What’s important is to consider the various environments (e.g., on-premises, cloud, hybrid), determine which applications need Multi-Factor Authentication, and then find the best solution fit to align with existing policies, controls, and security objectives.
2 Factor Authentication Risks
It’s also important for IT security teams to understand the small, but potentially significant difference between Multi-Factor Authentication and two-factor authentication.
A subset of Multi-Factor Authentication, 2 Factor Authentication requires users to provide a username/password combination and then to prove possession of something they physically hold (e.g. a smartphone). Today, the majority of 2 Factor Authentication deployments deliver a unique, one-time code to a mobile phone that has already been confirmed and paired with the user's account, either by sending it over SMS or by having an authenticator app generate it on the device. Google Authenticator and Authy are good examples of the latter: they generate time-based two-step verification codes locally on the phone, with no message sent over the carrier network.
But are two factors enough? The convenience and relative time savings of 2 Factor Authentication are better than nothing, but is it still vulnerable? The question matters because a large share of breaches today involve an adversary compromising user credentials and using them to gain access to a business's network and sensitive assets.
Among several large-scale examples of 2 Factor Authentication failing is the Reddit breach. In June 2018, Reddit found that an attacker had compromised several employee accounts through its cloud and source-code hosting providers. At the time, the company had been using basic SMS-based 2 Factor Authentication, whereby users were sent a token via text message that they then entered into the application they were authenticating to. This form of 2 Factor Authentication is simple, cheap, and user-friendly, which is why it is so popular; the downside is that the code travels over the carrier network, so it is exposed to SMS interception (SIM swapping, SS7 abuse, or a compromised messaging path), which was the main attack vector Reddit identified in its breach.
Also think about device-bound authenticators
An authenticator app or hardware token that generates time-based one-time passwords (TOTP, RFC 6238) removes the SMS channel, and with it most of the inherent vulnerabilities of basic 2 Factor Authentication. These solutions work by registering a shared secret between the user's device and the authentication server at enrollment. The server and the client then independently derive a fresh code from that secret and the current time window (typically 30 seconds), so the code never has to be transmitted to the device. When the user attempts to log into an application, the server recomputes the expected value for the current window and checks whether it matches the submitted code; if it does, and the code has not already been used, the user is granted access.
It is a trade-off: extra factors will not satisfy those looking for maximum speed and convenience, but it is hard to argue against a combination that is easy to use yet harder to defeat, especially when weighed against the far greater hassle and potential damage of a breach.