Buyer Beware: All 2FA Solutions are not Created Equal

Most 2FA solutions on the market today aren’t even ‘two-factor’ solutions, according to Ant Allan, a Gartner Research vice president, who recently tweeted:

“Most mainstream #2fa or #mfa solutions are really “second-factor” solutions – they add to an existing password. (Even when they have their own PIN.) Few vendors offer both factors in a well-integrated way, as a *replacement* for legacy passwords. What examples do you know of?”

The 2018 Verizon report calls passwords “useless” and challenges organizations to replace them with stronger multi-factor authentication.

If you take a look at Cisco’s recent acquisition of Duo (huge congratulations to Duo for selling to Cisco for $2.35 billion), you can see that Cisco (or at least one of the business units within Cisco) wanted to add an MFA solution to its quiver. But take a closer look and you’ll see that Duo is not actually an MFA solution in the sense Allan describes: it adds a second factor on top of the password rather than replacing it.

When organizations implement Duo, users log in with their username and password, and the Duo app then prompts them for a second factor (push notification, PIN, or SMS).

Since the goal is to make life easy for the user, Duo delivers convenience by letting organizations configure the second-factor check to be remembered for an extended period: once a device has completed the phone-based step, later logins from that device within the window require only the password. In practice this lets users stay “logged in,” which reduces those logins to a single factor, the inherently weak password, so during the window a compromised password is all an attacker on a remembered device needs. I have seen environments where a fresh second factor is only required once every 30 days.
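To make that trade-off concrete, here is an added example (my own illustration, not Duo’s code, configuration or log format) that replays a constructed set of successful password logins under a “remember this device” policy and reports how many of them succeeded on the password alone. The `SAMPLE_LOGINS` data, the function names and the one-device-per-user simplification (no device revocation, no per-device tracking) are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample of successful password logins (illustrative data only,
# not Duo's log format). Each entry is a username and an ISO-8601 timestamp.
SAMPLE_LOGINS = [
    {"user": "alice", "at": "2018-08-01T09:00:00"},
    {"user": "alice", "at": "2018-08-10T09:00:00"},
    {"user": "alice", "at": "2018-09-05T09:00:00"},
    {"user": "bob",   "at": "2018-08-01T09:00:00"},
    {"user": "bob",   "at": "2018-08-01T17:00:00"},
]


def simulate_remembered_device(logins, remember_days):
    """Replay password logins under a 'remember this device' policy.

    A second factor is demanded on a user's first login and again only once
    `remember_days` days have elapsed since that user's last fresh second
    factor (simplification: one device per user, no revocation). Returns the
    logins in time order, each tagged with a `second_factor_required` flag.
    """
    remember_for = timedelta(days=remember_days)
    last_fresh = {}  # user -> time of the last fresh second factor
    results = []
    for login in sorted(logins, key=lambda entry: entry["at"]):
        at = datetime.fromisoformat(login["at"])
        prev = last_fresh.get(login["user"])
        required = prev is None or (at - prev) >= remember_for
        if required:
            last_fresh[login["user"]] = at
        results.append({**login, "second_factor_required": required})
    return results


def password_only_share(results):
    """Fraction of replayed logins that succeeded on the password alone."""
    if not results:
        return 0.0
    password_only = sum(1 for r in results if not r["second_factor_required"])
    return password_only / len(results)


def compare_policies(logins):
    """Same login history under a 30-day remember window versus always prompting."""
    return {
        "remember_30_days": password_only_share(simulate_remembered_device(logins, 30)),
        "always_prompt": password_only_share(simulate_remembered_device(logins, 0)),
    }


if __name__ == "__main__":
    for row in simulate_remembered_device(SAMPLE_LOGINS, 30):
        status = "second factor" if row["second_factor_required"] else "password only"
        print(f'{row["user"]:6} {row["at"]}  {status}')
    print(compare_policies(SAMPLE_LOGINS))
```

Run against real authentication logs, the same replay tells you what share of your successful logins were, in effect, password-only; the 30-day window in the sample turns two of the five logins into single-factor events, while a zero-day window prompts every time.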

When contemplating an MFA solution, it is critical for enterprises to weigh security against convenience. Duo’s approach might be appropriate for organizations with a philosophy of open and easy access, but is it the right level of security for your company? Probably not.

The 2018 Verizon report preaches the same message:

“Things to consider: 2FA! 2FA! Implement two-factor or multi factor authentication in your enterprise for those who administer any web applications or databases. If at all possible establish two-factor authentication with all users in your organization.”

Why would you opt for an authentication solution, even one that adds a second factor (like Duo), that maintains the status quo of passwords, with all of the vulnerabilities and costs that go with them?


At Veridium, we encourage a very different approach to authentication. We provide a genuine MFA solution. Instead of using knowledge-based authentication (KBA, what you know) as one of the factors, we use possession (the smartphone) and inherence (biometrics) for true multi-factor authentication.

Is this more secure? You betcha. Is it as convenient? It is.

We’ve built a software solution that provides strong security with multi-factor authentication in a single step. All you need is your smartphone. No PINs, no tokens, no passwords.

Ant Allan tweeted another point worth mentioning:

“Adding support for phones’ native #biometric modes is probably not enough.”

That’s why, in addition to supporting native biometrics, Veridium has invested in developing our own biometrics, including 4 Fingers TouchlessID, face, and behavioral biometrics.

We believe that you shouldn’t have to trade off security for convenience. With a true MFA solution, you can get both. And by the way, Veridium’s solution is strong enough security (and convenience) for a Swiss bank. A very large, multinational Swiss bank.
