Helios News
Back to News
What you need to know about two-factor authentication
Author: Jeremy Herring
September 1st 2013 -

If in the modern age information is the currency then account security is the bank vault with which you secure your digital assets. It's reminiscent of the humorous anecdote about banks leaving their vault open all day long but chaining the pens to the counter. Many of us are the same way in a lot of ways… we worry about someone hacking into one of our online accounts but don't even bother to log off our online sessions are lock our devices when we leave them unattended. We're actually more likely to be the victim of a ‘friendly hacking' by a friend or family member than a deliberate and malicious online attack. Nevertheless, precautions taken in advance can significantly reduce the likelihood and/or impact of your compromised online information.

The hot topic lately has been two-factor authentication. It's really nothing new; you've been using it for years when you go up to an Automated Teller Machine, insert your card and enter your Personal Identification Number. The only reason it's making news is because so many large-scale websites are finally getting around to implementing it in the wake of ever-more frequent attacks on their networks. Financial websites were obviously early adopters, using challenge questions as an additional level of authentication but this was simply a second step of authentication using the same type of authentication factor (what you know). Additionally, it is often the case that they use the same common questions to which the answers may be information that can be commonly discovered. Believe it or not, your mother's maiden name is not some big secret… in fact, it's a matter of public record is someone knows where to look for it.

Google, Apple, Facebook, Twitter and the like have literally hundreds of millions of subscribers and possess billions of bits of personal information about these subscribers. Hackers would like to get their hands on this information but know that a frontal assault on any network's defenses is futile. This is why they try to co-opt legitimate credentials from the subscribers in the form of malicious browser pop-ups, Trojan apps and of course spam/phishing emails. If they can get you to volunteer your login information, they can get access to your online account by walking right in the front door so to speak.

Two-factor authentication measures seek to counter this vulnerability by adding an additional layer of verification. Security, both virtual and physical, is achieved by three factors: what you have, what you know or who you are, just like the ATM card/PIN combination. Your house key is a security factor because it is something you have on your person. A security system is in a sense a second factor because having crossed the first barrier (the door lock) you need to also provide something that you know (your alarm code). In this scenario, losing your keys doesn't immediately result in a burglary because the would-be thief actually needs to know TWO things in addition to possessing the key – your address and your alarm code. The casual pickpocket who comes into possession of your keys would need to also have your ID in order to learn your address so you're more vulnerable to a targeted attack than a passive one, meaning someone who already knows where you live when they come into possession of the keys.

Of these three factors (what you have, what you know or who you are), only one is really directly obtainable in the online realm and that is what you know (your username and password). This is why one of the most successful forms of hacking is the legitimate-looking email notification from an online account service. If they can make you think you need to verify your login credentials, they can send you to a bogus online location where you're give them your information voluntarily. Therefore many online accounts want to add a second validation method and the next best thing is a form of confirming something you have – your mobile phone. Therefore, when you attempt to login, the two-factor authentication scheme wants to send you a text message that will contain a code for you to enter. The only way to receive this code? Be in possession of your phone. This adds a barrier to the would-be hackers from being able to use the illicitly-obtained login credentials because they are not also going to be in possession of your phone… or if they are then this is a very sophisticated and targeted attack and you must be a very wealthy or important individual for such measures to be worthwhile.

The downfall is that most online sites aren't requiring the two-factor authentication (yet) but rather simply offering it as an added level of security. Many subscribers won't take advantage of it either because they don't know it is available or else they don't want to endure the hassle of validation every time they login. I'm as guilty as the next person of checking that little box that says, ‘Keep me logged in' because I don't want to have to type my username and password AND a verification code every time I want to send an email. So we are often our own worst enemies when it comes to online security. I firmly expect that two-factor verification will gradually move from optional to requirement as the online community seeks to further secure their networks.

The same expectation of security relates to our customers as well. When a customer purchases a package or enrolls in a membership, there is a monetary value at stake in the form of services bought and paid for but waiting to be used/redeemed. Many salons may ask each customer their name or number as they arrive (something the customer knows) or even issue customers a membership card or key fob (something the customer has) to expedite the check-in process. Both of these can be shared or stolen and cards can also be lost or possibly even replicated. To counter this, a second step can be employed to confirm the customer's validity. In former days this could have been a photo on the customer's profile or asking for a security code; both of these are weak forms of authentication because they rely on the employee to remember to perform the step and can easily be circumvented by an unscrupulous employee. More recently the implementation of biometrics has virtually eliminated such factors because it is scrupulous and unbiased as well as not able to be falsified or circumvented. Using a simple fingerprint scan, the customer can prove that are indeed who they say they are and it only adds a second or two to the check-in process. In many ways the indoor tanning industry is actually at the forefront of such retail security measures.

Biometric technologies are gradually making their way into other forms of security, including mobile devices. Some mobile phones use facial recognition to unlock the screen. Several high-end laptop computers use a fingerprint scan to unlock the operating system's screen saver or standby mode. As the technology becomes more prevalent to the point of almost universality, this can be a benefit for online services to implement biometrics as an additional level of authentication. As long as the device where you are logging in has a capable biometric device, the protocol for using it to confirm you are the legitimate subscriber will undoubtedly be forthcoming.

 

Did you know?

Helios is offering bundling pricing for all of our services, Helios, and New Sunshine Marketing Hub!
Great services, great pricing... click here to find out more.
Credit Card Processing

Integrated Credit Card
Processing

Learn More  ►
  • sales: (888) 936-5160
  • support: (317) 554-9911

8001 Woodland Dr., Indianapolis, IN 46278       info@gohelios.com

Helios, LLC is a division of New Sunshine, LLC. Copyright © 2019. All Rights Reserved. indianapolis web design by: imavex

Accepted Credit Cards