Few companies have adopted multi-factor authentication to provide another layer of security against fraudsters because of the fear that consumers will abandon this extra step.
Multi-factor or two-factor authentication occurs when companies require customers to enter a one-time code to access a bank, credit card or even social media website to verify their identity during the log-in process. Many companies give consumers the option to receive the numerical code via text or email, but this validation process has loopholes that hackers can exploit.
Companies are lax in implementing two-factor authentication systems because of the added cost and the "complacency factor in that businesses do not feel it's necessary to go through the trouble of setting this up or they may even feel that it's the customer's responsibility and not theirs to avoid getting hacked," said Jason Glassberg, co-founder of Casaba Security, a Redmond, Va.-based white hat hacking firm.
This extra layer of protection is not foolproof because companies can deploy it incorrectly, customers make mistakes using it, and hackers are always one step ahead, attempting to undermine or bypass it, he said.
While this authentication is common in corporate environments, it is not widely used by banks or credit card companies even though it would be easy to roll into the development of normal updates or feature releases, said Nathan Wenzler, principal security architect at AsTech Consulting, a San Francisco-based independent security consulting company.
The adoption rate would increase if more companies required their users to download an app, but many consumers are complacent, still use simple passwords and change them only when forced to, because it is viewed as a hassle, he said.
"A company could face a great deal of resistance and possibly even a complete stoppage of website use by their customers simply because the process will seem too unwieldy and complicated for the services returned," Wenzler said. "This causes more account lockouts and customer complaints and can increase overall costs for the company to support these issues."
Two-factor authentication should be "mandatory," especially when companies hold highly sensitive data such as health and financial records, which can be used maliciously if a cyber criminal obtains them, said Joseph Carson, head of global alliances at Thycotic, a Washington D.C.-based provider of privileged account management (PAM) solutions.
"Putting two locks on the door to your sensitive data is better than having a simple password that could easily be cracked via a brute force attack or social engineering," he said.
Many consumers are still confused and do not use two-factor or multi-factor authentication correctly, said Chris Roberts, chief security architect at Acalvio, a Santa Clara, Calif.-based provider of advanced threat detection and defense solutions.
"Those that do, still rely on the two-factor as being 'secure' whereas they forgot to update their antivirus software or they are using their browser of choice without patches," he said. "Then they wonder why there are four flavors of malware, keyloggers and other things on their computer or mobile phone that simply take the data despite two-factor authentication being used."
Types of Multi-factor Authentication
Multi-factor authentication comes in various forms, ranging from physical items such as a USB key or a secure token to a simple method where a PIN or password is texted to your mobile phone. Other companies use biometrics such as fingerprint or voice.
Graduating from minimal security such as a code sent to your phone would improve security, said Roberts.
A soft or hard token is often not the solution because RSA tokens are $30 to $70 each and 25% to 50% are lost each year, he said. A one-time text message sent to a smartphone every time a consumer logs in would be problematic and the number of complaints could be exponential.
Why Companies Add Biometrics
While multi-factor authentication is available even for social media companies such as LinkedIn and gives people peace of mind that there is more security, it is not infallible and is merely another hurdle for hackers, said Mary Ann Miller, a senior director and fraud executive advisor for NICE Actimize, a New York-based financial crime software solutions provider.
Although receiving a one-time code on your mobile or email sounds like a great way to prevent fraud, the hackers could have already accessed your cellular account and manipulated its information to redirect email or text messages to a cloned phone or address, she said.
Hackers only need to log into your mobile account and the consumer "will never know," Miller said.
"Mobile has become the soup du jour for authentication, but it is not a silver bullet and has its pros and cons," she said.
Giving consumers or employees more than one minute to type in the one-time passcode also increases the odds that hacking can occur, said Glassberg.
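The validity window Glassberg refers to is a server-side decision. The following Python is an added illustration, not code from the article or from any of the companies quoted; it shows a one-time code that expires after 60 seconds (an assumed value matching the "one minute" above), is consumed on first successful use, and locks after a small number of wrong guesses. The class name, the attempt limit and the injectable clock are choices made for this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed validity window: the article's point is that anything beyond
# roughly a minute widens the attacker's opportunity to use a stolen code.
CODE_TTL_SECONDS = 60
MAX_ATTEMPTS = 3          # assumed limit on wrong guesses per issued code


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class OneTimeCodeStore:
    """Issues and verifies short-lived, single-use numeric codes (hypothetical helper)."""

    def __init__(self, ttl=CODE_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock        # injectable clock so expiry behaviour can be tested
        self._pending = {}        # user_id -> PendingCode

    def issue(self, user_id):
        # secrets.randbelow draws from the OS CSPRNG; zero-pad to six digits.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = PendingCode(code, self.clock())
        # The code is returned here only so the caller can deliver it
        # out-of-band (SMS, email, app); it must never reach the browser session.
        return code

    def verify(self, user_id, submitted):
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self.clock() - entry.issued_at > self.ttl:
            # Expired: discard so a late-arriving stolen code is useless.
            del self._pending[user_id]
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            # Too many guesses: invalidate rather than let an attacker brute-force.
            del self._pending[user_id]
            return False
        # Constant-time comparison avoids leaking how many leading digits matched.
        ok = hmac.compare_digest(entry.code, submitted)
        if ok:
            del self._pending[user_id]     # single use: consumed on success
        return ok
```

Three properties do the work here: the code cannot be replayed after a successful login, it cannot be used after the window closes even if intercepted, and guessing is capped so a six-digit space is not searchable.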
"A company's security measures also shouldn't stop with two-factor authentication or 2FA," he said. "Since mobile devices will be increasingly hacked in the years ahead, businesses need to anticipate this and check for unusual login activity, whether it's a new IP address or an unrecognized device."
Many organizations that use multi-factor authentication could improve their security and lower their risk. Sending a PIN to a shared email, primary email, secondary email or via text is a method that hackers can exploit and intercept easily, said Carson.
Stronger methods of multi-factor authentication such as a secure token, USB key or an authenticator app lower the risk and "makes the work of the hacker much more difficult," he said.
Another level of security can easily be attained by adding alerts and notifications for account activity, Carson said.
"This will provide the level of behavior patterns so if you do somehow get hacked you will know and you can reduce the impact or prevent any malicious activity from occurring," he said.
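Glassberg's advice to check for a new IP address or an unrecognized device, and Carson's point about alerting on account activity, describe the same control seen from two sides. The Python below is an added example and not code from the article or the firms quoted; it keeps a per-user baseline of seen IPs and device identifiers, requires a stronger factor when a device is unrecognized, and raises a notification when activity comes from a new address. The login events, the device identifiers and the action names are all constructed for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LoginEvent:
    user: str
    ip: str
    device_id: str     # assumed: a cookie-bound device identifier set at enrollment
    success: bool


@dataclass
class Verdict:
    user: str
    new_ip: bool
    new_device: bool
    action: str        # one of: ignore, enroll, allow, alert, step_up


class LoginMonitor:
    """Hypothetical post-authentication check: compares each successful login
    against what has been seen for that user before."""

    def __init__(self):
        self.known_ips = defaultdict(set)
        self.known_devices = defaultdict(set)
        self.alerts = []            # notifications to send to the account owner

    def _record(self, ev):
        self.known_ips[ev.user].add(ev.ip)
        self.known_devices[ev.user].add(ev.device_id)

    def evaluate(self, ev):
        if not ev.success:
            # Failed attempts never extend the baseline.
            return Verdict(ev.user, False, False, "ignore")
        if not self.known_devices[ev.user]:
            # No history yet: the first successful login becomes the baseline.
            self._record(ev)
            return Verdict(ev.user, True, True, "enroll")
        new_ip = ev.ip not in self.known_ips[ev.user]
        new_dev = ev.device_id not in self.known_devices[ev.user]
        if new_dev:
            # Unrecognized device: demand a stronger factor before trusting it,
            # and tell the owner so a hijacked session is noticed quickly.
            self.alerts.append(f"{ev.user}: login from unrecognized device "
                               f"{ev.device_id} at {ev.ip}")
            return Verdict(ev.user, new_ip, True, "step_up")
        if new_ip:
            # Known device from a new address: allow, but notify and remember it.
            self.alerts.append(f"{ev.user}: login from new IP {ev.ip}")
            self._record(ev)
            return Verdict(ev.user, True, False, "alert")
        return Verdict(ev.user, False, False, "allow")

    def trust_device(self, ev):
        """Call only after the step-up factor succeeded for this event."""
        self._record(ev)


# Constructed sample events (documentation-range addresses, made-up device ids).
SAMPLE_EVENTS = [
    LoginEvent("alice", "203.0.113.10", "dev-a1", True),   # first login: baseline
    LoginEvent("alice", "203.0.113.10", "dev-a1", True),   # same as baseline
    LoginEvent("alice", "198.51.100.7", "dev-a1", True),   # known device, new IP
    LoginEvent("alice", "198.51.100.7", "dev-zz", True),   # unknown device
    LoginEvent("bob",   "192.0.2.5",    "dev-b1", False),  # failed attempt
]


def run_monitor(events):
    """Evaluate events in order; returns (actions, alerts) for inspection."""
    monitor = LoginMonitor()
    actions = [monitor.evaluate(ev).action for ev in events]
    return actions, monitor.alerts
```

The alert list is what Carson calls the "level of behavior patterns": even when the second factor is defeated, the owner learns of the login and can act. Whether a new device means a step-up prompt or only a notification is a policy choice; the example picks the stricter option for devices because that is where a cloned phone or a stolen session shows up.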
Voice and facial biometrics are gaining traction, but consumers may not welcome them readily.
"They all need to be supported and installed to the lowest common denominator for people who use a 'normal' cell phone and don't know what to do," Roberts said.