Living in a business world of confidential data, documents, and managing who can have access to the same, is a daunting task. With the world of identity theft simple logins and passwords don’t cut it anymore. People who are trusted with securing the perimeter need more help and that change is coming quickly in the form of “Two Factor Authentication” (2FA). 2FA is not new. What’s new is its requirement in daily business application logon. Example: Today case managers login to their solution, enter their password and go to work. What’s coming as “Best Practices” is introducing a second step of authentication such as Smartphone texting access codes or emails. Users, in addition to having a password, will need a device to navigate the second step before they can go to work.
Two Factor Authentication is exactly that—two inputs to secure an identity. The rules are that an identity can have a strong password or passphrase, something they know. 2FA requires a second input as something they have—a device (i.e., Smartphone, FOB or Card Swipe) to which only they would have access. 2FA used to be isolated to members of IT staff and those with data management roles, but now anyone that has access to confidential information will require 2FA.
As a solution provider we adopted 2FA years ago. New threats appearing all the time, we found that with “Cross Site Forgery” we had to add CAPTCHA inquiries for all administrative roles. Now the conversations in security associations is “Three Factor Authentication” (3FA), entering biometrics into “IT Best Practices.” The most mentioned are fingerprints, eye scans and facial recognition. With identity thefts still leading the FBI’s most active crimes today—with the agency stating, “The threat is incredibly serious—and growing,”—will these added layers make us safer?
I believe we do not need more layers of authentication which impacts usability, cost and denying access. I believe we need to change today’s “Push Model” of text message, Code generators, FOB or other device receiving the access information, to a “Pull Model” or Wallet Security. Having the device remains valid but adding biometric requirements will leave people out, shift the financial burden to companies and, at best, result in low adoption, missing its intent.
Wallet Security is something that two parties know about each other. It can be simple and there can be more than one challenge. Simple second factor could be, “From this set of twelve pictures, which one is yours?” “How many grandchildren do you have?” “What is your dog’s name?” Complex answers may require a PIN or the first six digits of your credit card.
In recent years Electronic Signatures have come under attack in the courts because the judges don’t believe login and passwords are enough to authenticate an identity. Identity theft resulting from breaches has compromised the integrity of the authentication scheme and the courts wanted to see more identity evidence. The cases at hand were resulting from defendants claiming that they did not E-Sign the documents. Judges defending their decisions want more evidence of a relationship among the virtual parties, like voice signatures, recording with unique qualifying questions and answers; Wallet Security.
Wallet Security is the closest we’ll get to biometrics without requiring special equipment to execute. Ten years ago, some people in the credit card industry thought putting your picture on your credit card would deter theft. It was DOA because CC thieves behave differently and the best thing your picture served was in “Lost and Found.” Maybe here is a case where “signing selfies” and social media can come together as evidence of authentication in E-Signing events. Think about the data points the device and picture can document as evidence (GPS, Date-Time, Secure Smartphone, IP and more) and how social media can serve as “witness” to a given identity as needed.
Well, back to the point and to wrap this up, 80 percent of us in the business world do not use 2FA in our day-to-day lives. Within the next few years it will be a requirement to enhance our perimeter security. To that end, where possible, select Wallet Security based solutions for better authentication and usability.