Friday, 30 May 2014

Achilles Heel of Two-Factor Authentication


Ironically, to reset one credential, you need another. And your organization is only as secure as your weakest account recovery credential.

Today, websites use a wide array of techniques to enable account recovery. Many rely on control of an email address or a cognitive secret. Manufacturers can associate a serial number with a given customer, and require control of a device. One solution proposed is to enable account recovery based on “friend vouches.”

To use Google’s own words, account recovery is most definitely “the achilles heel” of multi-factor authentication. Organizations may want to consider solving this first, before you undertake a two-factor authentication solution. It is vulnerable to hacking humans, which is the topic of an interesting talk this year at SXSW Interactive.

What is the best way to secure account recovery?

In many organizations, hardware is going to be a long-term fact of life. It represents an ancient trust model: a physical key. Supporting hard tokens at scale is a challenge–its logistically much more difficult than scaling a mobile authentication single sign on solution. However, prices for hardware are going down, a promising standard is on the rise (FIDO), and combined with NFC, hardware tokens can be used to authenticate to both a mobile device or laptop. A lot of work needs to be done to make hardware tokens easier to use by organizations. For example enrollment is a logistical nightmare for many hardware solutions.

Many new account recovery solutions will utilize the telephone, SMS, and mobile PUSH networks. These technologies have the most potential to improve existing account recovery systems, while providing a fairly cost effective solution to support at scale.

Biometric account recovery remains a niche, but with the mainstream use of fingerprint in the iPhone, and other clever uses for voice authentication , biometric account recovery is also clearly on the rise.

Article resource - http://thegluuserver.wordpress.com/2014/05/16/how-to-benchmark-ox-for-a-large-scale-deployment/