Gluu Blog

Follow us:
Back to Blog

Achilles Heel of Two-Factor Authentication

Mike S. January 15, 2014

achilles-heel1

Ironically, to reset one credential, you need another. And your organization is only as secure as your weakest account recovery credential.

Today, websites use a wide array of techniques to enable account recovery. Many rely on control of an email address or a cognitive secret. Manufacturers can associate a serial number with a given customer, and require control of a device. One solution proposed is to enable account recovery based on “friend vouches.”

To use Google’s own words, account recovery is most definitely “the achilles heel” of multi-factor authentication. Organizations may want to consider solving this first, before you undertake a multi-factor authentication solution. It is vulnerable to hacking humans, which is the topic of an interesting talk this year at SXSW Interactive.

What is the best way to secure account recovery?

In many organizations, hardware is going to be a long-term fact of life. It represents an ancient trust model: a physical key. Supporting hard tokens at scale is a challenge–its logistically much more difficult than scaling a mobile authentication solution. However, prices for hardware are going down, a promising standard is on the rise (FIDO), and combined with NFC, hardware tokens can be used to authenticate to both a mobile device or laptop. A lot of work needs to be done to make hardware tokens easier to use by organizations. For example enrollment is a logistical nightmare for many hardware solutions.

Many new account recovery solutions will utilize the telephone, SMS, and mobile PUSH networks. These technologies have the most potential to improve existing account recovery systems, while providing a fairly cost effective solution to support at scale.

Biometric account recovery remains a niche, but with the mainstream use of fingerprint in the iPhone, and other clever uses for voice authentication, biometric account recovery is also clearly on the rise.

Interested in secure, self-service 2FA? Check out our new open source app, Credential Manager.

[:ja]

achilles-heel1

Ironically, to reset one credential, you need another. And your organization is only as secure as your weakest account recovery credential.

Today, websites use a wide array of techniques to enable account recovery. Many rely on control of an email address or a cognitive secret. Manufacturers can associate a serial number with a given customer, and require control of a device. One solution proposed is to enable account recovery based on “friend vouches.”

To use Google’s own words, account recovery is most definitely “the achilles heel” of multi-factor authentication. Organizations may want to consider solving this first, before you undertake a multi-factor authentication solution. It is vulnerable to hacking humans, which is the topic of an interesting talk this year at SXSW Interactive.

What is the best way to secure account recovery?

In many organizations, hardware is going to be a long-term fact of life. It represents an ancient trust model: a physical key. Supporting hard tokens at scale is a challenge–its logistically much more difficult than scaling a mobile authentication solution. However, prices for hardware are going down, a promising standard is on the rise (FIDO), and combined with NFC, hardware tokens can be used to authenticate to both a mobile device or laptop. A lot of work needs to be done to make hardware tokens easier to use by organizations. For example enrollment is a logistical nightmare for many hardware solutions.

Many new account recovery solutions will utilize the telephone, SMS, and mobile PUSH networks. These technologies have the most potential to improve existing account recovery systems, while providing a fairly cost effective solution to support at scale.

Biometric account recovery remains a niche, but with the mainstream use of fingerprint in the iPhone, and other clever uses for voice authentication, biometric account recovery is also clearly on the rise.

[:es]

achilles-heel1

Ironically, to reset one credential, you need another. And your organization is only as secure as your weakest account recovery credential.

Today, websites use a wide array of techniques to enable account recovery. Many rely on control of an email address or a cognitive secret. Manufacturers can associate a serial number with a given customer, and require control of a device. One solution proposed is to enable account recovery based on “friend vouches.”

To use Google’s own words, account recovery is most definitely “the achilles heel” of multi-factor authentication. Organizations may want to consider solving this first, before you undertake a multi-factor authentication solution. It is vulnerable to hacking humans, which is the topic of an interesting talk this year at SXSW Interactive.

What is the best way to secure account recovery?

In many organizations, hardware is going to be a long-term fact of life. It represents an ancient trust model: a physical key. Supporting hard tokens at scale is a challenge–its logistically much more difficult than scaling a mobile authentication solution. However, prices for hardware are going down, a promising standard is on the rise (FIDO), and combined with NFC, hardware tokens can be used to authenticate to both a mobile device or laptop. A lot of work needs to be done to make hardware tokens easier to use by organizations. For example enrollment is a logistical nightmare for many hardware solutions.

Many new account recovery solutions will utilize the telephone, SMS, and mobile PUSH networks. These technologies have the most potential to improve existing account recovery systems, while providing a fairly cost effective solution to support at scale.

Biometric account recovery remains a niche, but with the mainstream use of fingerprint in the iPhone, and other clever uses for voice authentication, biometric account recovery is also clearly on the rise.

Be sure to subscibe to
our RSS Feed

Mike Schwartz

Mike has been an entrepreneur and identity specialist for more than two decades. He is the technical and business visionary behind Gluu. Mike is an application security expert and has been a featured speaker at RSA Conference, Gartner Catalyst, Cloud Identity Summity (now "Identiverse") and many other security conferences around the world.