Increases in roaming user populations and remote access to organizations’ confidential data are becoming a larger security concern, leaving organizations with choices to make about how to secure these resources. The primary access point to these resources is through web-based applications which have login screens where a user is typically required to prove his or her identity by providing a valid set of credentials (typically a Username and Password).
Under normal circumstances, this authentication process may be sufficient to prove that a user is authorized and may be granted access to company applications and data. However, the sensitivity of private, corporate, or institutional information does not qualify as a normal circumstance. While currently still an integral part of authentication, passwords are an inadequate security measure for sensitive information when used only with an accompanying username. Passwords are becoming increasingly easy to exploit by unauthorized users, and the rapid progression of the digital age is providing disreputable individuals with an increasing number of methods for stealing passwords and impersonating authorized users.
There are alternative methods of securing private, sensitive information besides relying solely on something as simple and unreliable as a password. The primary method on the market today for strengthening and improving the security of logins is Two Factor Authentication (2FA).
Often described under the umbrella term, Multifactor Authentication (MFA), 2FA is an increasingly common solution that is sought out by many companies or institutions across a wide array of business verticals – especially where compliance requirements demand it. However, inflexibility and low usability have proven to be barriers for many organizations, with a typically high total cost of ownership (TCO) being a major deterrent for 2FA adoption in the current economic climate. PortalGuard avoids the common 2FA barriers (including the ever-prominent TCO issue) by providing a flexible and cost-effective approach that is easily implemented and adopted by users.
For a more detailed overview, check out our State of MFA eBook.
What’s Two-Factor Authentication (2FA)?
Two Factor Authentication (2FA) is a safer way to secure your logins. Instead of using one form of authentication, such as a password, two-factor authentication uses at least two forms of authentication to authenticate a user. This secures access for a user and the organization since even if a password does get compromised, there is still an extra layer of protection to make sure their information is secure.
Access Control with Two-Factor Authentication
Two-factor Authentication is not an uncommon term in the current digital climate. 2FA typically utilizes authentication processes that require two of the following three identifiers: something that you know (like a username and password combination), something that you have (such as your laptop, mobile phone, or external hardware token), or something that you are (such as your retinal scan, fingerprint, palmprint, or facial structure). The use of two distinct authentication factors increases security by adding another barrier that is exponentially more difficult for potential attackers to crack, while reducing the threat inherent in relying simply on a potentially weak and insecure password.
Does Two-Factor Authentication (2FA) Prevent Hacking?
With the workforce migrating to a more digital and remote environment, threat actors have increased their presence against many industries, including Higher Education, Healthcare, and Financial. 2FA is one of the best solutions for many of the issues facing IT departments in these sectors. Implementing 2FA makes hacking into an organization’s systems and data much more difficult, as attackers have to be able to present multiple factors that are often difficult, if not impossible, to fake. For example, with a one-time password (OTP) delivered via SMS, a hacker would have to not only hack the user’s password, but also obtain access to their text messages, or even steal their mobile device.
Because of 2FA, organizations can prevent most attacks before they begin, and even if a phishing attack succeeds, the stolen credentials will not be useful beyond the initial session. Threat actors would have to keep obtaining the second factor for any later login. For these reasons, 2FA is excellent at not only preventing attacks but also stopping the spread of them across an organization.
What is SMS 2FA?
The SMS Delivery Method (often referred to simply as ‘Phone’) involves sending an SMS Text Message to an enrolled Mobile Phone number. This SMS Text Message contains a One-Time Passcode (OTP) to validate the user to the PortalGuard System for a specific action. Administrators have full control over the length, character set, and validity of OTPs utilized by this option. These settings are shared by the ‘Email’ OTP type as well. SMS functionality requires integration with a 3rd Party SMS Provider system.
What is Tokenless 2FA?
Tokenless 2FA comes from what IT professionals know as multi-factor authentication, and the authentication process is very simple for end-users. “Tokenless” means users do not need a separate hardware token for the authentication process.
For 2FA, end-users must fulfill at least two of the following: end-users must own something, must know something, or must have some biometric characteristic. The most common methods for achieving Tokenless two-factor authentication are a combination of something you know like a username and a password and something you own like a mobile phone or a laptop.
Hardware tokens like USB tokens and physical cards have to be securely kept with the user at all times to keep them safe. However, many end-users either lose their hardware token or store it near their laptop in a backpack, which is similar to gluing your car keys to your car.
For tokenless 2FA, users already have their own devices for their work, so logically, users should be using their own device as the second form of authentication. For example, employees use their cell phones for more than work, like browsing social media or streaming services. Since it is always near them, users should be able to use their phone as the second form of authentication. Furthermore, users will be more protective of their cell phones compared to a separate key card.
3 Reasons to Adopt Tokenless 2FA
For small and medium-sized businesses, hardware tokens can be very costly. This is a huge contributing factor when it comes to businesses becoming compliant with PCI DSS standards. Organizations have avoided these costs by utilizing a product that enables their employees and end-users to leverage their mobile phones with an authentication code.
Tokenless authentication is also a matter of efficiency. In the era of a growing digital environment, there is an emphasis on ease of access and simplicity of use. Because a personal device, such as a desktop computer, tablet, or mobile phone, can be leveraged to generate a secure login, the use of a hardware token has become somewhat clunky and unnecessary.
Losing a hardware token is as common as forgetting to bring your wallet to work. Many users who rely on token-based authentication for 2FA tend to misplace their hardware token, leaving opportunities for threat actors to steal it and potentially compromise data. Additionally, users store their hardware token with their laptop in a backpack or a laptop bag, so if threat actors get hold of this laptop bag, to their surprise, they will find a laptop and the second form of authentication. From there, it will only take several hours to break through the password login, and now threat actors have full access to the device.
Instead, users who use their cell phone or tablet as the second form of authentication tend to secure their phone naturally. To the user, their phone means more to them than their hardware token. Adopting tokenless 2FA means you no longer have to worry about users misplacing their hardware token, and if a user misplaces their phone, it is most likely also protected through a simple PIN – making it more cumbersome for threat actors to break into the account.
PortalGuard uses existing SMTP to SMS gateways to submit an OTP to a pre-enrolled mobile device. PortalGuard uses the provider information supplied by the end-user during 2FA enrollment to determine which gateways to use for OTP delivery. The use of these services allows for rapid 2FA deployment with a much lower Total Cost of Ownership (TCO).
The Benefits of Two-Factor Authentication
The main purpose of Two-Factor Authentication is to increase security for end-user logins. Successfully implementing 2FA will improve authentication security by adding an extra layer of protection to application access, VPN access, and even Self-Service account management actions, such as password reset, recovery, and account unlock.
Adding that additional layer of security with a second factor of authentication can reduce the overall cyber risk of being compromised. Even in a situation where an attacker manages to steal the code in transit, once it is used by you to authenticate, it becomes completely unusable.
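The OTP settings described under SMS 2FA (length, character set, validity) and the single-use property described above can be sketched as follows. This is an added example, not PortalGuard code; the class and parameter names, the attempt limit, and the in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

class OtpPolicy:
    """Administrator-controlled OTP settings (hypothetical names, not PortalGuard's)."""
    def __init__(self, length=6, charset="0123456789", ttl_seconds=300, max_attempts=3):
        self.length = length              # number of characters in the code
        self.charset = charset            # characters the code may contain
        self.ttl_seconds = ttl_seconds    # validity window
        self.max_attempts = max_attempts  # assumption: guess limit, not from the page

class OtpStore:
    """In-memory store of pending OTPs keyed by user; keeps a hash, not the code."""
    def __init__(self, policy, clock=time.time):
        self.policy = policy
        self.clock = clock
        self.pending = {}  # user -> [digest, expires_at, attempts_left]

    @staticmethod
    def _digest(user, code):
        return hashlib.sha256(f"{user}:{code}".encode()).digest()

    def issue(self, user):
        # secrets.choice draws from the OS CSPRNG; random.choice is predictable.
        code = "".join(secrets.choice(self.policy.charset)
                       for _ in range(self.policy.length))
        expires = self.clock() + self.policy.ttl_seconds
        # A newly issued code replaces any earlier pending code for this user.
        self.pending[user] = [self._digest(user, code), expires, self.policy.max_attempts]
        return code  # handed to the delivery channel (SMS or email), never logged

    def verify(self, user, submitted):
        entry = self.pending.get(user)
        if entry is None:
            return False
        digest, expires, attempts_left = entry
        if self.clock() > expires:
            del self.pending[user]    # validity window has passed
            return False
        if hmac.compare_digest(digest, self._digest(user, submitted)):
            del self.pending[user]    # single use: a replayed code now fails
            return True
        entry[2] = attempts_left - 1  # count the wrong guess
        if entry[2] <= 0:
            del self.pending[user]    # stop online guessing of a short code
        return False
```

A code copied in transit fails once the legitimate user has redeemed it, because the pending entry is deleted on the first successful check.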
Two-factor authentication incorporates logical or physical security to fill in the gaps in both security domains, reducing the risk from identity theft and fraud. Also, two-factor authentication mitigates the risk from users that have poor password habits, i.e. changing their password in a pattern.
Moving away from the number of affordable options organizations can access from the two-factor authentication menu, it’s time to consider other benefits that go together with this authentication solution. Take compliance, for instance. According to the 2FA public sector, 2FA is deployed in over 500 state and local government organizations just within the United States to address CJIS, PCI, HIPAA, and several other state and local compliance requirements. While implementing 2FA is not mandatory for every industry, 2FA has become a necessary measure in finance, healthcare, state and local government, and law enforcement. To this day, compliance continues to be a top motivational factor for implementing a two-factor authentication solution.