Since its inception, two-factor authentication (2FA) has been subject to countless opposing viewpoints. Whether it’s hard tokens, SMS or biometrics, searching for the perfect 2FA solution has proven to be both daunting and ill-starred. With that being said, businesses continue to work through the pain, partly because the PCI standards demand it and partly because they are willing to do whatever it takes to achieve bulletproof data security. The challenges associated with these high-resistance identity solutions can all be rolled into one mega-challenge: providing a 2FA login solution that attains a high level of data security compliance while still preventing high-profile breaches and catering to a customized user experience.
Why Hackers Keep Winning
There is nothing more discouraging to business owners than discovering instances where the high-friction authentication they have invested so much time, effort and/or money into has failed. This is especially stressful for those who are mandated to integrate 2FA as part of their everyday data security practices. Last year’s mega-hack faced by JPMorgan is a prime example. The exposure of names, addresses, email addresses and phone numbers of 83 million account holders made this one of the biggest security breaches in history. It brings to mind the issue of data security compliance and the importance of maintaining a high level of security and awareness. This particular incident is said to have been the result of a two-factor failure.
A data security breach caused by 2FA failure? That’s enough to make anyone feel insecure! In this case, the hackers clearly won. The reason they were able to achieve this data security breach, however, was not a failure of 2FA technology. It was a simple but major defect in the company’s integration of its particular 2FA solution. In the case of JPMorgan Chase, technicians neglected to upgrade one of its network servers, a crucial step in activating two-factor authentication for data security compliance. A server left outside the 2FA rollout is a server that still accepts a password alone, so the coverage of the rollout matters as much as the technology itself.
Searching for the Right 2FA Solution
In addition to the disheartening aspect of 2FA fatigue, not knowing which method to choose can be another major hurdle. Users spend weeks, sometimes months, searching for the right 2FA solution for their business. Time is money! While conducting your search, it’s important to rule certain things out up-front. If you’re on a budget, plastic hardware tokens are probably not the best solution for you, as they tend to be costly. There has been major improvement over the years on this matter, as several identity providers now offer tokenless authentication, eliminating that extra cost. In this case, Bring Your Own Device (BYOD) comes into play. I’ll use a cell phone as an example. While a password is generally the first factor, your cell phone will play the role of the second. This process, known as SMS 2FA, prompts the end user to log in with a password and then enter a one-time passcode that is delivered via SMS. This solution is very popular with those seeking data security compliance and is available worldwide from companies like PortalGuard and SecurEnvoy.
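The server side of the SMS 2FA step just described, as an added example that is not code from the original article or from PortalGuard or SecurEnvoy. The SMS gateway is replaced by a callable stub, and the five-minute lifetime and three-attempt limit are assumed policy values, not figures from the article.

```python
# Added example: a minimal server-side model of the SMS one-time passcode step.
# The SMS gateway is a stub; code lifetime and attempt limit are assumed policy.
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed policy: a code is valid for 5 minutes
MAX_ATTEMPTS = 3         # assumed policy: invalidate the code after 3 wrong guesses


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class SmsSecondFactor:
    """Issues and verifies one-time passcodes after the password step succeeds."""

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms                 # callable(phone, text)
        self._now = now                           # injectable clock for testing
        self._pending: dict[str, PendingCode] = {}  # user -> outstanding code

    def issue(self, user: str, phone: str) -> None:
        # Fresh CSPRNG code each time; never derived from user data or a counter.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = PendingCode(code, self._now() + CODE_TTL_SECONDS)
        self._send_sms(phone, f"Your login code is {code}")

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False                      # no code outstanding (none issued, or used)
        if self._now() > entry.expires_at:
            del self._pending[user]           # expired: the user must request a new code
            return False
        # Constant-time compare so timing does not reveal how many digits matched.
        if hmac.compare_digest(entry.code.encode(), submitted.encode()):
            del self._pending[user]           # single use: consumed on success
            return True
        entry.attempts_left -= 1
        if entry.attempts_left <= 0:
            del self._pending[user]           # brute-force guard: discard the code
        return False
```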
Simplicity and Security
The combination of 2FA’s enhanced data security with simplicity is a novelty that would have been unheard of a few years ago. There are still businesses today that are not crazy about SMS 2FA and would rather pay for individual hardware tokens. The reasons behind these decisions vary case by case. Privacy concerns and fraudsters are still among the major issues for individual corporations. There are companies that make a fair amount of money by selling users’ information, such as their cell phone numbers or medical records. This is not a new development, and it pricks up the hair on the back of the neck of the security-conscious individual. Because SMS 2FA ultimately relies on the security of your carrier for the security of your system, some users and businesses are concerned about mobile phones being hacked.
In addition to these other data security issues, cell phone reception is still not available everywhere, which makes SMS authentication a poor fit for data security compliance in some settings. Let’s say you are a gas station/convenience store in the middle of the desert, in an area where connectivity is intermittent. However, you are still able to process credit cards. In this case, you need an alternative 2FA solution to carry out your transactions. While these scenarios are rare, there are still solutions available to address the associated concerns. PassiveKey, which leverages the end user’s laptop or desktop, serves as a token alternative and generates a password behind the scenes. The user enters a hotkey combination right after logging in and is verified by the server without any further action on the user’s part. This simple solution requires no cell reception and no hardware tokens, and still only prompts you to log in with one password.
Data Security Compliance – Think It Through
Two-factor authentication may slowly be hitting the mainstream, but there is still a wide array of concerns about its relation to data security compliance. Though the PCI SSC may require a second factor for security, its adoption still seems to grind on some individuals’ last nerve. 2FA fatigue is an issue that doesn’t seem to be going away any time soon, so be certain to find a solution that offers you customizability and variety to suit your specific needs. Data breaches show no signs of slowing down, but proper adoption and implementation of 2FA could bring your business from JP Morgan to Fort Knox in terms of security. Work through what’s out there, and take a step towards stronger, better data security compliance.