Article posted: May 25, 2017
By Joakim Thoren, CEO
It's not often that Mashable writes about two-factor authentication (2FA), but it's a sign that personal security is being threatened and that organizations and individuals are concerned. The latest malware, WannaCry, shocked the security industry and exploited older operating systems and legacy systems, shutting down hospitals in the UK and large multinational organizations around the world.
It's clear that organizations and consumers alike are looking for better security methods to protect themselves. While Mashable questions the validity of using two-factor SMS security measures, it fails to explore better, alternative two-factor identification methods that are widely available today.
The problem with how companies are using SMS for two-factor authentication is that there's no additional security check to make sure the user has possession of his/her phone or device. A typical SMS two-factor authentication message is delivered automatically, with no proof that it reached the device and was privately delivered, or that the owner of the device was present to receive the message. Oftentimes, an SMS message pops up even when a device is locked, so anyone can receive the message by simply looking at the phone.
A better way to incorporate messaging in two-factor authentication is to communicate in both directions. It is more secure and powerful and opens possibilities for more security layers to be added to it, such as challenge-response, location validation, audit logging, voice recognition, behaviometrics or other forms of two-factor identification in use today.
As Mr. Morse also points out, there are many other forms of two-factor authentication with higher security levels than SMS authentication. Recently, Google authorized Yubico to supply two-factor authentication for its Google accounts, such as Gmail. Yubico provides a physical two-factor key, which is inserted into a computer and provides a secondary level of support needed to access accounts. Consumers are now able to secure their Google accounts by purchasing an inexpensive but secure YubiKey. YubiKeys provide an additional level of security beyond a password, and even if a username and password are hacked, it would be impossible for a hacker to access an account without the physical YubiKey security key. So, there are additional two-factor authentication methods that consumers can deploy today to protect sensitive accounts.
The real issue is: who should pay for this additional layer of security? Should the vendor or service provider (that is maybe giving away the product for free and has already provided a click-through contract to the user saying that the security is not guaranteed) pay? Or should the end user (who might not be aware of the risks of using the product or service) pony up for added layers of security?
It's great to read an article that addresses two-factor authentication in Mashable, but more can be said about how two-factor authentication can provide an extra layer of security to organizations and individuals alike. To learn more about the latest two-factor authentication methods and how to manage them, visit https://versasec.com.