
Two-factor authentication isn't enough

A lot of people talk to me about two-factor authentication (2FA) as if it were a security panacea. But what about Man-in-the-Middle or Man-in-the-Browser attacks, or (as discussed in my last blog) users who choose weak passwords to control access to potentially valuable information?

As cyber attacks become more complex and intelligent, and as we move towards an increasingly mobile society, two-factor authentication is no longer enough, because sophisticated fraud simply leverages the authentication process itself.

The answer is a multi-layered approach: use as many of the following visible and invisible reference points about the end user as the perceived risk warrants. These are something they know (a PIN or password), something they have (a phone), something they are (for example their voice), and somewhere they are or are not (jurisdiction authentication based on proximity analysis).

Layers over and above the standard 2FA approach are now a practical reality and increasingly necessary. Voice biometrics, for example, has been around for some time, but successful recent trials point towards much increased take-up in 2012, especially as the privacy concerns associated with proximity analysis can now be easily countered (my own company holds two Europrise seals on data privacy, for example). Deployed well, multi-layered security is user-friendly both in terms of security and of the overall end-user experience. As we move through 2012, I expect the focus to shift definitively from 2FA to a multi-layered mindset.

Organisations – banks, government agencies and companies – need to reach a position of knowledge and trust in their interactions with the public: assurance that the individual at the end point is the person he or she claims to be. Security is about staying one step ahead of the fraudsters, and authentication alone can no longer guarantee this. Instead, organisations need to build a fuller picture of the end user by combining a multi-layered approach to authentication with transaction verification where appropriate.
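The post describes a layered policy in which the number of reference points demanded is "calculated against the perceived risk". The following is an added example of such a risk-scored step-up decision, written for this page rather than taken from the author's company or product; the signals, weights and thresholds are hypothetical and would be tuned against observed fraud in a real deployment. It maps the post's four layers (know / have / are / where) onto a decision and adds transaction verification as the top step, as the last paragraph suggests.

```python
"""Risk-scored, multi-layered authentication decision.

Added example (not the post author's or ValidSoft's logic). Signal weights and
step-up thresholds are hypothetical placeholders.
"""
from dataclasses import dataclass

# Hypothetical risk weights per signal (tune against real fraud data).
RISK_WEIGHTS = {
    "new_device": 30,         # "something they have": device not seen before for this user
    "location_mismatch": 40,  # "somewhere they are not": phone and browser geolocation disagree
    "high_value": 25,         # amount above the policy threshold
    "unusual_hour": 10,       # outside the user's normal activity window
}
HIGH_VALUE_THRESHOLD = 1000.0  # hypothetical policy value


@dataclass
class Context:
    """Visible and invisible reference points gathered at the end point."""
    device_known: bool
    browser_country: str   # jurisdiction seen by the web session
    phone_country: str     # jurisdiction reported by proximity analysis of the phone
    amount: float
    hour: int              # local hour of the attempt, 0-23


def risk_score(ctx: Context) -> int:
    """Sum the weights of every risk signal present in the context."""
    score = 0
    if not ctx.device_known:
        score += RISK_WEIGHTS["new_device"]
    if ctx.browser_country != ctx.phone_country:
        score += RISK_WEIGHTS["location_mismatch"]
    if ctx.amount >= HIGH_VALUE_THRESHOLD:
        score += RISK_WEIGHTS["high_value"]
    if ctx.hour < 6 or ctx.hour >= 23:
        score += RISK_WEIGHTS["unusual_hour"]
    return score


def required_layers(score: int) -> list[str]:
    """Step up through the post's layers as the score grows (thresholds hypothetical)."""
    layers = ["know"]                       # PIN or password is always required
    if score >= 20:
        layers.append("have")               # possession proof, e.g. code sent to the phone
    if score >= 50:
        layers.append("are")                # biometric, e.g. voice
    if score >= 70:
        layers.append("verify_transaction") # user confirms payee and amount out of band
    return layers


def decide(ctx: Context, presented: set[str]) -> dict:
    """Decide whether the layers already presented satisfy the risk of this attempt."""
    score = risk_score(ctx)
    need = required_layers(score)
    missing = [layer for layer in need if layer not in presented]
    return {"score": score, "required": need, "missing": missing, "allow": not missing}


if __name__ == "__main__":
    # Constructed sample attempts.
    routine = Context(True, "GB", "GB", 50.0, 14)
    risky = Context(False, "GB", "NG", 5000.0, 2)
    print(decide(routine, {"know"}))
    print(decide(risky, {"know", "have"}))
```

A low-risk balance enquiry from a known device gets through on the password alone, while a high-value payment from an unknown device whose phone is in a different jurisdiction is held until a biometric and an out-of-band confirmation of the transaction details are supplied.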


Comments: (13)

Stephen Wilson - Lockstep Group - Sydney, 13 January, 2012, 22:30

There's Two Factor Authentication, and there's Two Factor Authentication. Sadly, the term and the acronym "2FA" have come to mean just one specific branch of the authentication family tree, a bunch of related one-time and/or out-of-band password approaches (including SMS codes, OTP key fobs, and EMV CAP).

The more fundamental idea is still vital. Two Factor Authentication should mean access involving a physical device. When that device is a smart device, like a chip card or a phone, then possibilities open up for machine-to-machine challenge response, digital signing, mutual authentication and so on, which eliminate the sorts of MITM attack that plague the OTP and out-of-band password solutions.


Stephen Wilson - Lockstep Group - Sydney, 16 January, 2012, 10:14

How come my comment from last week disappeared?

Pat Carroll - ValidSoft - London, 16 January, 2012, 14:05

Stephen, not my doing. Finextra bloggers have no administrative control over comments. I can see your first comment, if it is any help.

A Finextra member, 16 January, 2012, 14:55

Just wondering about this part of Stephen's comment:

"Two Factor Authentication should mean access involving a physical device."

Why is the traditional meaning of 2FA - something you know/have/are - not good here?

A Finextra member, 16 January, 2012, 16:09

Come on, 2FA is the bee's knees if it is implemented properly. What do you want, 3FA, 4FA? Why bother at all ... I have had a look at the new 2FA processes some companies are employing with their web strategies; they are solid, especially the systems which are starting to use passcode-generator-enabled iPhone applications. It is cost effective, security effective, and the passcode only lasts for a matter of seconds.

I would say 2FA with a passcode generator is as good as it is ever going to get.

Stephen Wilson - Lockstep Group - Sydney, 16 January, 2012, 17:06

Martin, it's not the number of factors so much as the nature of the technology. The one time password generator is subject to MITM attack. A code that lasts a couple of seconds still affords a mechanised attack computer plenty of time to intercept and replay.

The "bee's knees" in my opinion is the smartcard. OTPs are a toy. With built-in readers increasingly commonplace (and with NFC allowing new ways to interface cards to laptops, tablets and phones) we could be replicating the universal ATM/POS experience for all Internet transactions. Cards are far easier to use than OTP, and technically have all manner of advantages as noted previously, including resistance to MITM and mutual authentication.

Kenneth Kunin - SunGard - Montreal, 16 January, 2012, 19:12

Interesting side-note: I was talking recently with a "big data" analyst who told me he knew of shady characters in places like Russia and the Ukraine that were funded by organized crime, looking at social media data to help with identity theft. All those questions that banks and other service providers ask, like "What's your mother's maiden name?" or "What's your dog's name?" as a second factor using mere challenge questions, that kind of data can now be easily gleaned from Facebook. The idea is to build a complete profile on an individual, and then use that data to "leverage the authentication process", as you say. Scary. But it makes me think that the definition of 2FA probably needs to be tightened.

Stephen Wilson - Lockstep Group - Sydney, 16 January, 2012, 19:51

Kenneth: Absolutely the definition needs tightening. Some have bastardised "Two Factor" authentication by counting multiple secret questions as additional factors. The most important thing is we need a physical factor (something you have) that is easily noticed when lost, and which is also difficult to replicate or intercept & replay. A big problem with biometrics when deployed without a physical token [like in the idea of a cardless ATM where you just stare into an iris scanner] is that you cannot tell when your authenticator has been stolen. It's important that we use more sophisticated criteria for matching applications to security technologies.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 17 January, 2012, 09:41

In all this discussion about the definition of 2FA, what constitutes a puristic implementation of 2FA versus what does not, etc., it's equally important to assess what the appropriate use cases for 2FA are in the first place. Does a retail banking customer really have to go through 2FA to know their account balance? Should a biller use 2FA to authenticate that the payor is indeed the subscriber? I could go on with such rhetorical questions, but the primary point of a transaction is that it should go through without causing undue friction for the customer, and I think this point often gets missed by overzealous security mechanisms. Some seven years after FFIEC mandated 2FA for online retail banking in the USA, the level of compliance may be low, but I have never come across any solid evidence that non-2FA users have suffered greater theft as a percentage of their transaction volumes as compared to 2FA users.

Stephen Wilson - Lockstep Group - Sydney, 17 January, 2012, 10:43

Which brings us back to my point! The default "2FA" -- meaning one time password generators -- is a toy, long ago defeated by determined criminals, and of marginal benefit. But "two factor authentication" achieved by smarter means like chip cards enables transactions to be digitally signed and rendered non-replayable, and mutual authentication too, where the chip's intelligence can detect and respond to site spoofing etc. Then two factor authentication would offer real advantages, and be as easy to use in the remote Internet setting as POS and ATM systems.

Not all "two factor authentication" is the same, and we should take the time to think beyond the simple key fobs and calculators that have come to mean "2FA" by default.
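Stephen Wilson's comments above contrast a one-time password, which a relaying intermediary can intercept and replay, with a chip that signs a challenge so that the transaction becomes non-replayable. The following is an added example, not code from any commenter or their company, that makes the difference concrete from the verifier's side. It assumes a shared per-card key and uses HMAC in place of the card's signature (a real chip would use an asymmetric key and the server its public key); the card key, payee names and amounts are constructed sample values.

```python
"""Unbound OTP versus transaction-bound challenge-response, seen from the verifier.

Added example. HMAC over a shared per-card key stands in for the chip's signature;
CARD_KEY, payees and amounts are constructed sample values.
"""
import hashlib
import hmac
import secrets

CARD_KEY = b"constructed-per-card-secret-key"   # provisioned into the chip at issuance


# --- Model A: one-time password generator -------------------------------------
def otp_for(step: int) -> str:
    """Six-digit code derived from a moving counter or time step (HOTP/TOTP style)."""
    mac = hmac.new(CARD_KEY, step.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def otp_verify(code: str, step: int, payee: str, amount: str) -> bool:
    """The server checks only the code. Payee and amount play no part, so the
    verifier cannot tell whether the code is reaching it through an intermediary
    that has substituted a different transaction underneath it."""
    del payee, amount  # deliberately unused: this is the weakness being illustrated
    return hmac.compare_digest(code, otp_for(step))


# --- Model B: chip signs a server nonce plus the transaction details ------------
def canonical(payee: str, amount: str) -> str:
    return f"{payee}|{amount}"


def card_sign(nonce: bytes, payee: str, amount: str) -> bytes:
    """The chip signs exactly what it shows the user ('what you see is what you sign')."""
    return hmac.new(CARD_KEY, nonce + canonical(payee, amount).encode(), hashlib.sha256).digest()


class Server:
    """Issues single-use nonces bound to a transaction and verifies the chip's signature."""

    def __init__(self) -> None:
        self.outstanding: dict[bytes, str] = {}   # nonce -> transaction it was issued for

    def challenge(self, payee: str, amount: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding[nonce] = canonical(payee, amount)
        return nonce

    def verify(self, nonce: bytes, payee: str, amount: str, signature: bytes) -> bool:
        # A nonce is consumed by the first attempt, valid or not, so a second
        # presentation of the same signature (replay) can never succeed.
        issued_for = self.outstanding.pop(nonce, None)
        if issued_for is None or issued_for != canonical(payee, amount):
            return False   # unknown/used nonce, or details differ from those challenged
        return hmac.compare_digest(signature, card_sign(nonce, payee, amount))


if __name__ == "__main__":
    code = otp_for(7)
    print("OTP accepted for the intended payment:", otp_verify(code, 7, "Alice", "10.00"))
    print("OTP accepted for a different payment: ", otp_verify(code, 7, "Other", "9999.00"))

    server = Server()
    nonce = server.challenge("Alice", "10.00")
    sig = card_sign(nonce, "Alice", "10.00")
    print("Signed transaction accepted:", server.verify(nonce, "Alice", "10.00", sig))
    print("Same signature replayed:   ", server.verify(nonce, "Alice", "10.00", sig))
```

The point the test makes is that `otp_verify` returns the same answer whatever transaction is attached to the code, while `Server.verify` rejects both a replayed signature (the nonce has been consumed) and a signature presented with altered payee or amount (the nonce was issued for different details and the MAC would not match either).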

Pat Carroll - ValidSoft - London, 17 January, 2012, 16:47

Thank you all for this great debate. Like some comments suggest, 2-F authentication can be defined differently. But an effective 2-F authentication solution must use an Out-Of-Band (OOB) channel. As a security technology vendor, my premise must be that the device used to make the transaction is compromised; then you work back from there so all fraud vectors are addressed.

Of course the number of factors (2,3,4) depends on business imperatives but aren’t customers demanding security already? Let’s be real, as an industry, are we seriously going to stop at 2-F? We need to evolve with technology (especially mobiles) and with the sophistication of attacks from fraudsters.

Multi factor authentication and OOB are just the beginning though – authentication alone does not stop the transaction from being compromised – you need transaction verification which is where the OOB comes in.

Who has not heard of ZITMO, ZEUS, sim swap, CFU?

Understanding security is no longer enough; any serious player in security will need to understand how telcos/mobile operators work to develop the right technology with the sufficient factors for strong authentication. Oh, by the way it is cost effective as well and can be delivered under 400 milliseconds.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 18 January, 2012, 09:41

This is an excellent research paper around why, warts and all, passwords are here to stay and, despite their huge promise on paper, many alternatives haven't managed to move the needle on adoption.

A Finextra member, 01 October, 2012, 16:22

Would anybody know if 2F mitigates token misuse in terms of tools such as incognito, which can impersonate Windows access tokens, which an overuse of domain admins can cause to become a bigger concern? Or does two factor only really help the initial authentication part, and therefore once authenticated to AD the tokens are still up for grabs for privilege escalation from a compromised client on the network?


This post is from a series of posts in the group:

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.