2FA is critical to compliance

    Two Factor Authentication Eases Compliance Concerns

    Mention the word compliance and many an InfoSec professional will shudder at the thought of having to achieve it without any missteps. While compliance regulations are numerous and spread across multiple industries, they all share one thing: the need to secure the data involved. Compliance standards such as PCI DSS, HIPAA, SOX and others all demand that certain types of information be kept private and protected from interception.

    Security and privacy are arguably the biggest issues when it comes to compliance, especially since a violation of either requirement can lead to massive fines, lawsuits and numerous other problems for any business bound by a compliance regime. Ironically, despite all the focus on security and privacy, breaches still occur, often because organizations have not adopted the controls needed to protect sensitive information properly.

    Most breaches stem from flaws in security: lax practices or unpatched software let persons unknown gain access to sensitive systems. The key phrase here is "persons unknown". Simply put, it all comes down to identity, the who, what, when and where of access, and those are elements that two-factor authentication (2FA) establishes far better than a password alone.

    What is two-factor authentication?

    Typically, three factors are recognized that can be used to prove who a user actually is:

    Something known by the user: (such as a password)

    Something possessed by the user: (a smartphone or electronic key)

    Something integral to the user: (fingerprint, retina, face, voice)

    Each of those factors can be thought of as a different dimension, such as X, Y and Z. Every authentication method in use today falls into one of those identity dimensions. By combining two or more of them you add assurance that the person is indeed who they claim to be. 2FA means an attacker must solve two fundamentally different problems, in two different dimensions, in order to impersonate the user.

    Using a password and a CAPTCHA (or a pictogram the user picks) on a website does not constitute 2FA, because it does not draw on two different identity dimensions. A CAPTCHA only shows that a human is present; it proves nothing about which human. Anything the site asks the user to type or choose, whether a PIN, a security question or a remembered picture, is still something the user knows. This type of authentication is called multi-layer single factor and should not be confused with 2FA.
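    To make the distinction concrete, here is an added example (not code from the original article or from AuthAnvil) of a server checking both factors named above: a knowledge factor (a password checked against a salted PBKDF2 hash) and a possession factor (an RFC 6238 TOTP code of the kind an authenticator app or hardware token produces). The user record, salt, password and clock values are constructed for the demo; the TOTP seed is the RFC 6238 test-vector seed so the generated codes can be checked against the RFC's table. Swapping the TOTP check for a second knowledge check, such as a security question, would leave this single-factor.

```python
"""Two factors, actually checked: password (something known) + TOTP (something possessed).
Added example with constructed data; not the article's or any vendor's code."""
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def hash_password(password: str, salt: bytes, rounds: int = 200_000) -> bytes:
    """Knowledge factor at rest: salted PBKDF2-HMAC-SHA256, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


# Constructed demo user. The seed is the RFC 6238 test-vector seed, used here only so the
# codes can be cross-checked against the RFC; a real enrolment uses a random per-user seed.
SALT = b"constructed-demo-salt"
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,  # replay guard: highest time step already accepted
    }
}


def match_totp(user: dict, code: str, now: int, step: int = 30, window: int = 1) -> Optional[int]:
    """Return the time step whose code matches, allowing one step of clock skew either side.
    Steps at or below the last accepted one are never considered, so a captured code
    cannot be replayed within the window."""
    current = now // step
    for counter in range(current - window, current + window + 1):
        if counter > user["last_counter"] and hmac.compare_digest(
            hotp(user["totp_secret"], counter), code
        ):
            return counter
    return None


def login(username: str, password: str, code: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Both factors must pass. Both are evaluated before deciding, so a wrong password does
    not short-circuit and reveal which factor failed through timing; the TOTP step is only
    consumed (marked used) when the whole login succeeds."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        return False, "authentication failed"
    pw_ok = hmac.compare_digest(hash_password(password, SALT), user["pw_hash"])
    matched = match_totp(user, code, now)
    if pw_ok and matched is not None:
        user["last_counter"] = matched
        return True, "ok"
    return False, "authentication failed"


if __name__ == "__main__":
    t = 1111111109  # constructed clock value from the RFC 6238 table
    current_code = totp(USERS["alice"]["totp_secret"], t)
    print(login("alice", "correct horse battery staple", current_code, t))  # both factors: ok
    print(login("alice", "correct horse battery staple", current_code, t))  # same code again: replay rejected
    print(login("alice", "guessed password", totp(USERS["alice"]["totp_secret"], t + 30), t + 30))
```

    The point the code makes is the one the text makes: stealing the password alone, or capturing one code alone, is not enough, and a captured code also expires after a step and cannot be reused. Clock skew between client and server is the usual operational problem, which is why a one-step window is tolerated rather than an exact match.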

    2FA and Compliance:

    While the specific rules of each compliance standard differ, the requirements set forth by PCI DSS express the idea of identity most clearly.

    • Requirement 8: Assign a unique ID to each person with computer access: Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.
    • Requirement 8.3: Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. (For example, remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; or other technologies that facilitate two-factor authentication.)

    The requirements set forth by PCI DSS are an excellent starting point for implementing 2FA and illustrate how 2FA is becoming a must-have under compliance regulations. Note that the wording quoted above is from an older version of the standard; from PCI DSS 3.2 onward the requirement speaks of multi-factor authentication and extends it to all non-console administrative access to the cardholder data environment, not just remote access from outside the network.

    Additional 2FA Benefits:

    2FA brings additional benefits to the table. Relying on only one authentication factor leaves access control with a single point of failure: if the knowledge, device or biometric pattern is compromised, anyone who holds it can impersonate the user. Certain situations make this worse:

    • Careless users share passwords, write them down in places easy to find, or reveal them by means of social engineering
    • Smart cards, tokens, keys, and similar can be stolen or lost
    • Biometric patterns can be reproduced by different kinds of technologies (from high-definition video and voice recorders, to low-tech rubber fingers)

    2FA creates an additional layer of protection against anyone seeking unauthorized access, because even if a wrongdoer compromises one factor, it is useless without the second. The caveat is that this holds only while the factors stay independent: an attacker who captures both in a single session, for instance through a phishing page that relays the one-time code in real time, or malware on the device that holds the second factor, defeats the separation.

    Nevertheless, it all comes down to the proper selection of a pair of authentication factors, and choosing them requires weighing a risk assessment, the desired security level, implementation costs and the resources available.

    In most cases that leads to 2FA based upon a combination of something you know and something you have (e.g., passwords and smart cards).

    When picking a 2FA solution, make sure it supports more than one type of second factor, integrates with the systems you need to cover (remote access, administrative consoles, directory services), and is easy to implement, manage and maintain.

    Learn how AuthAnvil deepens security through 2FA here.
