Two-Factor Authentication: What a Long, Strange Trip It's Been
Derek Brink
MAY 16, 2013 08:00 AM

If you're not old enough to relate to the musical reference in the title, you may also not be old enough to know that two-factor authentication didn't just become fashionable in the last couple of months – as you might otherwise surmise based on announcements (both actual, and rumored) by Twitter, Microsoft, WordPress, Apple, Dropbox, Facebook, Google and others.

In general, factors for end-user authentication include:

  • Something you know (such as a PIN)
  • Something you have (such as a phone, a card or a token)
  • Something you are (such as a voice or finger biometric)
  • Something you do (such as typical patterns of behavior, or the unique dynamics of end-user typing on a keyboard)

One-time passwords (OTP) are the classic example of two-factor end-user authentication, because they combine something the end-user knows (typically a personal identification number, or PIN) with something they have (traditionally a standalone hardware device referred to as a token, which generates a pseudo-random number every 60 seconds or at the push of a button). The combination of these two factors — PIN plus one-time password — creates a unique login credential that is valid for a single use. Our ATM cards are an even more familiar example.

You might be interested to know that the first enterprise use case for one-time password tokens was not in IT Security, but in Physical Security: human guards had to stop and enter the digits from their one-time password tokens at pre-determined locations on their appointed rounds, and the entered values were compared with the values expected by time-synchronized back-end servers. If a guard was at the right place within an acceptable window of the right time, all was well.
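The two preceding paragraphs describe the mechanics in prose: a token and a back-end server share a secret and a clock, the token emits a fresh code every 60 seconds, the server accepts a code only within a window around its own notion of the time, and a PIN plus code pair is good for a single use. The following is an added example, not the article's code and not RSA's proprietary SecurID algorithm (which the article does not describe); it stands in a standard HMAC-based time-step OTP in the style of RFC 6238, with assumed parameters of a 60-second step, six digits and a tolerance of one step in either direction. The seed value is the published RFC 4226 test-vector secret, used here only so the outputs are reproducible.

```python
import hashlib
import hmac

STEP_SECONDS = 60   # the article's "every 60 seconds" token cadence
DIGITS = 6          # assumption: six-digit codes
WINDOW_STEPS = 1    # assumption: accept codes one step early or late (clock drift)

# Constructed demo seed: the RFC 4226 test-vector secret, not a real token's seed.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based OTP (RFC 4226 dynamic truncation) for one counter value."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """What the token displays: the HOTP of the current time step."""
    return hotp(secret, unix_time // step)


class OtpVerifier:
    """Server side: checks PIN + code, tolerates drift, and enforces single use."""

    def __init__(self, secret: bytes, pin: str,
                 step: int = STEP_SECONDS, window: int = WINDOW_STEPS):
        self.secret = secret
        self.pin = pin
        self.step = step
        self.window = window
        # Highest time-step counter already accepted; a code is never accepted
        # for a counter at or below this, which is what makes each code single-use.
        self.last_counter = -1

    def verify(self, credential: str, unix_time: int) -> bool:
        # Credential format assumed here: PIN digits immediately followed by the code.
        if len(credential) != len(self.pin) + DIGITS:
            return False
        submitted_pin = credential[:len(self.pin)]
        submitted_code = credential[len(self.pin):]

        # Factor 1: something you know. Constant-time compare avoids a timing leak.
        if not hmac.compare_digest(submitted_pin, self.pin):
            return False

        # Factor 2: something you have. Try the server's current step and the
        # neighbouring steps inside the acceptable window.
        now_counter = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = now_counter + delta
            if candidate <= self.last_counter:
                continue  # already consumed, or older than something already accepted
            if hmac.compare_digest(hotp(self.secret, candidate), submitted_code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    verifier = OtpVerifier(DEMO_SECRET, pin="1234")
    code = totp(DEMO_SECRET, 100)          # token display at t=100s (step 1)
    print("first use: ", verifier.verify("1234" + code, 100))   # True
    print("replay:    ", verifier.verify("1234" + code, 130))   # False, single use
```

The `last_counter` field is the part that turns "valid for a single use" into an enforced property rather than a description: once a step has been accepted, neither that code nor any earlier one is accepted again, so an attacker who shoulder-surfs a code gets nothing from replaying it. Widening `window` trades tolerance of clock drift against the number of codes that are simultaneously acceptable.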

For many years — and to this day — two-factor authentication has been the established best practice for providing stronger authentication than traditional passwords in remote access scenarios, such as VPN or SSL VPN.

But in the realm of consumer authentication, two-factor authentication always seemed elusive. Who remembers the AOL Passcode (I had one), circa 2004? Or the E*TRADE Digital Security ID (I had one of these, too), circa 2005? Probably not very many do remember, because they were not very successful. Eventually, RSA Security (the dominant provider of one-time password tokens) acquired Cyota as the basis of under-the-covers, heuristic, "adaptive" authentication for consumer-oriented applications — a category of solution that is stronger than passwords, low cost and invisible to end-users.

But starting a couple of years ago, and accelerating over the last couple of months, two-factor authentication in consumer scenarios is suddenly in high fashion. For example:

A couple of things seem pretty clear to me. One is that in addition to getting their internal houses in order with respect to protecting passwords and other private consumer information — see Evernote, 50M Passwords, and the Law of Demos (15 March 2013) for the latest of several blogs on this topic — leading companies are also taking steps that are directly visible to the consumer. Loss of consumer confidence does have a cost.

Another is that marketing people have gotten a hold of a time-honored phrase like "two-factor authentication", and are rapidly twisting it into as many variations as there are solutions. Marketing-created consumer confusion has a cost, too, but that will be the topic for another blog.

In general, this flurry of consumer-oriented options for stronger authentication is great news for those of us who have been pointing out for years that passwords are not secure, not convenient, and definitely not free. At the same time, how long before consumers bump up against the same problems that enterprise end-users encountered many years ago? Managing multiple authentication solutions for multiple sites; continuing to manage passwords because not all sites are integrated with stronger authentication; problems with emergency access due to lost, forgotten or stolen mobile devices; vulnerabilities with emergency access and resets based on self-service security questions; etc.

Like the song says, "takes time, you pick a place to go, and just keep truckin' on."

by Derek Brink
Vice President and Research Fellow
IT Security
