ... Let's do some math: 700 employees with 6 logins per day on average means 4,200 logins per day. Assume 4 seconds per two-factor login, and you're looking at 16,800 extra seconds (4.66 hours) a day shifted from productivity to simply logging into your systems.
  • Users have to "have" their "something you have" all the time ... whether that's an iPhone, a keyfob or a credit card-sized token card.
  • RSA SecurID was HACKED! I know of at least one financial firm that had to turn off two-factor authentication after this came up.
  • People don't like the extra typing.
  • System Administrators hate the overhead on their systems and the extra points of failure.

As you can start to see, the volume of cons outweighs the pros, but the comparison isn't necessarily quantitative. If one point is qualitatively more significant than two hundred contrasting points, which do you pay attention to? If you say "the significant point," then the question becomes how we quantify the qualitativeness ... if that makes any sense.

I had been a long-time hater of two-factor authentication because of my history as a Windows sysadmin, but as I've progressed in my career, I hate to admit that I became a solid member of Team Two-Factor and support its merits. I think the qualitative significance of the pros outweighs the quantitative advantage the cons have, so as much as it hurts, I now get to try to sway our senior systems managers to the dark side as well.

If you support my push for further two-factor authentication implementation, wish me luck ('cause I will need it). If you're on Team Anti-Two-Factor, let me know what the key points are when you've decided against it.

-@skinman454

Comments

December 30th, 2011 at 10:34am

End passwords altogether and go with a biometric authentication such as a retinal scan or fingerprint.

Have the system update all passwords every 30 days, and the only thing the user has to remember is their eyeball or hands.

Done - and it's more secure than 2 factor because unless they lost their eyeball or got their hand chopped off, no one but them is getting in. And the "they must have stolen my token" is a useless argument.

December 31st, 2011 at 8:05am

I've always been a fan of two-factor authentication, simply because people always pick bad passwords. Even if you enforce complexity policies, they will find ways around it.
Even worse, people are lazy. As soon as there is a "remember credentials" option in any application, they will use it, storing their admin credentials on an insecure laptop (I consider all client devices to be insecure because nearly everyone in IT has local admin rights these days, but that's another discussion).

So, assuming passwords are weak, two-factor authentication should always be used for remote access in my opinion. For local access to desktops, one can argue that physical access means you had to use a keycard to enter the building, so you can be trusted. Depending on the environment you work in, that may or may not be sufficient. For me, that's only a small factor because there are many people with physical access that I do not trust at all (like the cleaning crew).

For VPN access, there is no way to know who the user really is, so that requires two-factor authentication at all times. Once past that barrier, the user experience is the same as when they are in the office. The token here really just acts like the keycard.

The system should of course remain usable; requiring two-factor authentication for access to every single server would mean I spend half the day copying token codes rather than doing anything useful. We do require a second level of token authentication for admin access to servers, but that's only once a day.
This basically means we have two security zones, depending on the damage you can do. Many of the staff never need access to the customer servers, so no need to allow that either.

Introducing all this wasn't always easy and it was done in steps, always explaining why these things were needed. Some people complained, but all in all, less than I would have expected. I think by now we are somewhat on the edge of what is usable. Combined with proper firewall rules and ACLs everywhere, this is a pretty safe system. Two factor authentication is just a part of it.

We do in fact use a third check before granting users access to the network (regardless of access method) and that is computer authentication. Microsoft, as much as I dislike them, makes this trivial. It's even transparent to the end user. If your clients use Linux/Mac or install their own OS, this gets a lot more complicated.

January 2nd, 2012 at 8:55pm

Being posted on December 30, you won't get that many comments in this article. :)

Waoo, 4.66 hours (estimated) gone to the trash can every day? It looks like a lot of time.

January 3rd, 2012 at 9:34am

Count me amongst those fully on the pro "Team Two-Factor." While I've got a vested interest in 2FA (my company has a patent-pending solution using mobile-originated SMS as the authentication) I'm a believer due to personal experience. Anyone that has ever had the email or Twitter account or, worse, their personal identity - such as banking information - hacked will be happy to invest another four seconds in using a secondary method of authentication.

Passwords simply aren't enough anymore. The bad guys are getting smarter and make hacking look easy, especially when the vast majority of users choose passwords that are absurdly easy to guess or simply post them on a sticky note attached to their screen. Even a pet's name, favorite team, birthday or other information that you think would be more difficult to guess represents little challenge to someone with enough skills to read your Facebook page or your tweets.

Individuals refusing to get on "Team 2FA" are kidding themselves… it's only a matter of time until their accounts are violated and they become cheerleaders for our team, too.

Scott Goldman
CEO - TextPower, Inc.

January 4th, 2012 at 5:08am

Myself and my company are very much on board Team 2FA.

As Scott pointed out, "passwords simply aren't enough anymore". We have witnessed case after case in which a customer has been "hacked into" due to logging into their content management system or remote VPN gateway from an insecure, public connection. Keyboard loggers and rogue Wi-Fi scanners run amok.

The concept of "something you know" (e.g. password) and "something you have" (e.g. OTP, dongle etc.) provides a very high level of security which the user cannot bypass or simplify.

There are a number of affordable (and free!) web based OTP services now such as Google's Authentication platform. We're also a fan of Yubikey's open source based USB validation platform.

2FA received some bad press in 2011, primarily due to the RSA seed hack, but regardless, the hack focused on one component of the authentication process, the SecurID. Security-smart users (?) will be careful to use a strong password or PIN in tandem with their OTP device, making each component of the login process a "factor".

I'm pleased to see SoftLayer offering 2FA options to their customers such as the new Verisign Identity Protection option.

It's terrifying that many hosting providers have only a password standing between a rogue hacker and their infrastructure management systems.

Christopher.

January 11th, 2012 at 11:43am

Two-factor authentication doesn't require an RSA SecurID token. For internal employees and systems, you could use smart cards, which are simple: drop the smart card into the slot, then type a password. Heck, you could integrate them into your badges (you do require all employees to have a visible badge, right?). From there, as employees hit different internal systems, it just reads the smart card so they don't have to type.

Customers and the like can still use tokens as normal.

February 29th, 2012 at 7:39am

Thank you for sharing the pros and cons of two-factor authentication!

I agree that people don't like typing; in fact, I hated it a few months ago. But after facing serious online fraud attempts on my personal data, I chose dual-factor authentication as one of the best methods to prevent online fraud to a great extent.

March 10th, 2012 at 2:22pm

You can certainly have the best of both worlds: one-time access codes and no password hassles, no extra gadgets to carry, and a safe login.

Login without passwords is unthinkable in this decade. But it is possible.
Nope, I'm not even talking about biometrics. Biometrics have limited use when it comes to online authentication. If my fingerprints are stolen, I cannot go back to my mom and ask for different fingerprints :)

SMS text message-based access codes have limited use when the whole industry is moving towards mobile banking. The out-of-band advantage simply vanishes.

Want to know more? You can either visit oncybersecurity.com or email info at truesigna dot com.

Cheers
-J

May 5th, 2012 at 11:40am

I've noticed most global cloud providers, web mail providers and banks moving to the use of a telephone (mobile or other) as a form of a token where the user is asked to 'telesign' into an account or to confirm a transaction. As has been stated time and time again “passwords simply aren’t enough anymore”. For me, the 30 seconds it takes to have the peace of mind that my account won't get hacked and my credit card and personal information isn't up for grabs is well worth it. I wish more organizations would start implementing 2FA.
