A lot of people talk to me about two-factor authentication (2FA) as if it were a security panacea. But what about Man-in-the-Middle or Man-in-the-Browser attacks, or (as discussed in my last blog) the case where people choose weak passwords to control their access to potentially valuable information?
As cyber attacks become more complex and intelligent, and as we move towards an increasingly mobile society, two-factor authentication is no longer enough, because sophisticated fraud simply rides on top of a successful authentication rather than trying to break it.
The answer is to use as many of the following visible and invisible reference points about the end user as the perceived risk warrants. These can be something they know (a PIN or password), something they have (a phone), something they are (their voice, for example) and somewhere they are or are not (jurisdiction authentication based on proximity analysis).
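As an added example that is not part of the original post, here is a sketch in Python of how a risk-based policy might step up through these four kinds of reference point; the signals, weights and thresholds are assumptions chosen for illustration, not any vendor's product logic.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Set

class Factor(str, Enum):
    KNOWLEDGE = "knowledge"    # something they know: PIN or password
    POSSESSION = "possession"  # something they have: a registered phone
    INHERENCE = "inherence"    # something they are: e.g. voice biometrics
    LOCATION = "location"      # somewhere they are / are not: proximity check

@dataclass
class Context:
    """Signals about one request; all fields are constructed for illustration."""
    amount: float            # value of the requested transaction
    known_device: bool       # has this browser/device been seen before?
    phone_country: str       # jurisdiction reported by the registered phone
    request_country: str     # jurisdiction the request originates from
    password_strength: int   # 0-4 estimate from a strength meter

def proximity_mismatch(ctx: Context) -> bool:
    """Jurisdiction check: phone and request should be in the same place."""
    return ctx.phone_country != ctx.request_country

def risk_score(ctx: Context) -> int:
    """Additive risk score; the weights are assumed, not a standard."""
    score = 2 if ctx.amount >= 1000 else 1 if ctx.amount >= 100 else 0
    if not ctx.known_device:
        score += 2
    if proximity_mismatch(ctx):
        score += 3
    if ctx.password_strength < 3:  # a weak password weakens the knowledge factor
        score += 1
    return score

def required_factors(ctx: Context) -> Set[Factor]:
    """Step up from a password alone to as many layers as the risk warrants."""
    factors = {Factor.KNOWLEDGE}
    score = risk_score(ctx)
    if score >= 2:
        factors.add(Factor.POSSESSION)  # one-time code to the phone
    if score >= 4:
        factors.add(Factor.INHERENCE)   # voice verification
    if proximity_mismatch(ctx):
        factors.add(Factor.LOCATION)    # resolve the jurisdiction conflict
    return factors

def needs_transaction_verification(ctx: Context) -> bool:
    """Out-of-band confirmation of amount and payee for high-value or high-risk requests."""
    return ctx.amount >= 1000 or risk_score(ctx) >= 4
```

A low-value request from a known device in the expected jurisdiction needs only the password, while a high-value request whose phone and origin disagree requires all four layers plus separate confirmation of the transaction details.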
Use of layers over and above the standard 2FA approach is becoming very real and increasingly necessary. Voice biometrics, for example, has been around for some time, but successful recent trials point towards much increased take-up in 2012, especially as the privacy worries associated with proximity analysis can now be easily countered. My own company has two EuroPriSe seals on data privacy, for example. Deploying multi-layered security is user-friendly, both in terms of security and of the overall end-user experience. As we move through 2012, I expect to see the focus shift definitively from 2FA to a more multi-layered mindset.
Organisations – banks, government agencies and companies – need to reach a position of knowledge and trust in their interactions with the public. They want assurance that the individual at the end point is the person he or she claims to be. Security is all about staying one step ahead of the fraudsters, and authentication alone can no longer guarantee this. Instead, organisations need to build up a fuller picture of the end user by taking a multi-layered approach to authentication in conjunction with transaction verification (where appropriate).