The present and future of two-factor authentication (2FA)

Fraud figures continue to rise year on year. A report by Juniper estimates the cost of cyber-attacks is set to reach $2.1 trillion globally by 2019.[1] According to Symantec, an authority in cybersecurity, 80% of data breaches could have been averted with two-factor authentication (2FA),[2] a recommended best practice for protecting sensitive data. 2FA is also sometimes required by law when handling and accessing certain types of information, such as Federal Government data and systems in the US, bank accounts, and, soon, due to implementation of the Second Payment Services Directive (PSD2), all online payments across the European Union (EU).

Today even the ‘strongest’ of passwords are not enough by themselves. This is why two-factor authentication and multi-factor authentication have become essential. 2FA is the implementation of two layers of authentication to verify someone’s identity. If the first factor, for instance a password, is compromised, the second factor can still protect the account and its data, decreasing vulnerability throughout the network.

Two-factor authentication was originally developed as an extra layer of security for banking and payment purposes and has since been adopted by email providers, social media and technology services. Tech giants like Google, Facebook, Dropbox, PayPal, Microsoft, Twitter, Instagram and Apple have all adopted two-factor authentication (2FA) as part of the log-in process. Even the White House had a campaign encouraging people to #TurnOn2FA.

The theory of two-factor authentication itself is nothing new. For example, every time we use our debit and credit cards to make a payment we are using 2FA: the card provides the possession factor (something you have) and by entering the card PIN to authenticate the transaction you are providing a knowledge factor (something you know). However, moving this effective process online has proven difficult, since not all types of two-factor authentication are equally secure. Some organisations still use one-time passwords (OTPs), a password that is valid for only one login session or transaction, as an authentication factor in 2FA. For instance, some banks still use them when setting up a new payee and transferring funds. Yet OTPs, particularly those delivered by SMS, can be easily compromised.
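To make the two properties described above concrete (a second factor that still holds if the password is compromised, and an OTP that is valid for exactly one login), here is an added Python example that is not part of the original post and not MYPINPAD code. It implements a counter-based OTP per RFC 4226 (HOTP) with the standard library only, stores the password as a salted PBKDF2 hash, and verifies a login as "password AND fresh OTP". The `Account` class, `login` function and the sample password are assumptions made for the illustration; the OTP secret is the RFC 4226 test-vector secret, chosen so the codes can be checked against the standard.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226).

    HMAC-SHA1 over the 8-byte big-endian counter, then 'dynamic truncation':
    take 4 bytes at the offset given by the low nibble of the last MAC byte,
    mask the sign bit, reduce modulo 10^digits.
    """
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class Account:
    """Illustrative account record holding both factors (assumed structure)."""

    PBKDF2_ROUNDS = 100_000

    def __init__(self, password: str, otp_secret: bytes) -> None:
        # Knowledge factor: never store the password, only a salted PBKDF2 hash.
        self._salt = secrets.token_bytes(16)
        self._pw_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, self.PBKDF2_ROUNDS)
        # Possession factor: shared secret held by the user's token/app.
        self._otp_secret = otp_secret
        # Next counter value the server will accept; every accepted code moves it forward.
        self._counter = 0

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, self.PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self._pw_hash)

    def consume_otp(self, code: str, look_ahead: int = 3) -> bool:
        """Accept a code only once: on success the counter jumps past it.

        A small look-ahead window tolerates a user who generated a code and
        did not submit it; earlier (already used) counters are never re-tried,
        which is what makes a captured code worthless after one login.
        """
        for c in range(self._counter, self._counter + look_ahead):
            if hmac.compare_digest(hotp(self._otp_secret, c), code):
                self._counter = c + 1
                return True
        return False


def login(account: Account, password: str, code: str) -> bool:
    """Both factors must pass. The OTP is only consumed when the password is right,
    so a wrong-password attempt does not burn a valid code."""
    if not account.check_password(password):
        return False
    return account.consume_otp(code)


if __name__ == "__main__":
    # RFC 4226 test-vector secret; first codes are 755224, 287082, 359152, ...
    secret = b"12345678901234567890"
    acct = Account("correct horse battery staple", secret)  # constructed sample password
    print("wrong password, right code :", login(acct, "hunter2", hotp(secret, 0)))
    print("right password, right code :", login(acct, "correct horse battery staple", hotp(secret, 0)))
    print("replay of the same code    :", login(acct, "correct horse battery staple", hotp(secret, 0)))
    print("next code                  :", login(acct, "correct horse battery staple", hotp(secret, 1)))
```

The third call is the one that matters for the OTP property: the same six digits that just succeeded are rejected, because the server's counter has moved past them. Note that this protects against replay of a code, not against a phishing page that relays a freshly typed code in real time, which is part of why the post treats SMS-delivered OTPs as a weak second factor.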

Fortunately, the banking and payments industry is moving away from the use of one-time passwords (OTPs) and SMS verification, replacing these with authentication methods that instead combine stronger factors, like PIN and biometrics.

New payments and banking regulations in Europe, such as PSD2 and the new Regulatory Technical Standards (RTS) from the European Banking Authority (EBA), are also leading the way and pushing for ‘Strong Consumer Authentication’ (SCA) methods.

Today, the best way to protect the confidentiality of the authentication data is by implementing all three types of independent credentials: something you know (PIN), something you have (the device) and something you are (biometrics). From future-proofed solutions like PIN to innovative biometrics, safer and more convenient choices will do away with vulnerabilities. The way forward is keeping multi-factor authentication at the heart of all security processes.

If you want to know more about MYPINPAD’s proposition regarding multi-factor authentication, check out our website and learn more about our products.

[1] https://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/

[2] https://www.symantec.com/content/en/uk/enterprise/other_resources/b-is-your-data-safe-security-non-compliance-infographic-21330416-UK.pdf