What is Modern Two-Factor Authentication (2FA)?
Two-factor authentication (2FA), a type of multi-factor authentication (MFA), verifies a user's identity with two independent factors, typically something they know (a password) plus something they have (a phone or a hardware key), so that a stolen password alone is not enough to log in. Nine years ago, I wrote about the different criteria to consider when choosing a modern two-factor authentication solution, in What to Look for in a Modern Two-Factor Authentication Solution.
But the requirements of access security and identity have rapidly evolved since then, and the trend is likely to continue, with 32.6 million Americans predicted to work remotely by 2025 (that's 22% of the workforce).
As the risk landscape continues to evolve, it’s more than worth keeping up to date with the latest authentication methods to secure your organization and its users. Let's explore a few common questions you might have about aspects to look for in a (more) modern 2FA solution that addresses the latest risks in data protection.
Is two-factor authentication safe and easy?
It still holds true that the most secure technology is one your users actually want to use. For user-friendly 2FA, look for a solution that has minimal impact on end users, and provides:
A lightweight 2FA mobile app that doesn’t require users to carry a separate device and is compatible with both Android and iOS
Easy authentication in seconds via push notifications sent to their phone
Or, a secure USB device plugged into a laptop that only requires one tap to verify their identity
81% of organizations' breaches stem from stolen or weak passwords. 2FA mitigates this risk: a password alone no longer grants access, and a well-designed second factor costs the user only a few seconds per login.
If you choose to use a 2FA mobile app, assure your users that the app will never store their passwords, view their data, or otherwise invade their privacy.
Is 2FA low-touch for admins?
A modern 2FA solution is cloud-based: there is no hardware or software to install and no servers to set up for deployment. Admins should be able to deploy it quickly, in a matter of hours or days, not weeks or months.
User provisioning should be made as easy as possible, too. While smaller deployments can allow users to sign themselves up for 2FA using self-enrollment, larger groups with thousands of users can enroll via Active Directory synchronization and bulk user imports.
Finally, ongoing management of your modern 2FA solution shouldn’t require dedicated in-house security staff or hours of help desk support. A modern 2FA solution should give admins the capability to easily manage users, phones, tokens (if you choose to use them) and integrations from a single dashboard.
Does 2FA use a built-in, secure design?
Protect Against a Breach – A modern 2FA solution uses asymmetric cryptography so that there is no shared secret to steal. With OTP tokens and apps (HOTP/TOTP), the provider's server must hold the same seed the user's device uses to generate codes; an attacker who dumps that database can generate valid codes for every user and use them to compromise accounts and organizations. With public-key authentication the provider stores only each device's public key, the private key never leaves the user's device, and a copy of the server database cannot produce a valid response.
Secure, Compliant Methods – Check that your 2FA provider supports U2F (Universal 2nd Factor, carried forward in FIDO2/WebAuthn), one of the strongest methods available because it resists phishing and man-in-the-middle (MitM) attacks: the browser includes the site's origin in what the device signs, so a response captured by a look-alike site does not verify at the real one. The National Institute of Standards and Technology (NIST) recommends against SMS-based 2FA (SP 800-63B lists out-of-band authentication over the phone network as restricted), because codes sent by SMS can be intercepted or phished.
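The two points above, shared-secret OTP versus an asymmetric, origin-bound factor, as an added example that is not Duo's code or the page's own: an RFC 4226 HOTP generator shows why a dump of the server's seed table forges codes, and a small U2F-style exchange shows that a dump of public keys does not, and that a phishing site relaying the real challenge gets a signature the relying party rejects. Every key, origin, user and challenge is constructed for illustration.

```go
// Added example, not Duo's code: a shared-secret OTP (the server must keep the
// seed, so a database dump forges codes) next to a U2F-style asymmetric,
// origin-bound second factor (the server keeps only public keys; the browser
// binds each signature to the origin it is really talking to). Constructed data.
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// hotp is RFC 4226 code generation (TOTP is hotp over a time-step counter).
// Device and server both need the seed, so the seed sits in the server's database.
func hotp(seed []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// otpSeedLeak: an attacker with a copy of the server's OTP table produces the
// same code the user's device shows. Returns true when the forged code matches.
func otpSeedLeak() bool {
	seed := []byte("constructed-seed-for-demo") // what the server stores
	stolen := append([]byte(nil), seed...)    // attacker's copy from the dump
	return hotp(stolen, 42) == hotp(seed, 42)
}

// assertion is the authenticator's answer to a challenge. The browser, not the
// page, fills in origin with the site it is actually connected to, and the
// signature covers origin and challenge together.
type assertion struct {
	origin    string
	challenge []byte
	sig       []byte
}

func signedMessage(origin string, challenge []byte) []byte {
	return append([]byte(origin+"|"), challenge...)
}

// sign models browser plus authenticator; priv never leaves the device.
func sign(priv ed25519.PrivateKey, origin string, challenge []byte) assertion {
	return assertion{origin, challenge, ed25519.Sign(priv, signedMessage(origin, challenge))}
}

// verify is the relying party (RP) check. pub is all the RP ever stored.
func verify(pub ed25519.PublicKey, rpOrigin string, challenge []byte, a assertion) bool {
	if a.origin != rpOrigin || string(a.challenge) != string(challenge) {
		return false // wrong site, or not the challenge we issued
	}
	return ed25519.Verify(pub, signedMessage(a.origin, a.challenge), a.sig)
}

const rpOrigin = "https://login.example.com" // constructed RP

func newChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// publicKeyLeak: the genuine device is accepted; an attacker who dumped the RP
// database (public keys only) signs with a key of their own and is rejected.
func publicKeyLeak() (genuineAccepted, forgedRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // priv stays on the device
	ch1 := newChallenge()
	genuineAccepted = verify(pub, rpOrigin, ch1, sign(priv, rpOrigin, ch1))
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	ch2 := newChallenge()
	forgedRejected = !verify(pub, rpOrigin, ch2, sign(attackerPriv, rpOrigin, ch2))
	return genuineAccepted, forgedRejected
}

// phishingRelay: evil.example forwards the RP's real challenge to the victim,
// whose browser signs it under the origin it sees. Returns true if the RP
// rejects both the relayed assertion and a copy with the origin field edited.
func phishingRelay() bool {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ch := newChallenge()
	a := sign(priv, "https://evil.example", ch)
	rejectedAsIs := !verify(pub, rpOrigin, ch, a)
	a.origin = rpOrigin // attacker rewrites the field; signature still covers evil.example
	rejectedRewritten := !verify(pub, rpOrigin, ch, a)
	return rejectedAsIs && rejectedRewritten
}

func main() {
	fmt.Println("OTP seed dump forges codes:", otpSeedLeak())
	g, f := publicKeyLeak()
	fmt.Println("genuine key accepted:", g, "| forgery from public-key dump rejected:", f)
	fmt.Println("phishing relay rejected:", phishingRelay())
}
```

The relying party here keeps nothing an attacker could sign with, and the origin check is done by the browser on the user's side, which is exactly what the phishing site cannot influence; real U2F/WebAuthn additionally binds the key handle to the site and keeps a signature counter for replay detection, both omitted here to keep the exchange short.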
Fast, Easy Secure Patching – To protect against new vulnerabilities, a modern 2FA solution should send frequent, automatic updates directly to your users’ devices to ensure they have the latest security patches.
Does 2FA extend visibility?
A modern 2FA solution should also give admins access to authentication logs for reporting, analytics, and compliance requirements. With detailed user and device reports, you should get visibility into the security health of your users’ devices with an at-a-glance security dashboard.
Your 2FA solution should also let you pull security logs through an API into your security information and event management (SIEM) system for customized reporting and security analysis, and to meet industry requirements such as PCI DSS, whose Requirement 10 calls for tracking and monitoring all access to network resources and cardholder data.
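What an exported authentication log looks like once it reaches the SIEM side, as an added example that is not Duo's API or the page's own code: constructed JSON records in the shape a provider might return are normalized into flat key=value lines and summarized per user and per denial reason, the two views an analyst and a compliance reviewer ask for first. The field names and the sample events are assumptions; a real provider's export has its own schema and needs paging.

```go
// Added example, not Duo's export API: turning authentication log records into
// flat key=value lines that a SIEM ingests without a custom parser, plus a
// small per-user and per-reason report. The JSON schema and the sample
// records are constructed; a real provider's API has its own fields and paging.
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// AuthEvent is one authentication attempt as a provider might export it.
type AuthEvent struct {
	Timestamp   int64  `json:"timestamp"` // Unix seconds
	User        string `json:"user"`
	Result      string `json:"result"` // "success" or "denied"
	Reason      string `json:"reason"` // policy or user reason for the result
	Factor      string `json:"factor"`
	IP          string `json:"ip"`
	Country     string `json:"country"`
	Integration string `json:"integration"` // the protected application
}

// sampleExport is constructed data standing in for an API response.
const sampleExport = `[
 {"timestamp":1700000000,"user":"alice","result":"success","reason":"user_approved","factor":"u2f","ip":"203.0.113.7","country":"US","integration":"vpn"},
 {"timestamp":1700000060,"user":"bob","result":"denied","reason":"user_denied","factor":"push","ip":"198.51.100.9","country":"US","integration":"vpn"},
 {"timestamp":1700000120,"user":"bob","result":"denied","reason":"user_denied","factor":"push","ip":"198.51.100.9","country":"US","integration":"vpn"},
 {"timestamp":1700000180,"user":"bob","result":"denied","reason":"location_restricted","factor":"push","ip":"192.0.2.44","country":"RU","integration":"mail"},
 {"timestamp":1700000240,"user":"carol","result":"denied","reason":"anonymous_ip","factor":"sms","ip":"192.0.2.200","country":"NL","integration":"mail"},
 {"timestamp":1700000300,"user":"alice","result":"success","reason":"user_approved","factor":"u2f","ip":"203.0.113.7","country":"US","integration":"mail"}
]`

func ParseEvents(raw string) ([]AuthEvent, error) {
	var evs []AuthEvent
	err := json.Unmarshal([]byte(raw), &evs)
	return evs, err
}

// ToKV renders one event as a key=value line. Free-text values are quoted so a
// space or "=" inside a field cannot split the record at ingestion.
func ToKV(e AuthEvent) string {
	ts := time.Unix(e.Timestamp, 0).UTC().Format(time.RFC3339)
	return strings.Join([]string{
		"ts=" + ts,
		"user=" + strconv.Quote(e.User),
		"result=" + e.Result,
		"reason=" + strconv.Quote(e.Reason),
		"factor=" + e.Factor,
		"src_ip=" + e.IP,
		"src_country=" + e.Country,
		"app=" + strconv.Quote(e.Integration),
	}, " ")
}

// DeniedByUser counts denials per user.
func DeniedByUser(evs []AuthEvent) map[string]int {
	counts := map[string]int{}
	for _, e := range evs {
		if e.Result == "denied" {
			counts[e.User]++
		}
	}
	return counts
}

// UsersOverThreshold lists users with at least n denials, sorted, as the
// starting point for a review queue.
func UsersOverThreshold(counts map[string]int, n int) []string {
	var users []string
	for u, c := range counts {
		if c >= n {
			users = append(users, u)
		}
	}
	sort.Strings(users)
	return users
}

// DenialsByReason aggregates why attempts were denied, which is what a
// compliance report on blocked access usually asks for.
func DenialsByReason(evs []AuthEvent) map[string]int {
	counts := map[string]int{}
	for _, e := range evs {
		if e.Result == "denied" {
			counts[e.Reason]++
		}
	}
	return counts
}

func main() {
	evs, err := ParseEvents(sampleExport)
	if err != nil {
		panic(err)
	}
	for _, e := range evs {
		fmt.Println(ToKV(e)) // one line per event, ready for the SIEM collector
	}
	fmt.Println("users with 2+ denials:", UsersOverThreshold(DeniedByUser(evs), 2))
	fmt.Println("denials by reason:", DenialsByReason(evs))
}
```

Keeping the timestamp in UTC and the source address and country as separate fields is what makes the later geo and anonymous-network policy questions answerable from the SIEM rather than only from the provider's dashboard.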
What are 2FA user access policies?
More advanced 2FA solutions give your administrators the capability to create user access policies to further strengthen your security profile. Examples of user access policies might include:
Block authentication requests originating from countries you don’t do business in
Block requests from anonymous networks, like Tor
Customize which authentication methods your users can use – require only the most secure methods, like U2F, and restrict the use of easier methods, like SMS-based 2FA
Today's 2FA solutions also let admins create role-based access policies, organizing authenticated users into functional groups based on their job role and the amount of access they need.
Only designated admins should be able to disable an authentication method for a user or bypass 2FA on their behalf; a user must not be able to turn it off for themselves. Without 2FA, a user and their organization alike may find themselves at high risk of attacks and data breaches.
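The policies listed above evaluated against individual authentication attempts, as an added example that is not Duo's policy engine or the page's own code: a country allow-list, an anonymous-network block and a per-group list of permitted methods, with the policy chosen by the user's directory group. The group names, countries, field names and sample attempts are constructed for illustration.

```go
// Added example, not Duo's policy engine: evaluating access policies of the
// kinds listed above (country allow-list, anonymous-network block, per-group
// allowed methods) against one authentication attempt. Groups, countries,
// field names and the sample attempts are constructed for illustration.
package main

import "fmt"

// Attempt is what the policy engine knows about one request before the user
// is prompted for a second factor.
type Attempt struct {
	User      string
	Group     string // from directory sync, e.g. "finance"; "" if unknown
	Country   string // ISO 3166-1 alpha-2 derived from the source address
	Anonymous bool   // source is a Tor exit or other anonymizing proxy
	Factor    string // method the client asked to use: "u2f", "push", "sms"
}

// Policy applies to one group; "default" covers users in no named group.
type Policy struct {
	AllowedCountries []string // empty means no country restriction
	BlockAnonymous   bool
	AllowedFactors   []string
}

type Decision struct {
	Allow  bool
	Reason string
}

func contains(xs []string, x string) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

// Evaluate runs the deny rules first so the reason names the strongest
// signal, then checks that the requested method is one the group may use.
// A user whose group has no policy and no default is denied (fail closed).
func Evaluate(policies map[string]Policy, a Attempt) Decision {
	p, ok := policies[a.Group]
	if !ok {
		if p, ok = policies["default"]; !ok {
			return Decision{false, fmt.Sprintf("no policy for group %q", a.Group)}
		}
	}
	if len(p.AllowedCountries) > 0 && !contains(p.AllowedCountries, a.Country) {
		return Decision{false, "country " + a.Country + " not in allow-list"}
	}
	if p.BlockAnonymous && a.Anonymous {
		return Decision{false, "anonymous network"}
	}
	if !contains(p.AllowedFactors, a.Factor) {
		return Decision{false, fmt.Sprintf("method %s not permitted; allowed %v", a.Factor, p.AllowedFactors)}
	}
	return Decision{true, "ok"}
}

// ExamplePolicies: finance handles the most sensitive data, so only U2F and
// only from the two countries the company operates in; everyone else may also
// use push; SMS is permitted nowhere.
func ExamplePolicies() map[string]Policy {
	return map[string]Policy{
		"finance": {AllowedCountries: []string{"US", "CA"}, BlockAnonymous: true, AllowedFactors: []string{"u2f"}},
		"default": {BlockAnonymous: true, AllowedFactors: []string{"u2f", "push"}},
	}
}

func main() {
	pol := ExamplePolicies()
	for _, a := range []Attempt{ // constructed attempts
		{"alice", "finance", "US", false, "u2f"},
		{"alice", "finance", "US", false, "push"},
		{"bob", "finance", "BR", false, "u2f"},
		{"carol", "", "US", true, "push"},
		{"dave", "", "DE", false, "sms"},
	} {
		d := Evaluate(pol, a)
		fmt.Printf("%-6s group=%-9q country=%s anon=%-5v %-4s -> allow=%-5v %s\n",
			a.User, a.Group, a.Country, a.Anonymous, a.Factor, d.Allow, d.Reason)
	}
}
```

The ordering matters for operations: a denial reason of "anonymous network" is far more useful in the log than "method not permitted" when both apply, and failing closed on a missing policy is the difference between a misconfigured directory sync causing a few tickets and causing an unprotected login path.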
Is 2FA’s total cost of ownership (TCO) low?
New 2FA solutions are offered as software as a service (SaaS), eliminating many upfront installation and maintenance costs associated with older solutions, including hardware, software, token, server, and data centers.
Remember, 2FA technology that is difficult to deploy, use, and maintain requires more work from your IT team and help desk. Ongoing maintenance costs should be covered by design: a modern 2FA solution is run by full-time security professionals who roll out the latest security updates to your users automatically, lessening the load on your IT team.
Plus, 2FA customer support should be responsive and proactive, helping your team through deployment, provisioning, integration, and maintenance to reduce the resources needed to support a 2FA solution.
Duo vs. Traditional 2FA
How does Duo stack up against traditional two-factor authentication solutions? Find out how to upgrade your security and lower your costs in Duo vs. Traditional Two‑Factor.
Two-Factor Authentication Evaluation Guide
Get more in-depth information by downloading the Two-Factor Authentication Evaluation Guide. In this guide, you will learn how to evaluate a solution based on:
Security – Does your solution reduce risks, and can it provide visibility into your environment?
Strategic Business Initiatives – Does your solution support cloud, mobile and BYOD initiatives? And can it fulfil compliance?
Total Cost of Ownership (TCO) – Does your solution provide more upfront value, or more hidden costs?
Resources Required – Determine what kind of resources it’ll take to deploy and provision your users.