Two-factor authentication significantly increases the security of IT services, but not everyone likes it. Critics decry the lack of user-friendliness, and the wish for simpler alternatives is growing.
- A lot of research is being done to improve user authentication.
- An alternative to the current MFA methods could be an authenticated and registered device.
- Behaviour-based solutions can also be an interesting MFA solution.
Simple password protection is no longer considered secure. Hacked data are regularly published on the darknet, such as the recent five million data records from the hack at the Portuguese airline TAP-Air.
Multi-factor authentication (MFA) and two-factor authentication (2FA) are designed to make cracked passwords worthless by adding another piece of login information. In addition to the knowledge factor in the form of a password or PIN, there is also the possession factor, for example in the form of a hardware token or a character string generated by a special app on the smartphone. Biometric procedures such as fingerprints or FaceID are also used as an additional factor. But all methods have one thing in common: they increase the effort not only for attackers, but also for legitimate users. If you forget your smartphone, you may no longer be able to log in at work. As the effort increases, the convenience decreases. Alternatives are in demand, so we asked experts about them.
Interesting alternatives to widespread MFA procedures
Login access via an authenticated and registered device could be an interesting alternative, says Simran Mann, security policy officer at the German Information and Telecommunications Industry Association (Bitkom):
"123456", "password", "12345" – do any of these sound familiar? These are the top 3 German passwords of the last year. The fact that despite all the warnings, most people do not follow the golden password rules – long, complex and 2-factor used wherever possible – shows the need for technical innovations to address the problem. And they are being worked on diligently. One solution that is both convenient and secure is to allow login without a password through an authenticated and registered device. The registered device is given a digital signature that allows it to access the relevant services. However, if one does not have the device with them or loses it, a backup code has to be used for recovery. As you can see, we are not quite getting away from the logic of passwords yet. But at least they could soon largely disappear from our everyday lives.
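The device-bound login and backup-code recovery described in the quote above, as an added example that is not part of the original article or of any product mentioned in it. It assumes a server that keeps a per-device key and uses an HMAC over a server-issued nonce as a stand-in for the asymmetric device signature a real deployment (such as FIDO2/WebAuthn) would use; the nonce lifetime, code format and in-memory storage are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 60  # seconds a login challenge stays valid (assumed value)


class DeviceLoginService:
    """Passwordless login via a registered device, with single-use backup codes."""

    def __init__(self):
        self.devices = {}       # device_id -> (user, key); server copy for the HMAC stand-in
        self.backup_codes = {}  # user -> set of sha256(code) that are still unused
        self.challenges = {}    # nonce -> (device_id, issued_at); each nonce is single-use

    def register_device(self, user, device_id):
        # The device keeps its key; the backup codes are shown to the user exactly once.
        key = secrets.token_bytes(32)
        self.devices[device_id] = (user, key)
        codes = [secrets.token_hex(5) for _ in range(3)]
        self.backup_codes[user] = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return key, codes

    def challenge(self, device_id):
        # Server issues a fresh nonce that the device must sign to prove possession.
        if device_id not in self.devices:
            return None
        nonce = secrets.token_hex(16)
        self.challenges[nonce] = (device_id, time.time())
        return nonce

    @staticmethod
    def device_sign(key, nonce):
        # Stand-in for the device's digital signature over the challenge.
        return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()

    def login_with_device(self, device_id, nonce, sig, now=None):
        issued = self.challenges.pop(nonce, None)  # pop: a captured nonce cannot be replayed
        if issued is None or issued[0] != device_id:
            return False
        if (now if now is not None else time.time()) - issued[1] > NONCE_TTL:
            return False  # stale challenge
        user, key = self.devices[device_id]
        return hmac.compare_digest(self.device_sign(key, nonce), sig)

    def login_with_backup_code(self, user, code):
        # Recovery path when the device is lost: only the hash is stored, each code works once.
        digest = hashlib.sha256(code.encode()).hexdigest()
        unused = self.backup_codes.get(user, set())
        if digest not in unused:
            return False
        unused.discard(digest)
        return True
```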
Christopher Boysen from the department "Technical requirements for eID components and sovereign documents" at the Federal Office for Information Security (BSI) expects optimisations in the current MFA procedures:
In connection with the authentication of a user, several aspects must always be weighed up; pure user-friendliness is not the only point to be considered. The security of an entire process is also always relevant. With increased demands on security, it will therefore still be necessary in the future to use procedures that do not have an exclusive focus on user-friendliness. This combination is often described as "usable security". In addition to the currently widespread biometric factors, hardware tokens, for example USB keys or smartcards that can be read via NFC, would also be conceivable as factors of the possession type. However, it is difficult to estimate in which direction research and development will go in the future. Basically, it can be assumed that both the security of biometric procedures and the usability of possession-based procedures can be improved.
Holger Berens, Chairman of the Board at the German Association for Critical Infrastructure Protection, BSKI, considers behaviour-based solutions to be an interesting MFA solution:
The BSI has published a very good overview and evaluation of the individual MFA procedures on its websites (German). Integrative solutions have been developed to increase user acceptance. User-friendliness has often been strongly neglected in favour of security. SMS OTPs or apps are common, but user-friendliness is also disregarded here. That is why TypingDNA Verify 2FA was developed. Here, the user is authenticated based on what is typed on the keyboard. Users only have to type a few words. No additional code is required. Basically, it can be said that 2FA definitely increases security, but actually still causes problems with acceptance. In addition, the best technical solutions cannot eliminate the human risk. If, for example, a company does not delete the permissions at the same time as off-boarding, in the worst case no 2FA solution will help.
More research needed
The growing dissatisfaction among users reveals the shortcomings of multifactor authentication. These lie less in security than in everyday practice. For example, it is difficult to obtain a second factor with a smartphone app in places without wireless coverage. You often see desperate users wandering the corridors of a building in search of network reception. USB tokens tend not to have this problem, but if they are left at home, access to IT is only possible via detours, if at all. Future optimisations must be oriented towards these problems. Research on this is ongoing and the first companies are presenting results, for example with continuous security through a behaviour-based model, such as the start-up Deepsign, which just took part in the ATHENE Startup Award UP22@it-sa. However, such ideas are still the exception on the market for IT security solutions, and innovative procedures have not yet arrived in the everyday life of users.
Author: Uwe Sievers