A Factor of Two
The password is dead. At least, so they say – the headlines anyway. And if you haven’t seen them, you may not be paying attention: the 2011 Forbes article declaring “The Password is Dead”, the December 2012 Wired Magazine cover story titled “Kill the Password”, and the recent 2013 American Banker report reiterating “The User Name and Password Are Dead. Now What?”. Houston, we clearly have a problem – one that requires solving.
Authentication processes that only rely on static values presented at each logon event are well known to be vulnerable to compromise. It only takes a single misstep to fall victim to malicious threats lurking in the inter-webs, keystroke-logging their way into your online life.
Is it surprising to see the rapid adoption of two-factor authentication by social and consumer sites such as Gmail, Yahoo!, Twitter, Evernote, Dropbox, PayPal, and so many others? Why wouldn’t you want to protect your online banking account with at least the same level of security that protects your Facebook account!? Struggling to understand why these online services are outpacing banks, credit unions, and other financial institutions in adopting this technology? Me too. Maybe what’s even tougher to accept is the number of financial institutions that don’t even offer such enhanced authentication features to their customers. One barrier often cited is the fear institutions tend to have around customer attrition due to overburdening security hoops. I may have given you that one a few years ago, but two-factor authentication is becoming more of a standard offered in many online services, such as the popular ones listed above. Google recently introduced two-factor authentication for Gmail users. With nothing more than a simple instructional video, Google rolled out this feature in “3 easy steps.” Quite possibly, banks and credit unions alike haven’t considered that such enhanced authentication features might be welcomed and seen as a benefit or differentiating advantage in the eyes of their customers and members.
Introduce the smartphone. Yeah, you know, that device nearly every one of us owns. You remember now – the one you have connected at your hip. Consider online banking from a security perspective, and realize the opportunity a mobile device introduces. Then consider engaging that mobile device in authentication events – representing the “something I have” in the two-factor realm. Why would your institution not leverage this second factor? To send a real-time SMS message to authenticate a user at login? To initiate an automated call containing a one-time code to authorize a transaction? Or to validate a higher-risk activity using a randomly generated value from a soft token app? This added level of security could often be just enough to halt fraudsters perpetrating account takeover attacks. Sure, it has its weaknesses, such as a smartphone infected with a malicious SMS-stealing Trojan. But show me a technology that doesn’t have weaknesses. There isn’t one. That’s why the best protection strategy is one that employs “multi-layered” security controls, compensating for whatever weaknesses may exist in one control with the strengths of other controls.
It’s something I know: my password. But it’s clearly not enough. Add to the equation something I have. A second factor.