Security Weaknesses of Conventional 2-Factor Authentication

While conventional two-factor authentication improves security over a password alone, it remains vulnerable to a number of attacks. NIST's draft update to its Digital Identity Guidelines (SP 800-63B) deprecates SMS as an out-of-band second factor, citing the risk that the code is intercepted or redirected before it reaches the user. SMS-based second factors are especially vulnerable to mobile banking malware (e.g. Spy.Agent, Acecard, and GM Bot), which reads incoming messages on the infected phone, and to attacks that capture the OTP in transit. One-time codes in general do not stop man-in-the-middle, social engineering and phishing attacks: the code is a short string the user is asked to type, so a phishing page that captures it and relays it to the real service within its validity window is accepted exactly as if the user had typed it there. As long as the user enters credentials manually, the authentication process is open to this class of attack.
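The relay problem described above, as an added example (not code from the original page or from any product it describes): a minimal RFC 6238 TOTP implementation on the server side, plus a simulated phishing page that captures the code the victim types and submits it to the real service a few seconds later. The shared secret is the RFC 6238 test-vector secret and the timestamps are constructed for the demonstration; the function names are this example's own.

```python
"""Simulated real-time phishing relay of a TOTP code (added example, not the page's code).

The HOTP/TOTP routines follow RFC 4226 / RFC 6238 (HMAC-SHA1, 30 s step, 6 digits).
The shared secret is the RFC 6238 test-vector secret; the timestamps are constructed.
"""
import hashlib
import hmac
import struct

# RFC 6238 test-vector secret (ASCII "12345678901234567890"); a real authenticator
# would hold a random secret enrolled via a QR code.
SECRET = b"12345678901234567890"
STEP = 30        # seconds per time step
DIGITS = 6
WINDOW = 1       # server accepts the previous, current and next step (clock skew)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the Unix-time step counter."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = STEP,
                window: int = WINDOW) -> bool:
    """Server-side check: accept the code for any step within +/- window."""
    current = at // step
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(current - window, current + window + 1))


def phishing_relay(secret: bytes, typed_at: int, delay: int) -> bool:
    """Simulate a phishing page that captures the code the victim types at
    `typed_at` and submits it to the real service `delay` seconds later.
    Returns True if the real service accepts the relayed code."""
    stolen_code = totp(secret, typed_at)          # what the victim's app displayed
    return verify_totp(secret, stolen_code, typed_at + delay)


if __name__ == "__main__":
    t = 1111111109                                # constructed login time
    print("victim's code:", totp(SECRET, t))      # 081804 (RFC 6238 vector, 6 digits)
    print("relayed after 20 s:", phishing_relay(SECRET, t, 20))    # True
    print("relayed after 120 s:", phishing_relay(SECRET, t, 120))  # False
```

The server has no way to tell the relayed submission from a genuine one: the code is derived only from the shared secret and the clock, not from the site the user believed they were logging in to, so anything that arrives inside the step window (plus the skew allowance) verifies. Only a delay longer than the window defeats the relay, and a live phishing proxy forwards the code in well under a second.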

Conventional two-factor authentication is also one of the most inconvenient security controls in use today, and the friction it adds to login has turned a large number of users against it. Hardware second factors such as dongles and fobs get lost or misplaced, which leaves the user locked out. SMS codes are sometimes not delivered at all, or arrive late, after the code has already expired. And at the end of the day users still have to manage passwords: after entering the password, they must type a second-factor code by hand.

Smartcards, More Secure But Inconvenient

Organizations in highly regulated industries often deploy smartcards on top of an existing PKI. Although smartcards provide a much higher level of security than passwords, they are among the least favored second factors for IT staff and users alike. The primary reason is that they were not designed for mobile users: a card needs a reader, which phones, tablets and some laptops such as the MacBook do not have built in, so desktops and laptops need an external reader or adaptor, and a user who needs access from more than one device at a time cannot be in two places with one card. Cards also get lost more often because of their size and shape, and each loss means issuing and provisioning a replacement, which drives up cost. A lost card is protected only by its PIN: whoever finds it and also learns the PIN (shoulder-surfed, written on the card, or guessed before the retry counter locks it) can authenticate as the user until the certificate is revoked, so revocation and reissue have to be prompt.

