Is two-factor the savior for secure logins?

The rise in interest around two-factor authentication among embattled online service providers may look like the solution to securing end-user logins, but it is only one piece of a long-term project, according to a pair of security experts.

Just last week, Evernote became the latest service provider to commit to offering a two-factor authentication option to its end-users. A hack of the company's systems forced it to reset 50 million passwords.

Already, Facebook, Google, Dropbox, Amazon, Microsoft, PayPal, and Yahoo are committed to two-factor authentication options for end-users.

Twitter, which was hacked last month and lost 250,000 passwords, is under pressure to join the group and offer two-factor authentication, which is the addition to the common password of a second piece of identification in order to gain access to computer resources.

There is no question that forms of two-factor authentication can increase security around end-user logins, but by itself, a two-factor system is not a universal remedy.

"This is an incremental win, and it is generally good that [this interest in two-factor authentication] is happening," said Gunnar Peterson, managing principal at Arctec Group. "Initial authentication needs to get stronger, but for sure, it is not a panacea."

Peterson pointed that out two-factor is not new. The security technique is not in question, but historically, users often became burdened with its extra steps, and lost or forgot hardware tokens, which drove abandonments or creative workarounds.

Many providers, such as Evernote and Google, offer two-factor only as an option, not a mandate. So despite all their efforts, the tightening of the security screw is left to the proverbial weakest link in the chain, the end-user.

But Peterson said that it's a positive development that service providers are getting creative in using techniques such as SMS and smartphones, devices that users want to carry and that help two-factor scale.

"It's nice to see that some of these hurdles are being cleared," he said. But today, there is a lot of "silver bullet frenzy" around the topic.

Jeff Stollman, principal at Secure Identity Computing, said the details around two-factor authentication are not always clearly explained, and that leads to poor decisions.

"Deployment is often pushed by regulators, but how it should be done is not defined," he said.

In-band factors, such as answering security questions, are notably weak, given that they are prone to man-in-the-middle attacks. And answers to the personal questions they ask often can easily be discovered online or in social media accounts.

"Two factor needs to be out-of-band; either a token or a mobile phone," said Stollman. On a scale of one to 10, if authentication is a one, out-of-band two-factor can increase security to a three or a four, he said.

With these methods, users are sent a code to enter to complete login or they acquire a token, a bit of data to prove who they are, that is presented to complete authentication.

Of course, mobile devices are a blessing and a curse. They diminish out-of-band methods, given that users may be logging into services via their phone, therefore, negating the second factor

"The smartphone has the ability to simultaneously weaken two-factor because you are going to be using Facebook, Google, Twitter from that device, and is that really another factor if you are pushing your credential back through it," said Peterson. "Just because that happens on another channel, is that really as secure as something like a smart card."

The two-factor movement is also being pushed by the fact that companies don't have to dramatically change or update infrastructure to enable the technology.

"Evernote can roll changes out without re-doing its entire site or re-doing its entire API," said Peterson. "It's an isolated change that offers a lot of security for a little bit of work, and that is always a good thing."

But there are other factors to consider, especially around infrastructure for service providers, such as how accurate is their initial identity proofing on the front-end. Also, what have they changed in their backend plumbing to address any session management problems, data leakage, SSL implementation errors, or inaccurate authorization data that could lead to a host of vulnerabilities.

Peterson likened it to installing a bright new shiny sink and connecting it to 110-year-old plumbing.

"I would prefer people target the structural and strategic problems as well," he says.

He mentioned techniques such as risk-adaptive access control that recognize use and behavior, along with fraud and attack models that drive intelligence into authentication and authorization tools.

And he said device features such as GPS or geo-location could be resources to help improve authentication from the client side. Even techniques like shaking the phone or speech recognition could provide an identifying factor.

To wit, two-factor hasn't proven that it is excused from human error or human manipulation. Researchers found holes in Google's two-factor system based on a number of integrations gone wrong across the backend of its services. And the infamous foundation shaker in 2011 — the RSA Secure ID hack — began with phishing on the client side, and ended with previously unimaginable exploits on the backend.

"The way security works is we raise the bar and the hackers try to jump over it," said Peterson.

"Does two-factor raise the bar? It raises it some percent, but do I think that hackers will not be able to clear that bar? No, I think they will still be able to clear it."

But it doesn't mean that two-factor authentication won't push the ball forward.