Two-Factor Authentication (2FA)

Two-factor authentication is the easiest and the most effective way to make sure that the people who access the application actually are who they claim to be.


How does 2FA work?

Two-factor authentication (2FA) is one of the types of multi-factor authentication (MFA). It strengthens user access security by requiring the person to use two methods (or two factors) to verify his or her identity. The first factor is something that a person knows (like a login name and password); the second is something that a person has, like an authentication app on a smartphone. The second factor is required to complete the authentication request.

Two-Factor Authentication (2FA) is a great way to protect a person against phishing scams, social engineering, and brute-force attacks on passwords. It secures the login process against the attacks that exploit weak or stolen credentials.


What is special about 2FA?

Two-factor authentication (2FA) is one of the core fundamentals of a zero-trust security model. The way 2FA works is that anyone who wants to access a certain application needs to first confirm his identity with two different factors. This additional factor makes 2FA a much more effective way to protect against security threats such as phishing attacks, brute-force attacks, or credential exploits.

For the sake of an example let’s assume that a person uses a user name and a password to complete the standard authentication process. That info is sent over the internet from the person to the app. If the second component that is used requires some form of push notification sent over to the mobile network then this is an example of out-of-band authentication.

Why is that important?

If an attacker is able to break into a person’s computer via the internet, then that attacker can steal the password as well as the second factor of authentication. That’s why both factors should never be delivered through the same channel. In the case of out-of-band authentication, an attacker would need to physically obtain the victim’s device in order to impersonate that person and subvert the authentication process. That’s why two-factor authentication with the use of a physical device prevents attackers from gaining unauthorized access to corporate networks, cloud storage, or sensitive information stored in applications.

By triggering two-factor authentication on all applications, the attackers are not able to access any of the protected applications without physically owning a victim’s device that is needed to complete the two-step authentication process.

Easy 2FA Integration with Any Application

One of the best ways an organization can protect its employees against phishing and credential theft is through strong two-factor authentication (2FA). The problem? The adoption of 2FA. It's expensive, time-consuming, and in the case of complex legacy systems - even impossible.

Secfense solves this problem with User Access Security Broker. Secfense UASB makes 2FA adoption easy, efficient, and affordable. With the use of Secfense User Access Security Broker, every security admin can introduce any 2FA method that is available on the market on any web application. And there's no software development involved. The whole deployment takes minutes and is easily scalable to all the applications within the company.

Secfense User Access Security Broker is deployed as a virtual appliance and only requires a security admin to route traffic through the reverse proxy and then apply the learning mechanisms. Secfense UASB tracks, monitors, and learns traffic patterns and, based on them, triggers the 2FA method assigned by the security administrator.


Full Independence on 2FA Method

Secfense User Access Security Broker is a 2FA-method-agnostic tool. This means that it can be used to deploy any 2FA method available on the market. The method recommended by Secfense is FIDO2, an open web authentication standard, because it is the only method that is fully phishing resistant and also the most convenient to use.

If our customers have special requirements we also enable other methods, such as methods based on one-time codes (SMS) or TOTP (authentication apps). Other methods, such as legacy tokens, voice and face biometric authentication can also be enabled on the Secfense User Access Security Broker platform.

2FA for Enterprise and Small Businesses

We have built Secfense User Access Security Broker in order to make 2FA accessible and affordable for any organization. Regardless of the number of applications that should be protected, whether it’s a small organization with a handful of apps or a global enterprise with thousands of applications and tens of thousands of employees, the deployment process is the same. Minimum complexity, maximum scalability.

The biggest and most noticeable benefits of Secfense User Access Security Broker can be seen in large organizations with numerous legacy applications. In such a case, Secfense UASB removes the barrier of impossible integration with applications (due to vendor lock-ins, or maintenance problems). It brings benefits of scale. Since the deployment process is the same for any web application it can be easily repeated regardless of the number of apps.


What is ‘the Factor’ in Two-Factor Authentication?

‘The Factor’ is simply the carrier of information that a user can give to verify his or her identity. Two-Factor Authentication is one of the Multi-Factor Authentication methods. In 2FA there are two factors necessary to authenticate. In Multi-Factor there are three or even more factors required to confirm the identity of the user. There are five factors that a person can use to confirm his or her identity.


Inherence Factor

The inherence factor is based on the existing characteristics of a person, on someone’s permanent and inseparable attributes. In this sense, the inherence factors of a person are the attributes that belong only to that person. Fingerprint recognition and iris recognition (eye scanning with infrared cameras) are the most popular inherence factors used today.


Knowledge Factor

The knowledge factor is information that only that specific person should know. In practice this means passwords: short strings built from letters, numbers, and/or special characters. A password should only be known to its owner and should never, under any circumstances, be shared with other people.


Location Factor

This factor confirms the identity of the person based on his or her current location, which is tracked based on the person’s IP address. If a person registered to the app in one country and has been using it from there for a longer period of time, then a login attempt from a different part of the world triggers the location factor, and the person will be asked to confirm his or her identity.


Time Factor

This factor is based on the assumption that a person should log in to a specific online resource only within some specified timeframe. For example, office employees usually access their company resources between 9 and 5. If a login attempt is made in the middle of the night, this may trigger an additional confirmation of that person’s identity.


Possession Factor

The possession factor, or ‘something that a person owns’, verifies the identity of a person by requiring proof of something that only that specific person physically owns. This factor often comes in the form of a token, a physical object that generates a rotating code (known as a one-time password, or OTP). This token should be carried by the person at all times and used whenever the person wants to open an application and authenticate.

User Access Security Broker from Secfense makes it possible to use any possession factor that is available on the market and to connect it with any application quickly and easily, within minutes. This is incredibly important because there’s an abundance of 2FA solutions available on the market, each of them tempting users with different features and functionalities.

Secfense UASB eliminates the pain of committing to one technology. If a company decides that it’s better to move on with a different 2FA method this transition can be done smoothly and does not require any software development. It doesn’t affect the work of protected applications either. The change can be done smoothly by a security admin and should not affect the work of company employees.


What Problems Does Strong 2FA Solve?

More and more companies realize how crucial it is to implement strong two-factor authentication mechanisms within the organization. This is a general trend across all industries. The criterion is not the size of the company but rather the risk of compromising company data. If the risk is big and the consequences are serious, then the company needs to take measures to minimize or eliminate the risk of a cyber attack.

The organizations realize that passwords alone are only a small fence that a cybercriminal can break easily.

Strong 2FA can protect an organization against various cyber threats but the most common and serious among them are:


Compromised Passwords

As mentioned earlier, a password is one of many factors that a person can authenticate with. This method, while being the least secure (and easiest to compromise), is at the same time the most commonly used. There are various ways in which passwords can get compromised, from simply sharing the password in emails or on sticky notes to passwords being stolen from unprotected databases.


Phishing Attempts

Cybercriminals will usually send an email with links to malicious websites that either infect a person’s computer or convince that person to share his or her passwords. Once the password is obtained, it can be used by a criminal to steal data and compromise the entire organization. Two-factor authentication fights phishing by adding a second layer of authentication that is triggered after typing the password.


Social Engineering

One of the most commonly used techniques that leads to phishing is social engineering. It is based on manipulation: tricking people into believing that what they do is correct and that they should give up their password to a person or a service that requests it. Criminals often pose as employees working at the same company as the victim. They act as an IT professional, a VP’s assistant or even the CEO. They will do what it takes to earn the trust of the victim in order to get his or her login credentials.

Two-factor authentication is a good way to protect a person and an organization against this type of malicious manipulation because even if the password is compromised, there’s still a second factor that verifies whether the person that tries to connect is the one entitled to do so in the first place.


Brute-Force Attack

In this type of attack, a cybercriminal generates password candidates for a specific workstation or account until one matches the correct password. Again, two-factor authentication is a remedy for such an attack because it requires the login attempt to be validated with the second factor first.


Key Logging

Even when the password is never written down, cybercriminals are still able to use malicious software to steal passwords as they are typed in. After the malware has been installed by an unaware person, criminals can track every keystroke, store every password, and then use it in a later attack. The second layer of two-factor authentication helps make sure that the login attempt is made by the right person.


What are the types of 2FA?

User Access Security Broker from Secfense makes it possible to deploy and scale all types of 2FA that are available on the market. One of the core fundamentals of a user access broker is complete flexibility of choice, so the security administrator within the company can decide which method is preferred and for which user group it should be used.

Secfense always advises its customers to pick the FIDO2 standard as the strongest method of authentication there is. There is, however, an abundance of 2FA solutions available on the market, and Secfense, acting as a security broker, makes the deployment process the same for all of them.


SMS

SMS-based two-factor authentication verifies the person’s identity by sending a text message with a special code to the mobile device of that specific person. The person needs to then type in the received code into the website or application in order to authenticate and access it.

Pros

  • Simplicity. SMS 2FA is one of the oldest and most commonly known 2FA methods. It simply sends a code to a person's mobile phone. The code is entered and the access to the information is gained.
  • Speed. If something suspicious takes place, SMS-based 2FA sends a one-time password (OTP) to a person's device, so only the person that physically has this device in his or her hands can log in and authenticate. SMS-based two-factor authentication is a fast way to verify the identity of a person.
  • Universality. SMS-based 2FA is the oldest form of two-factor authentication, so it has become a commonly used security tool.

Cons

  • Connectivity requirement. SMS-based 2FA requires a mobile phone with network reception.
  • Can be compromised. Since phone numbers aren’t tied to physical devices, it’s possible for hackers to outsmart this authentication method without accessing a person's smartphone.

Time-Based One-Time Password

The Time-Based One-Time Password (TOTP) 2FA method generates a code on the device. The shared secret is usually provisioned as a QR code that the person scans with an authenticator app on his or her mobile device, which then generates a short code. The person types the code into the website or application and gains access. The codes generated by the authenticator usually expire within minutes or even seconds. When a code expires, a new one is generated right after, so the user needs to type in the right code within a specific time limit (that’s where "Time-Based" comes from).

Pros

  • Flexibility. This type of Two-Factor Authentication is more convenient than SMS-based 2FA because it can be used across multiple devices and platforms. SMS-based 2FA is restricted to devices that can receive the message from the operator.
  • Easy Access. Mobile authenticators do not require a person to be connected to the network. They remember which accounts a person is trying to access and can generate a new one-time password at any time, even if they are not connected to the internet.

Cons

  • Dependent on devices. TOTP-based 2FA requires the person to have a device that can read the QR code to verify their identity. If a device is lost, runs out of battery, or gets desynchronised from the service, a person will lose access to the information forever.
  • Can be compromised. It’s possible for a cybercriminal who copies the shared secret to generate his or her own valid codes.

Push-Based 2FA

Push-based 2FA is a slightly improved approach over SMS- and TOTP-based 2FA. Push-based 2FA adds an extra layer of security by carrying context about the login attempt (such as location, time, and IP address) that the previous methods couldn’t.

Pros

  • Increased Phishing Protection. The previous two types of two-factor authentication are susceptible to phishing attacks, however push-based 2FA replaces text codes with push notifications which adds an extra layer of security and helps prevent phishing attacks. When a person attempts to access his or her data, a push notification is sent to that person’s mobile phone. The push notification includes various information including location, time, and IP address of the machine on which the login attempt took place. The person needs to physically confirm on his or her mobile device that the info is correct and therefore verify the authentication attempt.
  • Easy. Push-based 2FA streamlines the authentication process because there are no extra codes that a person needs to receive and then type in. If a person sees that the push notification carries the correct information, then he or she simply accepts that login attempt and pushes a button to confirm. Then the access is granted.

Cons

  • Connectivity requirement. As with SMS-based 2FA, a data network is still necessary for push-based 2FA because the push is sent to a mobile device through the network. Therefore a person needs to be connected to the internet in order to use this 2FA functionality.
  • Security Awareness. The person that receives Push-based notification needs to be security-aware to be able to recognize if the login pattern looks suspicious or not. When the person doesn’t pay attention to the received message he or she can approve the malicious request and confirm the false IP address or login location.

Universal 2nd Factor (U2F)

U2F security keys use a physical USB port to verify the location and identity of a person that attempts to access a specific website or application. The user inserts the U2F key into his or her device and presses the button located on the U2F device. Once the key is activated, the person types in the PIN code and is authenticated with the website or the app.

Pros

  • Phishing protection. Since there is an actual physical intervention required (a person needs to press, insert, and enter a code into the token), the U2F key protects a person's device from being phished.
  • Backup devices and codes. U2F keys can and should be backed up across multiple devices. This allows a person to replace his or her token whenever the other one is lost or broken.
  • Easy. U2F keys simply need to be inserted into the USB port and pressed at the right moment, so they do not require any technical knowledge or skills.

Cons

  • Physical object. As a physical key, the U2F based 2FA is susceptible to being lost or damaged. If a key is lost and there’s no backup U2F key, then the access to the website or application is lost.

FIDO2 or WebAuthn

Built by the FIDO Alliance (Fast IDentity Online) and the W3C (World Wide Web Consortium), the Web Authentication API (also known as FIDO2) is a specification that enables strong registration and authentication based on public-key cryptography. WebAuthn makes it possible to take laptops and smartphones with built-in biometric technology and use them as local authenticators in an online authentication process.

Pros

  • Convenient. Any website, application, or browser that supports the FIDO2 standard together with a built-in biometric authenticator like TouchID can be used to enable a strong authentication mechanism. The FIDO2 standard is globally used by hundreds of technology brands including Google, Apple, Microsoft, Amazon, and many more.
  • Phishing resistant. FIDO2 is one of the safest two-factor authentication methods available on the market. FIDO2 allows websites and online applications to trust biometric authentication as a credential that is specific only to that service, so there is no longer a shared secret that can be stolen and exploited.

Cons

  • Complex account recovery. FIDO2-based 2FA makes the recovery process more complicated compared to the previous 2FA methods. In SMS, TOTP, and push-based 2FA there’s some form of account recovery process that a security admin within the company can initiate. In the case of FIDO2-based 2FA, this process is far more difficult because it is always tied to the identity of a specific person. That’s why it is recommended to combine FIDO2 authenticators: for example, use laptop or smartphone biometric authentication but also keep some registered FIDO2 security keys in a safe in case the main device is stolen or breaks.
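To make the phishing-resistance point concrete, here is an added Python model (not Secfense's code and not a full WebAuthn library) of the relying-party checks that bind a FIDO2 assertion to the genuine site: the browser, not the web page, writes the origin into clientDataJSON, and the authenticator puts SHA-256 of the RP ID into authenticatorData, so a response produced on a lookalike site fails verification even when the real challenge is relayed. The RP ID, origins and challenge strings are constructed for illustration, and signature verification over the assertion is omitted here.

```python
import hashlib
import json

# Constructed relying-party parameters for illustration (not a real site).
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"

# Bit 0 of the authenticatorData flags byte: user presence (UP) was checked.
FLAG_USER_PRESENT = 0x01


def rp_id_hash(rp_id: str) -> bytes:
    """rpIdHash as the authenticator embeds it: SHA-256 of the RP ID."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest()


def browser_client_data(challenge: str, origin: str) -> bytes:
    """clientDataJSON as the *browser* serialises it. The page cannot override
    `origin`, so a lookalike site always ends up with its own origin here."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode("utf-8")


def authenticator_data(rp_id: str, sign_count: int = 1,
                       flags: int = FLAG_USER_PRESENT) -> bytes:
    """First 37 bytes of authenticatorData: rpIdHash || flags || signCount."""
    return rp_id_hash(rp_id) + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: str):
    """Relying-party checks from the WebAuthn assertion verification procedure
    that give FIDO2 its phishing resistance. Returns (accepted, reason)."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch: replayed or forged response"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: response was produced on another site"
    if len(auth_data) < 37 or auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch: credential is scoped to a different RP"
    if not auth_data[32] & FLAG_USER_PRESENT:
        return False, "user presence flag not set"
    return True, "ok"


def genuine_login(challenge: str):
    """User signs in on the real site: browser origin and RP ID both match."""
    return verify_assertion(browser_client_data(challenge, EXPECTED_ORIGIN),
                            authenticator_data(RP_ID), challenge)


def phished_login(challenge: str, lookalike: str = "login-example.com"):
    """A lookalike site relays the real challenge, but the browser records the
    lookalike origin and scopes the ceremony to the lookalike RP ID, so the
    genuine relying party rejects the response."""
    return verify_assertion(browser_client_data(challenge, "https://" + lookalike),
                            authenticator_data(lookalike), challenge)
```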

Which industries use 2FA?

Strong two-factor authentication is becoming more popular across many industries. The type of business niche is not really important: as long as there is a user accessing a website or an application that stores valuable data, there is a need to protect credentials and secure the authentication process. User Access Security Broker from Secfense addresses cybersecurity risk primarily in big and medium-sized companies. All industries can benefit from Secfense UASB as long as they use web applications with login-restricted access.


Healthcare

Cybercriminals often target the healthcare sector because, unlike the banking, insurance, and capital markets sector or e-commerce industry, the healthcare cybersecurity budget is much smaller, and therefore cybersecurity is much weaker.

Additionally, healthcare employees are among the least security-aware when it comes to cyber risks. That makes them more likely to fall victim to phishing attacks and social engineering. Implementing effective security policies is crucial as it can reduce the risk of a data breach. And, one of the most effective ways to improve cybersecurity across the board is through additional microauthorizations.


Financial Services

The financial services industry was one of the pioneers of two-factor authentication due to the much bigger risk of hacking attempts in this particular sector. There are also various local and international regulations that require banks to use strong 2FA in order to protect their customers and employees. Some examples of these regulations are the PSD2 directive (Payment Services Directive 2) and GDPR (General Data Protection Regulation). Secfense designed microauthorizations to leave the application journey of financial industry employees almost untouched while at the same time substantially increasing the security level. Microauthorizations add additional authorization requirements within the application wherever they are needed.


Government

The digitalization trend is challenging government institutions to introduce changes to their infrastructure and slowly shift to cloud and mobile. Strong two-factor authentication increases the security of government institutions and allows them to step into a zero-trust approach for both government officials and the citizens that access public sector applications. With such a great number of people using this technology, two-factor authentication needs to provide both security and ease of use.


Retail & E-commerce

The e-commerce sector is one of the industries bound by various security regulations and directives. PSD2 is designed to create fair competition between the banking industry and modern payment service providers (PayPal, Google Wallet, WePay, etc.). That means strong two-factor authentication for online purchases. E-commerce is also the sector that has a lot to lose if its security policies do not meet the obligations of GDPR. In the event of a breach, GDPR can lead e-commerce businesses to pay huge fines as compensation for not protecting their customers’ private data well enough.


Education

Private schools and big universities have become a popular target for phishing attacks and social engineering. More and more often, cybercriminals attack organizations from the inside. In one case of a school being compromised by data theft, the culprit was a former IT official of the school who had been working for the institution for many years.

This type of insider theft can be avoided with the use of microauthorizations from Secfense. This functionality makes it possible to stop the user when he or she reaches for specific resources or wants to perform specific actions in the protected application. Schools manage a large amount of sensitive user data, such as financial status, health situation, etc. This data makes teaching institutions a prime target for cyberattacks, especially since (similarly to the healthcare industry) the security budget is usually very limited. Schools and universities usually reach for strong two-factor authentication to protect the mobile devices and workstations of students and teachers. Protecting these devices with strong authentication mechanisms is usually the first step in maintaining data security in educational institutions.

Manufacturing

The energy sector, due to the strategic importance of its infrastructure in maintaining national safety, needs to secure sensitive data on a global scale. Strong two-factor authentication technology helps the energy sector protect all operations by protecting the endpoint devices of the entire workforce.

Ensuring endpoint security is the key element to keep projects on schedule without risking security breaches. Strong two-factor authentication also helps the energy industry protect the devices of third-party contractors who often need remote access to the organization's infrastructure when operating beyond the scope of traditional firewalls.