Secure your small business:
Apps → Data →

Two-Step Authentication is Not Two-Factor Authentication

Your team, your regulators, your clients, and the cybersecurity pundit class have all been telling you for some time now that in today’s world, either two-factor authentication (2FA) or multi-factor authentication (MFA) is a must.

How good are you and your users at protecting secrets? And how much of your safety have you staked on it? © Kiosea39 / Dreamstime

So, your organization has made some improvements. You now require an additional step, beyond username and password entry, for logins. That means you’re covered when it comes to authentication best practices, right?

Let’s find out. Here is a partial list of common “2FA” solutions:

  • Also requiring a PIN number. When the user created their account, you assigned them a PIN number. To log in, they must provide this PIN.

  • Also requiring an account number. A unique account number or card number identifies the user in your database. To log in, they must provide this number.

  • Also requiring the answer to a personal question. The user has previously provided the answer to a personal question. To log in, they must be able to repeat this answer.

  • Also requiring confirmation of an image. The user has previously selected an image from a set of several images. To log in, they must be able to repeat the selection.

Which of these solutions are best 2FA practices, and which aren’t?

Okay, that was a trick question. All of these are insecure. And, more pointedly, none of them is actually a form of two-factor authentication.

More Steps Doesn’t Mean More Factors

Two-factor and multi-factor authentication are stronger than passwords alone because they require a several kinds of identity proof. Security experts talk about three basic “factors” that can be used to identify someone:

  • Things someone knows. To verify identity, you ask a question that only the right person should be able to answer. Passwords are an example of this factor.

  • Things someone has. To verify identity, you require an object that only the right person should have. Mobile phones are an example of this factor.

  • Things someone is. To verify identity, you carefully inspect the individual’s physical attributes. Fingerprints are an example of this factor.

Simply adding another question to your login prompt—whether that question asks for a PIN number, an account number, personal data, or the recollection of an image—is not the same as adding another factor.

The trouble with short secrets is that they’re easy to steal and tough to keep—particularly when in the real world, so many of them get written on Post-It notes. © Min An / Pexels

In fact, all of the common strategies outlined at the start of this article are more properly called two-step authentication, not two-factor authentication. They’re just things to know, like a password.

Why “Secret” Knowledge Isn’t Secure

Okay, so they’re not “factors.” Fine. But they’re additional questions! Isn’t that enough?

No, it isn’t. And here are three of the most important reasons why.

  • They share adjacent storage and input. PINs, secret answers, and passwords are all just data, flowing at the same time through the same login flows on the same systems. Any method for capturing, stealing, or compromising passwords will tend to nab PINs and secret answers, too.

  • They share a vulnerability to human frailty. People have lots of passwords to remember these days. So naturally, they write them down—making them easy to steal. A PIN is just the same—and you can bet that the user who puts their password on a Post-It will write their PIN right next to it.

  • They are poor identity confirmation. Most passwords can be brute-forced (all character combinations tried) in hours, most PINs in seconds. Most answers to personal questions—family names, best men at weddings, and so on—are public data or found on social media. So much for secret knowledge.

No matter how many secrets you require of someone for proof of identity, you’re still just asking for one kind of proof—short, simple secrets.

Conventional wisdom isn’t wrong. Secrets are easily shared, easily stolen, and very hard to keep. That makes them terrible proof of identity in the real world, whether you ask for just one secret at a time or two.

Two-step authentication isn’t much more secure than a simple password prompt. Don’t stop there. Deploy true multi-factor authentication instead. © / Pexels

Don’t Stop Until You’ve Added More Factors, Not More Secrets

To achieve real security gains, you’ll need to deploy true multi-factor authentication instead—logins that ask users to present a unique object that only they should have, or to demonstrate detailed physical characteristics only found on one person—the right person.

If you already knew this, and opted for mere two-step authentication because your research led you to believe that 2FA or MFA solutions are too complex, expensive, or difficult to use, talk to us at Plurilock™.

Our MFA products are affordable, invisible to users, and rely on the hardware you already have.

Just don’t rest on your laurels, believing that short PIN numbers or the names of best friends offer much more protection than passwords do. After all, you’ve already cared enough to consider your authentication practices carefully.

So don’t stop there—go the distance and actually make your login flows secure by adopting true 2FA or MFA solutions. ■

Subscribe to the newsletter for Plurilock and cybersecurity news, articles, and updates.

You're on the list! Keep an eye out for news from Plurilock.