There is a lot of two-factor authentication in the real world, even if most of the authentication in our computer lives relies only on a username and password.
When you see news of a security breach or a list of passwords exposed, odds are that somewhere in the story of how it happened the attack would have been blocked — or at least made much more difficult — if two factor authentication had been employed.
At the gates of Disney World, pictured here, you will need to present both your NFC card "ticket" and a fingerprint associated with it. The fingerprint prevents you from passing your ticket on to other people.
In the pages that follow, we will examine six two-factor authentication methods that are available in the real world, although some are used more than others.
(Image ZDNet/CBS Interactive Inc.)
EMV (EuroPay/MasterCard/Visa) is the name of a standard for smart payment cards long in effect outside the US, and known in the UK and Ireland as Chip and PIN. Because of mandates by MasterCard and VISA in the US, adoption of EMV should move rapidly in the next few years.
Even an old-style magswipe ATM card is technically two-factor since you have to have both the card and PIN, but for many reasons this has proven a low barrier to criminals who capture PINs with a camera as they skim the magnetic strip on its way into the device.
EMV cards have a crypto chip in them so there's no simple way to skim them in order to sell copies. EMV doesn't have much application in mainstream computing authentication, but it will have a big impact on the US and perhaps will generate an appreciation for the benefits of two-factor authentication.
(Image courtesy visa.com)
The Disney "ticket" card on the home page of this article has a passive RFID chip in it which is read by a device inside the orb thing with the Mickey light on it. The user also has to provide a fingerprint associated with that card. Both factors are "things you have," but one of them is a fingerprint, so it's pretty strong authentication. Below is a demonstration.
Visitors at the park can also use one of the Disney MagicBands, pictured above on the left. These devices are not simple, passive RFID, but NFC (Near Field Communications) devices with a processor and power source in them. Disney lets you use these bands for other purposes, such as a hotel room key or to pay for items in stores.
This same NFC two-factor authentication is available for business applications from companies like AuthEntry, with the second factor being a PIN rather than a fingerprint. The wrist band doesn't look like as much fun as Disney's but it's the same basic idea.
Many modern smartphones contain NFC chips, making them excellent candidates for authentication devices, either as a sole or second factor. Unfortunately, Apple has not put NFC in the iPhone, which is one big reason NFC authentication has not proved popular.
(Image courtesy Disney World, AuthEntry)
Yes, we already mentioned fingerprints, but they have a pretty long history as a second factor in computing, as seemingly the ultimate example of "something you have." But the scanners can be a pain at times to configure. Older, cheaper scanners can be fooled with photographs.
As they so often do, Apple set a new standard for ease of configuration and use with the Touch ID in the iPhone 5S. Fake fingers are possible with Touch ID, but only with non-trivial cost and effort, at least for now.
In order to be an effective second factor, a fingerprint reader doesn't need to have death penalty trial levels of accuracy. So it may be that Disney (and even Apple) are not checking enough of the print to rule out the rest of humanity. This is OK.
There is another problem with fingerprints: they are immutable. If your fingerprint were somehow compromised, say if someone went to the trouble of faking it, Apple can't send you a new one (although you may have nine others left).
(Image courtesy Apple, AuthEntry)
The simplest way to use a smartphone as an authentication factor is to send a text message to it with a code. The user must enter that code in order to prove that they have the phone on record for the account. That works even with a dumb feature phone.
But being as smart as they are, smartphones allow a wealth of two-factor options. Push notifications are a popular mechanism for sending codes to smartphones, as shown in the DuoSecurity screens above.
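What the server side of an SMS or push code challenge has to get right is rarely spelled out, so here is an added example (not code from any of the vendors named in this article). It assumes a hypothetical `ChallengeStore` that hands the generated code to whatever delivery channel you use; the gateway itself is not modelled. The details that matter for a defender are all present: the code comes from a cryptographically secure generator, only a salted hash of it is stored, it expires after a few minutes, it is consumed on first success, and a handful of wrong guesses burns it so the six-digit space cannot be searched.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a code sent by SMS or push is only good for a few minutes
MAX_ATTEMPTS = 5         # six digits is only a million possibilities; cap guesses hard


def _digest(salt, code):
    """Salted SHA-256 of the code, so a leaked table does not expose live codes."""
    return hashlib.sha256(salt + code.encode()).digest()


class ChallengeStore:
    """Server-side record of outstanding codes, keyed by account id (hypothetical helper).

    A replaceable clock is taken so expiry can be exercised without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # account_id -> {salt, digest, expires, attempts}

    def issue(self, account_id):
        """Create a fresh code for the account and return it for delivery.

        Re-issuing replaces any earlier outstanding code for that account.
        """
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        salt = secrets.token_bytes(16)
        self._pending[account_id] = {
            "salt": salt,
            "digest": _digest(salt, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, account_id, submitted):
        """Return True exactly once if `submitted` matches an unexpired challenge.

        The challenge is discarded on success, on expiry, or after MAX_ATTEMPTS
        failures, whichever comes first.
        """
        rec = self._pending.get(account_id)
        if rec is None:
            return False
        if self._clock() > rec["expires"]:
            del self._pending[account_id]
            return False
        rec["attempts"] += 1
        # Constant-time comparison: do not leak which digits matched.
        ok = hmac.compare_digest(rec["digest"], _digest(rec["salt"], submitted))
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[account_id]
        return ok


if __name__ == "__main__":
    store = ChallengeStore()
    code = store.issue("alice")          # in practice: hand `code` to the SMS/push gateway
    print("sent code", code)
    print("wrong guess accepted?", store.verify("alice", "000000" if code != "000000" else "111111"))
    print("right code accepted?", store.verify("alice", code))
    print("replay accepted?", store.verify("alice", code))
```

Because the store keeps only a hash, a successful verification is also the only point at which the plaintext code ever needs to exist on the server, and that is at issue time, for the instant it takes to hand it to the delivery channel.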
Bulk mailer MailChimp has built an extensive smartphone-based two-factor authentication service called AlterEgo to use with their services or to build into your own. AlterEgo comes with the ability to challenge with a randomly generated code from your account, a text message or a push notification. But it also integrates with several external authentication systems, such as Yubikey, Google Authenticator and Duo Security's AuthAPI.
We haven't included the old-school OTP (one-time password) security token, such as those made famous by RSA, in this story because they too are being supplanted by smartphones. The image on the right is Symantec VIP Access app, which turns a smartphone into an OTP token. Why bother distributing and managing security tokens that nobody likes when they can use the smartphone they almost certainly already have?
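The reason a smartphone app can replace a dedicated OTP token is that the token never did anything more than this: both sides hold the same secret and derive a short code from a counter (HOTP, RFC 4226) or from the current 30-second window (TOTP, RFC 6238). The following is an added example written for this article, not code from Symantec, Google or any vendor above, that implements both algorithms from the standard library and shows what the verifier has to allow for, namely a little clock drift. The base32 string it decodes is the RFC 6238 test secret, not a real provisioning key.

```python
import base64
import hashlib
import hmac
import struct
import time


def secret_from_base32(encoded):
    """Authenticator apps are provisioned with a base32 key (the string behind the QR code)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)       # restore padding that apps usually omit
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6, algorithm=hashlib.sha1):
    """RFC 6238: HOTP with the counter taken from the current time window."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits, algorithm)


def verify_totp(secret, submitted, at_time=None, step=30, digits=6, window=1,
                algorithm=hashlib.sha1):
    """Accept the code for the current window or the `window` windows either side.

    A phone whose clock is a few seconds off would otherwise be rejected; keep
    `window` small, since every extra window doubles the number of valid codes.
    A real deployment also records the last accepted counter so a code cannot be
    replayed inside its window (not shown here).
    """
    if at_time is None:
        at_time = time.time()
    current = int(at_time) // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits, algorithm), submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret ("12345678901234567890" in ASCII), base32 encoded.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("HOTP counter 0:", hotp(secret, 0))           # 755224 per RFC 4226
    print("TOTP at t=59, 8 digits:", totp(secret, 59, digits=8))   # 94287082 per RFC 6238
    print("current code:", totp(secret))
```

The constant-time comparison matters here just as it does for SMS codes, and the `window` parameter is the knob that trades user convenience for the size of the guessable set.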
(Image courtesy Duo Security, Symantec)
Smart cards have been around a long time. In fact, the EMV cards described several pages back are smart cards. They were long pushed as a second authentication factor for computing access, but they are only used as such in high-value scenarios.
Just as OTP security tokens can be run in software, so can smart cards. A virtual smart card is a program running on a specific computer; it is made unique to that computer, as a physical smart card is unique, through the TPM (Trusted Platform Module) that is now standard in business-grade computers.
(Image courtesy Microsoft, Wikimedia Commons)
Smart mobile devices all have GPS in them, which creates an interesting authentication test: where is the device? A company might reasonably say that the system should be accessed only from within the United States, or only within a certain facility. This is called geofencing.
Toopher supplies geofencing authentication for mobile applications and integrates into some commercial systems, such as MailChimp, mentioned on the smartphone page earlier. It's a policy for you to choose, but you might decide to automatically authenticate users in a specific location. The University of Texas at Austin, where Toopher was created, recently deployed it for 24,000 faculty and staff.
Microsoft recently added geofencing support as an operating system feature in Windows Phone 8.1.
Geofencing is arguably weak as a second factor, but it's an excellent third factor, and you'd certainly want to know whether your system is suddenly being accessed from the other side of the planet.
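Both halves of that last point, the fence around a facility and the "other side of the planet" alarm, come down to one great-circle distance calculation. Here is an added example, not Toopher's or Microsoft's code, that implements the geofence check and an impossible-travel detector and combines them into the kind of policy the text describes: auto-authenticate inside the fence, challenge outside it, refuse when the implied travel speed is absurd. The fence centre, radius, speed ceiling and the sample login session are all constructed for the example.

```python
import math
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_KM = 6371.0
AIRLINER_SPEED_KMH = 900.0   # assumption: nobody legitimately moves faster than this between logins


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def inside_geofence(lat, lon, fence):
    """fence = (center_lat, center_lon, radius_km)."""
    clat, clon, radius_km = fence
    return haversine_km(lat, lon, clat, clon) <= radius_km


def implied_speed_kmh(prev, curr):
    """Speed needed to travel from `prev` to `curr`; each is (lat, lon, aware datetime)."""
    hours = (curr[2] - prev[2]).total_seconds() / 3600.0
    dist = haversine_km(prev[0], prev[1], curr[0], curr[1])
    if hours <= 0:
        return math.inf if dist > 0 else 0.0
    return dist / hours


def impossible_travel(prev, curr, max_speed_kmh=AIRLINER_SPEED_KMH):
    """True when two logins are further apart than anyone could have travelled in between."""
    return implied_speed_kmh(prev, curr) > max_speed_kmh


def review_session(logins, fence):
    """Apply the policy to a sequence of logins and return one decision per login.

    deny      - impossible travel since the previous login; alert on this
    allow     - inside the fence, so the location itself is accepted as a factor
    challenge - outside the fence; ask for another factor
    """
    decisions, prev = [], None
    for curr in logins:
        if prev is not None and impossible_travel(prev, curr):
            decisions.append("deny")
        elif inside_geofence(curr[0], curr[1], fence):
            decisions.append("allow")
        else:
            decisions.append("challenge")
        prev = curr
    return decisions


# Constructed sample data: a 500 m fence around a downtown Austin point and four logins.
T0 = datetime(2014, 6, 1, 9, 0, tzinfo=timezone.utc)
FENCE_AUSTIN = (30.2672, -97.7431, 0.5)
SAMPLE_LOGINS = [
    (30.2672, -97.7431, T0),                                     # at the fence centre
    (30.2682, -97.7431, T0 + timedelta(hours=1)),                # about 110 m north, inside
    (30.3672, -97.7431, T0 + timedelta(hours=2)),                # about 11 km north, outside
    (-33.8688, 151.2093, T0 + timedelta(hours=2, minutes=10)),   # Sydney, ten minutes later
]

if __name__ == "__main__":
    for login, decision in zip(SAMPLE_LOGINS, review_session(SAMPLE_LOGINS, FENCE_AUSTIN)):
        print(login[2].isoformat(), decision)
```

Geolocation from GPS is what the article has in mind, but the same two checks run just as well on IP geolocation from web server logs, where the impossible-travel test is usually the more useful of the two because IP-derived coordinates are too coarse for a tight fence.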
(Image courtesy Microsoft)