It is universally agreed that two-factor authentication (2FA) is safer than the username/password mechanism. Google even reports that enrolling accounts in 2FA cut account compromises by 50%. We can’t say that username/password has “served us well in the past”, yet the move to two-factor authentication has been painfully slow. Why is that?
What exactly is two-factor authentication (2FA)?
Let’s recap on what exactly two-factor authentication entails, and why it is such a good idea.
Ideally, we should authenticate with two completely distinct pieces of evidence, chosen from the triple of:
- what we know
- what we have
- who we are
That could be a combination of two out of (respectively):
- traditionally a memorised password, though a simple PIN will suffice
- a hardware token (a store for a blob of data)
- a high-definition biometric
A sound two-factor scheme proves possession of these pieces of evidence without handing any of them over to the other party. Doing so would leave you wide open to a simple phishing attack. That’s why none of the pieces of evidence should ever leave your possession.
Distributing our proof of identity in this way has proven to be a very powerful deterrent to attackers. In fact, distributing secrets is a well-known and intuitively sound idea with much wider application. It is summed up in the old adage “don’t put all your eggs in one basket”. It is an approach that should be more widely deployed, because it avoids the dreaded “single point of failure” (SPOF): a design flaw where the failure of one part stops the entire system from working. That is exactly why SPOFs are so attractive to attackers.
Why does two-factor authentication work so well?
Primarily because an attacker needs to solve two completely distinct problems in order to succeed. A method that can be used to extract a blob of data from a token will not work when it comes to extracting a PIN from someone’s brain.
Another benefit is that each factor protects the other. The PIN is completely useless without the blob of data, the blob of data doesn’t get you anywhere without the PIN.
What is the problem with 2FA?
Bluntly put, the problem is that no sound simultaneous two-factor authentication schemes yet exist, with just one exception.
But, I hear you protest, there are in fact far too many two-factor authentication schemes out there. Nope. They are not really two-factor schemes.
It is much easier to fake two-factor authentication than to implement it properly: use a single factor, then protect access to it with a second one. We call this two-step (or multi-step) authentication. The result is a hierarchy of factors, not a pair of truly independent factors: the second factor never takes part in the proof sent to the server, it only unlocks the first.
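The difference between a hierarchy of factors and a pair of independent factors is easier to see in code. The following is an added illustration, not MIRACL’s protocol or any vendor’s: two toy schemes sharing one HMAC-based proof of possession, differing only in how the client stores its half of the evidence. In the two-step toy the PIN unlocks a vault holding the whole secret, and the vault’s integrity tag tells an attacker who steals it whether a PIN guess was right, so a 4-digit PIN falls out offline and the recovered secret then authenticates with no PIN at all. In the two-factor toy the device holds only an additive share and the PIN supplies the other; any PIN produces some candidate secret and nothing on the device can say which is right, so the attacker has to ask the server, which counts and refuses. The hash-based PIN “KDF”, XOR+HMAC vault, 4-digit PIN and 3-attempt lockout are assumptions chosen for a short demonstration, not recommendations.

```python
"""Two-step versus single-step two-factor: where can a PIN guess be checked?

Added illustration, not MIRACL's or any vendor's protocol. Toy choices, labelled
as such: SHA-256 as the PIN "KDF", XOR+HMAC as the vault cipher, a 4-digit PIN,
a server lockout after 3 failures.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional

MOD = 1 << 256                                      # additive shares live in Z / 2^256
PIN_SPACE = [f"{i:04d}" for i in range(10_000)]     # every 4-digit PIN


def pin_key(pin: str, salt: bytes) -> bytes:
    # Toy KDF. A slow KDF multiplies the attacker's cost; it does not remove the oracle.
    return hashlib.sha256(salt + pin.encode()).digest()


def proof(secret: bytes, challenge: bytes) -> bytes:
    """Proof of possession sent to the server: HMAC(secret, challenge)."""
    return hmac.new(secret, challenge, "sha256").digest()


# ---------- two-step: PIN -> vault -> secret ----------
def two_step_enrol(secret: bytes, pin: str) -> dict:
    salt = os.urandom(16)
    key = pin_key(pin, salt)
    ct = bytes(a ^ b for a, b in zip(secret, key))         # toy stream cipher
    tag = hmac.new(key, ct, "sha256").digest()              # integrity tag = offline PIN oracle
    return {"salt": salt, "ct": ct, "tag": tag}


def two_step_unlock(vault: dict, pin: str) -> Optional[bytes]:
    key = pin_key(pin, vault["salt"])
    expected = hmac.new(key, vault["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None                                         # the vault itself rejects a bad PIN
    return bytes(a ^ b for a, b in zip(vault["ct"], key))


def two_step_offline_attack(vault: dict) -> Optional[str]:
    """Stolen vault, no server: the tag answers every guess, so the PIN falls out.
    Once opened, the secret alone produces valid proofs; the PIN is never needed again."""
    for guess in PIN_SPACE:
        if two_step_unlock(vault, guess) is not None:
            return guess
    return None


# ---------- two-factor: device share + PIN share -> secret ----------
def two_factor_enrol(secret: bytes, pin: str) -> dict:
    salt = os.urandom(16)
    pin_share = int.from_bytes(pin_key(pin, salt), "big")
    device_share = (int.from_bytes(secret, "big") - pin_share) % MOD
    return {"salt": salt, "share": device_share}


def two_factor_combine(token: dict, pin: str) -> bytes:
    """Every PIN yields *some* 32-byte secret; only the server can tell which is right."""
    pin_share = int.from_bytes(pin_key(pin, token["salt"]), "big")
    return ((token["share"] + pin_share) % MOD).to_bytes(32, "big")


class Server:
    """Holds the full secret, verifies proofs and counts failures (toy lockout)."""
    def __init__(self, secret: bytes, max_failures: int = 3):
        self.secret, self.max_failures, self.failures = secret, max_failures, 0

    def challenge(self) -> bytes:
        return os.urandom(32)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if self.failures >= self.max_failures:
            return False                                    # locked: no more guesses served
        ok = hmac.compare_digest(proof(self.secret, challenge), response)
        self.failures = 0 if ok else self.failures + 1
        return ok


def two_factor_online_attack(server: Server, token: dict) -> Optional[str]:
    """Stolen device share, no PIN: each guess costs a round trip and the server
    stops answering after max_failures, so the search dies long before 10^4."""
    for guess in PIN_SPACE:
        c = server.challenge()
        if server.verify(c, proof(two_factor_combine(token, guess), c)):
            return guess
        if server.failures >= server.max_failures:
            return None
    return None


def demo() -> dict:
    secret, pin = secrets.token_bytes(32), "4821"           # constructed sample enrolment
    vault, token, srv = two_step_enrol(secret, pin), two_factor_enrol(secret, pin), Server(secret)
    c = srv.challenge()
    return {
        "two_step_pin_recovered_offline": two_step_offline_attack(vault) == pin,
        "two_factor_correct_pin_accepted": srv.verify(c, proof(two_factor_combine(token, pin), c)),
        "two_factor_wrong_pin_rejected": not srv.verify(c, proof(two_factor_combine(token, "0000"), c)),
        "two_factor_share_alone_useless": two_factor_online_attack(Server(secret), token) is None,
    }
```

Two caveats a practitioner should take from the toy rather than from its name. First, the two-factor half only holds up because nothing the attacker can steal from the device verifies a PIN guess; the proof here is a deterministic HMAC, so a captured (challenge, response) pair would reintroduce an offline oracle, and a deployable scheme needs a proof that only the server can check. Second, the server in the toy holds the whole secret, which is the kind of single point of failure the article warns about; the structural point (no local PIN oracle, every guess costs a server round trip) is what matters, not this particular verifier.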
What about FIDO?
The industry-leading solution here is FIDO (Fast Identity Online). The FIDO Alliance, a non-profit organisation, aims to standardise authentication at the client and protocol layers. Here, a single cryptographic secret (a blob of data) is protected by a PIN or a biometric inside an authenticator, and the resulting credential is what the industry now calls a passkey. With passkeys, users can authenticate without entering a username, password, or any additional authentication factor.
Note that the scheme relies on secure hardware, in a security key or built into the device, to keep the secret from leaving the authenticator. But the real problem is that the blob of data is not useless without the PIN: the PIN only gates access to it, so the blob on its own is sufficient to break the scheme.
The same is true for most if not all other 2FA on the market.
We challenge you to look at competing schemes and identify whether they are truly two-factor or merely two-step.
A true single-step 2FA scheme
Since true two-factor schemes are so rare, it is hard not to fall back into two-step thinking. It’s easy to forget that the factors are already sufficient protection for one another and to further protect individual factors by layering on more steps of protection. We might be tempted to protect our PIN or password in a password manager, access to which requires yet another secret. Or we might secure our blob of data by keeping it in some kind of secure hardware storage.
Don’t go there! If the scheme is truly two-factor, the factors protect one another. Adding further steps just creates friction in the user experience while adding little in terms of security. That friction costs companies revenue: friction in the checkout process accounts for nearly 40% of cart abandonment, and the 10% failure rate for passwords isn’t only annoying, it costs companies a lot of revenue.
So, which is the one true two-factor scheme? MIRACL requires only a single step to log you into the system. It blocks phishing, credential stuffing, password spraying, replay and man-in-the-middle attacks. With the highest login success rate in the industry and costs around one tenth of the industry norm, you will not only increase overall safety but revenue too.
There are also internal advantages: over 20% (and as high as 70%!) of helpdesk time is spent on password resets. Imagine what your IT team could do with that time! MIRACL works with every system, so no additional hardware is required.
You can find out how much your company could boost its revenue with our handy MIRACL calculator. Check it out, go true two-factor, and relax.