Blog Articles
Read MSP360’s latest news and expert articles about MSP business and technology
Two-Factor Authentication

Two-Factor Authentication: Solutions, Methods, Best Practices

Two-Factor Authentication: Solutions, Methods, Best Practices

With new data breaches being uncovered daily, many companies are desperate to improve security for their clients. The old standard of user login and password is no longer considered very safe. 2FA is a security by-word nowadays. So, why do you still using old log-on techniques?  

Two-Factor Authentication Standards

Major manufacturers of hardware and software have established standards such as the Fast Identity Online (FIDO) system. It lets a user authenticate with touch after entering their name and password. Participants include Microsoft, Intel, PayPal, Google, Samsung, and Lenovo, among others. The system can use authentication hardware built into a phone or laptop, or run over an external device like a USB dongle.

How to Implement Two-Factor Authentication

Whatever the hardware or protocol, there are some essential components to a two-tier authentication system – the directory service, whether Active Directory, eDirectory, RADIUS or some other system and the add-on two-factor authentication software that enables the additional functions. There are also cloud-based two-factor authentication systems available from Google, Microsoft, and others, which are already integrated with their directory services login systems.

Two-Factor Authentication Vendors

In addition to the members of the FIDO Alliance, and the directory services vendors mentioned above, who include two-factor authentication functionality as part of their solutions, there are third-party vendors who offer two-factor solutions, including RSA, Symantec, VASCO Data Security, Quest Software, Okta, CA, and others. In addition to software vendors who add two-factor authentication to server products, there are a variety of vendors offering hardware tokens, fingerprint readers, FIDO keys, and other devices.

Choosing the Second Authentication Factor

The first choice to make in setting up a two-factor authentication system is not to choose the software unless it is chosen for you. For instance, if you use Google for your office suite or Microsoft Office Online, then you will need a two-factor product that will work with your chosen system. For anything else, your first choice should be the type of the second factor you will be using.

This is typically a system where security is traded off against cost and complexity. For instance, using a text message code as the second factor is inexpensive and easy to set up. It is also the most likely to be circumvented by a determined hacker. Hardware tokens are much harder to circumvent but are also harder to set up and support, and typically add anywhere from $10-$100 per client in hardware costs.

Two-factor authentication types

Common types of 2FA:

  • Hardware tokens - the oldest form of two-factor authentication, physical devices that act like electronic keys that generate a time-valid numeric code to access user accounts. This technique may also include a wireless keycard opening, smart cards, USB sticks.
  • SMS text-message and voice-based 2FA - this type of two-tier authentication interacts directly with a user’s phone. After a user puts in a username and password, the site sends the user a unique one-time passcode (OTP) via text message. A user must then enter the OTP back into the application for getting access. In the case of voice-based 2FA, the system dials a user and verbally delivers the 2FA code.
  • Software tokens - one of the most popular 2FA forms. It uses a software-generated time-based, one-time passcode (also called TOTP, or “soft-token”). A user needs to have a free 2FA app on their phone or desktop. At sign-in, the user first enters a username and password, and then, when prompted, they enter the code shown on the app.
  • Push notifications - websites and apps can now send the user a push notification when there is an authentication attempt. It’s passwordless authentication with no codes to enter, and no additional interaction required.
  • Biometric 2FA - this technique includes verifying a person’s identity via fingerprints, retina patterns, and facial recognition, ambient noise, pulse, typing patterns, and vocal prints.

A Two-Factor Authentication Solutions Overview

In addition to the members of the FIDO Alliance, and the directory services vendors mentioned above, who include two-factor authentication functionality as part of their solutions, there are third-party vendors who offer two-factor solutions, including RSA, Symantec, VASCO Data Security, Quest Software, Okta, CA, and others. In addition to software vendors who add two-factor authentication to server products, there are a variety of vendors offering hardware tokens, fingerprint readers, FIDO keys, and other devices.

All of the systems have the same basic functionality. The directory services system that holds the username and password information have two-factor authentication functionality added to it, which might enable it to send text messages to a user’s phone or retrieve a code when a user presses the button on a hardware token inserted into a USB port.

The hard part is ensuring that the connection is supported and secure between the system that authenticates the user and the device or messaging system used to add the second factor. This is why picking the second factor should be an early decision – getting any particular second-factor system to work with a given directory service. Many of the second-factor hardware devices will support Active Directory or Windows 10, but if you are using Linux, or a specific brand of phone, for instance, these may limit your choices.

We compiled a list of the most popular two-factor authentication software and reviewed each solution:

  • Duo Security - one of the market leaders of 2FA. A lot of our customers use it and love it. If you just need a 2FA that works on with them. If they don't fit your needs, check out the rest of our list
  • RSA SecurID Access is an enterprise-grade two-factor authentication software that offers many multi-factor authentication methods including mobile multi-factor authentication (push notification, one-time password, SMS, and biometrics) and traditional hardware and software tokens. The identity assurance feature is performed by examining users a range of contextual factors and correlating them in hundreds of ways. Also, RSA SecurID Access authentication features include biometric, out-of-band authentication, single sign-on, and policy management.
  • Symantec VIP (Validation and ID Protection Service) is a cloud-based two-tier authentication service that enables businesses to secure access to networks and applications. Its most significant authentication features are proximity unlock, two-factor authentication, credential wallet (security codes generation for your favorite websites passwords), and more. As for the cons, the cost of this solution is rather high compared to other competitors at the market, and the enrollment process is long and confusing sometimes.
  • Okta is a two-factor identity management solution that covers multi-factor authentication, single sign-on, lifecycle management, universal directory, API access management, and other identity management basis. Okta's Adaptive Multi-Factor Authentication solution has a 30-days free trial and a freeware version.
  • ADSelfService Plus offers password self-service reset/unlock, password expiration reminders, a self-service directory updater, a multiplatform password synchronizer, and a single sign-on for cloud applications. There also are android and iPhone mobile apps available to facilitate self-service for end users anywhere at any time. ADSelfService Plus supports the IT help desk by reducing password reset tickets and spares end users the frustration caused by computer downtime.
  • VASCO Data Security by OneSpan is a mobile, two-factor authentication app that enables users to securely log in to applications, via their mobile device, with a fingerprint or PIN along with a one-time password. Users can be notified via push or generate offline passcodes. It is also called the DIGIPASS app. It comes with a free trial and has a user provisioning feature besides multi-factor authentication and password management.
  • CA Identity Suite software is designed to provide its users with control over their organization's privileged users to reduce the risk of compliance failures or security breaches. It comes with many access request management features as well as compliance management, role management, and user provisioning.

Is Two-Factor Authentication Secure?

All administrators wish they could buy a security system, install it, and count on it stopping attackers for the foreseeable future. Unfortunately, hackers continue to create new attacks as fast as (and sometimes faster than) security vendors come up with solutions. It is feasible for a hacker that has the login and password for an account to log into the self-service portal for the system, change the mobile phone number that verification messages are sent to, and then enter the code sent to the new phone number into the system.

Hardware tokens and biometric verification are currently harder to hack, but a Trojan on a PC could theoretically intercept the function call on the real user’s real PC and transmit the verification code to another system. This is much more difficult than spoofing a text message and is probably beyond individual criminals, if not national espionage agencies. However, security will always be a moving target.

FREE ASSETS
MSP’s Assets to Stay Safe from Phishing
  • Phishing response checklist
  • Phishing awareness training slides
  • Anti-phishing posters
New call-to-action
Anti-phishing assets