Introduction
Two-factor authentication schemes improve the security of password-based login by adding a secondary authentication token. Mobile two-factor authentication schemes do not need extra hardware such as a smartcard for storing and handling the secondary token and are therefore regarded as a reasonable trade-off between cost, usability, and security. Two-factor authentication (2FA) is heavily used in online banking and is also widely adopted by internet service providers. Security and privacy threats from malware keep growing in both sophistication and volume (Colnago et al., 2018, p. 71). From this perspective, traditional password authentication is regarded as inadequately secure for several security-sensitive applications such as personal login accounts and online banking. 2FA schemes promise better protection by extending the single-factor scheme (something the user knows) with further factors such as something the user has, for instance a phone, or something the user is. SMS-based TAN systems are a good example of mobile 2FA. Their objective is to limit account abuse even when the banking login credentials have been compromised. SMS-based TAN schemes are widely adopted across the world, and many banks are currently using visual-based TAN systems (Khamis et al., 2017, p. 4). Furthermore, the use of mobile 2FA is increasing, especially by global service providers like Facebook, Google, and Twitter, which apply it at user login to moderate the substantial abuse of the services they provide. This paper will discuss the 2FA schemes used by Facebook, Twitter, and Google, discuss whether 2FA should be made mandatory, and examine how it mitigates the risks associated with password-only systems.
The paper will also discuss instances in which 2FA was not used and the social consequences that followed.
Google currently offers various 2FA schemes which have helped to improve online security. It uses an on-device prompt on Android devices: the user is notified with a “Trying to sign in?” prompt appearing on the screen of the device (“Google 2-Step Verification,” n.d.). This bars an intruder from using another person’s device to access his or her personal information or data. Another form of 2FA that Google uses is SMS codes. When logging into a Google account, a secondary SMS code is sent to the user’s phone, which he or she must enter to get access to the account. Google says that SMS codes have helped in blocking 100% of automated attacks. Google also offers a physical security key as another form of 2FA, which is said to be the safest and to block 100% of every type of attack (“Google 2-Step Verification,” n.d.). Moreover, Google uses other 2FA forms such as a secondary email address, the last sign-in location, and a phone number. However, these forms are less secure: they can fend off bots but not targeted attacks or phishing. Most users prefer adding a recovery phone number to their Google account as a safe way to secure it whenever Google detects suspicious activity.
Facebook offers two-factor authentication through apps such as Google Authenticator and Duo, which helps strengthen the security of users on the site. Facebook also offers 2FA through a phone number that receives SMS codes used to verify access to one’s Facebook account. Facebook has added other forms of 2FA as well, such as Facebook’s own code generator and physical security keys, within the Facebook app itself (“Facebook,” n.d.). Moreover, Facebook has lately rolled out another update to 2FA that is currently available to most of its users: it has streamlined its on-boarding process for 2FA, which makes the added security feature easier for users to reach. The update came after Facebook was criticized for using the phone numbers that people had supplied for two-factor authentication to send spam messages, an accusation Facebook answered by admitting it was a bug (“Facebook,” n.d.). Facebook also supports authenticator apps, which turn out to be safer since they are tied to the user’s specific device rather than to a phone number. By backing up recovery codes, the user can still access the account even if the phone is lost. Facebook allows its users to generate recovery codes up to 10 times.
Why 2FA Should Be Mandatory
Authenticating a user before granting access to a secure application is a critical security step in protecting the digital assets of any company. For a long time, the username and password has been the orthodox mechanism for authenticating users and proving identity, even though password security is inherently flawed. Passwords are prone to security issues because of poor password hygiene, such as reusing the same password across various apps or choosing simple, easy-to-guess passwords, which puts operations at risk. Advanced authentication schemes mitigate such threats, and that is why 2FA should be mandatory to address these safety concerns (Wang et al., 2018, p. 4085). 2FA is an additional layer of security intended to reduce the risk of the automated attacks that affect single-password authentication. The use of 2FA plays a vital role in securing personal information online, and every online site should adopt it, although it is not mandatory for every industry. In reality, 2FA is already a required security measure to comply with specific password restrictions in areas like government, defense, finance, law enforcement, and healthcare.
Finance
The finance sector has significantly embraced the use of 2FA schemes. Every time someone uses an ATM, he or she is using 2FA: both the PIN and the ATM card are needed to access the bank account. Similarly, in online banking, one needs a PIN and a phone number to which a verification code will be sent. More financial services have now shifted online and, because of the resulting security concerns, it would be important to make the use of 2FA mandatory in order to improve security. Essentially, every company that processes and stores card payment information needs to comply with PCI-DSS, meaning it should take further steps and provide two authentication factors, or more if possible, to make sure that security concerns are addressed (Wang et al., 2018, p. 4089). The Acts governing the finance industry do not openly stipulate that 2FA is a requirement that must be complied with, but they do encourage and advocate stricter internal controls on financial details. Likewise, they do not dictate a password policy, though they require businesses to establish and abide by appropriate measures to ensure that the financial information of their customers is safe. A single-password authentication solution has been found not to be reliable and secure enough to conform with the strict internal controls that these laws and acts demand. Even though these policies do not openly endorse the implementation of 2FA, it is essential to use 2FA, and it should be made mandatory. With over a billion plaintext passwords available online and the data breaches that have occurred, every organization should regard itself as exposed to a data breach; using 2FA helps to mitigate this risk.
Healthcare
The Privacy Act 1988 was established to protect the privacy of every person’s healthcare information. Under the Privacy Act 1988, healthcare organizations are required to develop measures that enforce password security (Han et al., 2018, p. 409). This act does not make it a requirement to implement 2FA, but it does require organizations to address password security concerns adequately using effective methods. As in the finance sector, 2FA is capable of ensuring that healthcare organizations maintain a high level of password security and comply with industry regulations. In this sense, since 2FA provides better password security, its use should be made mandatory.
Defense
The military also uses 2FA through the Common Access Card (CAC) issued to active Uniformed Service personnel, DoD civilian employees, eligible contractors, and the Selected Reserve (Han et al., 2018, p. 412). The Common Access Card gives military users physical access to buildings and controlled spaces and provides access to DoD systems.
Law enforcement
Law enforcement agencies that use Criminal Justice Information Services need multi-factor authentication to gain access to criminal justice or crime information. If law enforcement officers access Criminal Justice Information Services through a mobile terminal, or from any location that is not secured, they must use 2FA (Zhang et al., 2018, p. 32679). This requirement shows the real-world need for applying 2FA where single-factor authentication systems cannot offer the standard of security required to keep essential data safe.
Government
For many years, the use of 2FA has been an obligatory requirement for accessing government websites. This policy has led to partnerships between the government and leading technology providers like Google, Microsoft, and Facebook to promote the use of 2FA (Mann and Loebenberger, 2017, p. 215). These initiatives established by the government show that 2FA is the best solution to mitigate the risks facing single-password authentication systems.
Global requirement for 2FA
Even if a company is not required to comply with regulations or with requirements set by the judiciary or government, 2FA remains highly valuable. Essentially, automated password attacks like password spraying and credential stuffing capitalize on poor password practices (Mann and Loebenberger, 2017, p. 216). Implementing 2FA helps organizations fortify the security of their other systems, their data, and their customer information. In an online world where passwords tend to be the only defensive mechanism protecting systems from unauthorized access, 2FA is no longer a nice-to-have but a must-have.
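The automated attacks named above leave a recognizable shape in authentication logs: one source failing against many different usernames with roughly one attempt each (the spray / stuffing shape), as opposed to many attempts against a single account (brute force). The following detector is an added example written for this paper, not code from any cited work or provider. It assumes a hypothetical log format of the form `timestamp src=IP user=NAME result=OK|FAIL`, the sample lines are constructed (using documentation IP ranges), and the thresholds are assumptions a defender would tune. Successful logins inside an attack burst are reported separately, since those are the accounts on which a password-only system has just failed and where a second factor would have stopped the login.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical format (not from any real system).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL",
    "2024-05-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL",
    "2024-05-01T10:00:03Z src=203.0.113.5 user=carol result=FAIL",
    "2024-05-01T10:00:04Z src=203.0.113.5 user=dave result=FAIL",
    "2024-05-01T10:00:05Z src=203.0.113.5 user=erin result=FAIL",
    "2024-05-01T10:00:06Z src=203.0.113.5 user=frank result=OK",
    "2024-05-01T10:00:07Z src=203.0.113.5 user=grace result=FAIL",
    "2024-05-01T10:05:00Z src=192.0.2.44 user=alice result=OK",
    "2024-05-01T10:06:00Z src=192.0.2.44 user=bob result=FAIL",
    "2024-05-01T10:06:30Z src=192.0.2.44 user=bob result=OK",
    "this line is not an auth record",
] + [  # ten failures against one account from one source, five seconds apart
    f"2024-05-01T10:01:{5 * i:02d}Z src=198.51.100.9 user=admin result=FAIL"
    for i in range(10)
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return a dict for a well-formed record, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def classify(events, min_users, max_per_user, min_attempts, min_fail_ratio):
    """Label one source's events inside a time window, or return None."""
    failures = sum(1 for e in events if not e["ok"])
    if failures / len(events) < min_fail_ratio:
        return None  # mostly successful traffic is ordinary use
    users = {e["user"] for e in events}
    if len(users) >= min_users and len(events) / len(users) <= max_per_user:
        # Many accounts, about one guess each: the spray / stuffing shape.
        return "spray_or_stuffing"
    if len(users) == 1 and len(events) >= min_attempts:
        # One account hammered repeatedly: classic brute force.
        return "brute_force"
    return None


def detect(lines, window=timedelta(minutes=10), min_users=5, max_per_user=2,
           min_attempts=8, min_fail_ratio=0.8):
    """Slide a time window over each source's events; keep the largest match."""
    by_src = defaultdict(list)
    for e in filter(None, map(parse_line, lines)):
        by_src[e["src"]].append(e)
    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        j = 0
        for i in range(len(events)):
            # Drop events that fall out of the window ending at events[i].
            while events[j]["ts"] < events[i]["ts"] - window:
                j += 1
            span = events[j:i + 1]
            pattern = classify(span, min_users, max_per_user, min_attempts, min_fail_ratio)
            if pattern and len(span) > findings.get(src, {}).get("attempts", 0):
                findings[src] = {
                    "pattern": pattern,
                    "attempts": len(span),
                    "users": len({e["user"] for e in span}),
                    # Logins that succeeded inside the burst: the accounts to
                    # step up (force 2FA enrolment, reset, notify the owner).
                    "succeeded": sorted({e["user"] for e in span if e["ok"]}),
                }
    return findings


if __name__ == "__main__":
    for src, finding in detect(SAMPLE_LOG).items():
        print(src, finding)
```

On the constructed sample, 203.0.113.5 is reported as the spray / stuffing shape with one successful login (frank), 198.51.100.9 as brute force against admin, and the ordinary traffic from 192.0.2.44 (one typo followed by a successful retry) is not flagged.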
How 2FA Mitigates the Risks of Password-Only Systems
2FA pairs one factor, something you know such as a password, with a second factor, something you have such as a mobile phone, to establish a layered defense at the point of access. In a password-only system, an attacker can access a system with just the password. With two-factor authentication, the second factor, which requires a personal device, would undoubtedly prevent the attacker from gaining access to one’s account (Jarecki et al., 2018, p. 434). Moreover, password strength alone is not enough to secure an account in a password-only system. 2FA used together with a username can prevent unauthorized access and credential leakage by ensuring that only the user who can be authenticated against the second factor is granted access to an online resource.
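The layered check described here, and the authenticator-app and recovery-code features attributed to Facebook earlier, can be shown in one small login routine. The code below is an added example written for this paper; it is not Google’s, Facebook’s or any cited author’s implementation. The authenticator-app factor follows the published HOTP (RFC 4226) and TOTP (RFC 6238) algorithms with HMAC-SHA1, 30-second steps and 6 digits, which is what common authenticator apps generate; the issuer name, the account layout, the PBKDF2 round count and the recovery-code format are assumptions. It also goes beyond the paragraph in two ways a practitioner cares about: a time-based code is accepted only once (no replay of a captured code), and a recovery code is consumed when used.

```python
import base64
import hashlib
import hmac
import os
import secrets
import struct
import time

PBKDF2_ROUNDS = 200_000  # assumption: a reasonable cost for a server-side check


# ---- Factor 1: something you know -------------------------------------
def hash_password(password, salt=None):
    """Return (salt, PBKDF2 digest); the digest is stored, never the password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# ---- Factor 2: something you have (authenticator app) ------------------
def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits)


def provisioning_uri(secret, account, issuer="ExampleSite"):
    """otpauth:// URI that an authenticator app scans as a QR code (issuer assumed)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"


# ---- Fallback factor: one-time recovery codes --------------------------
def make_recovery_codes(n=10):
    """Return (plain codes shown to the user once, sha256 hashes kept server-side)."""
    codes = [secrets.token_hex(5) for _ in range(n)]
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def enroll(password, totp_secret):
    """Create the server-side account record (assumed layout) and the user's codes."""
    salt, digest = hash_password(password)
    codes, hashes = make_recovery_codes()
    account = {"salt": salt, "digest": digest, "totp_secret": totp_secret,
               "recovery_hashes": hashes, "last_totp_counter": -1}
    return account, codes


# ---- The layered check --------------------------------------------------
def authenticate(account, password, second_factor, now=None, step=30, window=1):
    """Grant access only if BOTH factors verify.

    Both factors are evaluated before returning, so the caller (or an attacker
    probing the form) is not told which one failed.
    """
    now = int(time.time() if now is None else now)
    _, digest = hash_password(password, account["salt"])
    password_ok = hmac.compare_digest(digest, account["digest"])

    presented = second_factor.encode()
    used_counter = None
    recovery_hash = None
    counter = now // step
    # Tolerate clock drift of `window` steps, but never accept a counter at or
    # below the last one used: a code captured in transit cannot be replayed.
    for c in range(counter - window, counter + window + 1):
        if c > account["last_totp_counter"] and hmac.compare_digest(
                hotp(account["totp_secret"], c).encode(), presented):
            used_counter = c
            break
    if used_counter is None:
        h = hashlib.sha256(presented).hexdigest()
        if h in account["recovery_hashes"]:
            recovery_hash = h
    factor_ok = used_counter is not None or recovery_hash is not None

    if not (password_ok and factor_ok):
        return False
    # Consume the second factor only once both checks have passed.
    if used_counter is not None:
        account["last_totp_counter"] = used_counter
    else:
        account["recovery_hashes"].discard(recovery_hash)
    return True


if __name__ == "__main__":
    secret = os.urandom(20)
    acct, codes = enroll("correct horse battery staple", secret)
    print(provisioning_uri(secret, "alice"))
    print("login:", authenticate(acct, "correct horse battery staple", totp(secret, time.time())))
    print("recovery:", authenticate(acct, "correct horse battery staple", codes[0]))
```

Run stand-alone it enrols a random secret, prints the otpauth URI an authenticator app would scan, and performs one TOTP login and one recovery-code login. With the RFC 6238 reference secret `12345678901234567890` the routine reproduces the published test vectors (for example `287082` at Unix time 59), which is a quick way to confirm the second factor against any real authenticator app.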
An example of a situation in which 2FA was not used and social concerns followed is the OpenSSL Heartbleed vulnerability, which was all over the media headlines. A vulnerability in OpenSSL led to the leakage of credentials because password-only systems were in use (Jarecki et al., 2018, p. 438). Had organizations used 2FA, they would have benefited from the additional protection layer, which would have substantially reduced the risk of credential leakage.
Conclusion
To sum up, 2FA is an additional layer of security intended to mitigate the risk of the automated attacks that affect single-password authentication. 2FA is the most vital implementation of a true multi-factor authentication solution. A necessary tenet of a valid two-factor system is that the user can already obtain all the factors required for authentication without interacting with anyone else. A password-only system is exposed to attacks, and it is therefore better to use 2FA, which adds a protective layer that helps mitigate these risks. The use of 2FA plays a vital role in securing personal information online, and every online site should adopt it, although it is not mandatory for every industry. 2FA schemes have been endorsed, and their use encouraged, by various acts as a means of ensuring online safety. The system has also proven more effective in safeguarding online content on websites. Therefore, it would be best to make implementing 2FA in their systems a mandatory requirement for organizations. This will help to secure credentials and protect users.