Two Factors Aren’t Enough for Authentication

two-factor authentication 2FA biometricsOver the last few years, data breaches and identity theft have gotten progressively worse, making many people’s’ lives miserable as they strive to pick up the pieces. In many cases, these attacks are made possible through gaining access to a single account. From phishing to simply brute forcing a weak password, hackers are able to access enterprise systems because of one employee’s carelessness. And the same goes for personal accounts.

Have you ever had an account compromised? Was it because you clicked on a phishing email, failed to use a strong password, or didn’t update your password after a known security breach? I’m willing to bet the majority of you are saying yes. Even if it’s just your Facebook page or an account for a mobile game, your personal data has still been compromised. A malicious hacker could use that to gain access to more of your accounts, until they access your email or bank accounts and so on until they’ve taken over your life. All from one unsecured account.

This is why many have turned on two-factor authentication (2FA) for their social media and personal email accounts. But security experts are agreeing that 2FA isn’t enough.

Two Factors Aren’t Enough

The main function that companies use for 2FA is SMS. You type in your username and password, click login, and receive a text message with a six-digit code to type in to “authenticate.” But as hackers get more sophisticated, they’re using methods that even compromise your phone. A hacker can hijack your mobile number and “clone” your phone on their own disposable one, type in your already compromised credentials, receive the SMS for authentication, and log in before you even notice.

This type of attack has been gaining prominence in the rise of cryptocurrencies, which often use SMS for authenticating buyers. But at the same time, SMS-based 2FA is growing in popularity for businesses looking for a second-factor option that isn’t as costly as hardware tokens.

The Token Doesn’t Authenticate

The problem with SMS-based authentication is the same as that of hard tokens and other software-based solutions: A token doesn’t truly authenticate you. Whether it’s a text message, a one-time password or PIN, or a USB fob, all these tools do is, ultimately, act as a second password. They suffer similar flaws, and need to be replaced by a factor that proves that you are who you say you are when you try to log into your accounts. Enter biometrics.

Biometric authentication offers the only multi-factor authentication solution that provides knowledge-based authentication and proof of identity. For true security, such as when accessing sensitive data or bank records, you need this proof to minimize risk and keep authentication simple. Without biometrics, you’re simply applying a bandage to a much more severe problem.

Learn more in our white paper “Multi-Factor Authentication Without Tokens or Passwords.”