As attackers have grown more sophisticated, stealing passwords and flooding users' inboxes with phishing attempts has become easier. As a result, internet users have watched and experienced the transformation of authentication processes (especially the evolution of the password) aimed at better securing their many user accounts.
Do you remember a short time ago when passwords could be as simple as ‘qwerty,’ ‘password,’ or ‘abcd1234,’ but now every account you create makes you comply with new rules? Passwords must be at least 8 characters long and must contain at least one uppercase letter, one lowercase letter (A-Z, a-z) and one or more digits: these are all common rules when setting up passwords for different accounts. Every website has its own requirements, and now almost all require “strong passwords”. Yet composition rules only make a password harder to guess; they do nothing to stop a password that is phished, reused across sites, or leaked in a breach from ending up in an attacker's hands. So how do we move forward?
In this post we will focus solely on logical access (access to computers, online accounts, etc.), for which two-factor authentication is nothing new.
Originally patented in 1984, two-factor authentication is a two-step verification process intended to add an extra layer of security. The user identifies themselves with a username and then proves that identity with two of the following:
- Something the user HAS (a phone, a hardware token such as a Security Key, or an authenticator app such as Google Authenticator)
- Something the user KNOWS (a password, PIN or security question; the username itself is an identifier, not a secret)
- Something the user IS (their biometrics: fingerprint, face, iris, voice, ECG, typing patterns)
Two factor authentication is becoming more mainstream
Two-factor authentication has become more streamlined and modern, which is encouraging for users looking for frictionless and, more importantly, secure access to their accounts. For online accounts in particular there has been a major push for two-factor authentication following increased reports of account phishing and credential theft. Google, Facebook and Twitter, along with financial institutions, were among the first to adopt it, having recognised that better customer account security required a change in the authentication process.
Two Factor Authentication: Transition to Present Day
Some websites now require two-factor authentication for access to user accounts. Typically the user supplies a username and password, then a unique one-time code is sent to them by SMS or email; the user enters the code, and if all credentials are correct, access is granted. A caveat worth knowing: a code delivered by SMS or email is only as secure as the phone number or mailbox it is sent to, and it can still be phished, since an attacker who gets the user to type it into a fake login page can relay it to the real one while it is still valid.
Another example is a company executive who is asked to approve a company wire transfer or the like. Many of the major banks use a token system: a small keychain-sized piece of hardware that displays a new, unique six-digit code, typically every 30 or 60 seconds. When the executive logs into the company's online bank account to approve the wire, they are asked to enter their username, password and the code currently shown on their token.
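To make the SMS/email code and the keychain token concrete, here is an added example (written for this article, not code from the original post or from any bank or vendor) of how such a one-time code is generated and checked. It assumes the token implements time-based TOTP (RFC 6238, the scheme authenticator apps use) with a 30-second step; the bank tokens above may use a proprietary variant, so the step length is an assumption. The key `DEMO_SECRET` is the public test-vector seed from the RFCs, not a real credential, and the `last_used_counter` argument stands in for whatever per-user state a real server would persist.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo key: the ASCII test-vector secret from RFC 4226 / RFC 6238.
# It is public and NOT a real credential; a real token's seed is generated
# randomly at enrollment and shared only between the token and the server.
DEMO_SECRET = b"12345678901234567890"

TIME_STEP = 30   # seconds per code (RFC 6238 default; assumed for the token above)
DIGITS = 6       # code length, as on the keychain token described above
WINDOW = 1       # tolerate one step of drift either side between token and server clocks


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer and reduced to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch. This is the number the token displays."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_counter: int = -1, window: int = WINDOW) -> Optional[int]:
    """Server-side check of a submitted code.

    Returns the time-step counter the code matched, or None if it is rejected.
    The caller persists the returned counter per user (hypothetical server state
    here) and passes it back as `last_used_counter` next time: a code matching a
    counter at or before the last accepted one is a replay and is refused even
    though it is still inside the clock-drift window."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return None
    current = unix_time // TIME_STEP
    for delta in range(-window, window + 1):
        counter = current + delta
        # compare_digest keeps the comparison constant-time so response timing
        # does not reveal how many leading digits were correct
        if hmac.compare_digest(hotp(secret, counter), submitted):
            if counter <= last_used_counter:
                return None          # already used: replay
            return counter
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)        # what the user reads off the token
    print("token shows            :", code)
    print("server accepts now     :", verify_totp(DEMO_SECRET, code, now))
    print("same code replayed     :", verify_totp(DEMO_SECRET, code, now,
                                                  last_used_counter=now // TIME_STEP))
    print("same code 3 steps later:", verify_totp(DEMO_SECRET, code, now + 3 * TIME_STEP))
```

The point the article's examples leave implicit is that the token and the server never communicate: both hold the same seed and the same clock, so the server can recompute what the token is showing. That is also why the check needs a drift window, a replay guard and a constant-time comparison; without them a code that leaks once (for instance via a phishing page) remains usable for the rest of its window.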
As this example shows, two-factor authentication today relies heavily on what you KNOW and what you HAVE. That combination is a good way to add an extra layer of security to everyday practices, but it runs into the unavoidable trade-off between usability and security. Not much stops the CFO from sharing their credentials and lending their token to another employee for access to the company bank account, or worse, having the token stolen from them. Adding biometrics to two-factor authentication keeps the process frictionless while making it safer, especially when more than one biometric is combined.
What happens when you use ‘who you are’ as a factor of authentication?
- An ID card-based system identifies people by what they have.
- A password-based system identifies a person by what they know.
- Biometrics is the only technology that identifies a person by who they uniquely are.
Combining any two of these makes authentication safer, but biometrics represent the unique identity of each individual and, when done properly, are extremely difficult to steal or replicate, unlike a token or password. Two-factor authentication with biometrics opens up a level of security not previously offered by passwords, tokens, PINs or cards. One caveat a practitioner will want stated: unlike a password or token, a biometric cannot be reissued if its stored template is compromised, so the template should be kept and matched on the user's device or in a secure element rather than in a central database.
Are you prepared for the rapid growth of biometric technologies? Download our white paper, “The Future of ‘Bring Your Own Identity’ in Identity Relationship Management” for some strategic insights on how to get started.