Two-factor authentication (2FA) is one of the types of multi-factor authentication (MFA). It strengthens user access security by requiring a person to use two methods (two factors) to verify their identity: typically something the person knows (a login name and password) plus something the person has (such as an authentication app on a smartphone). The second factor is required to complete every authentication request.
Two-factor authentication (2FA) is an effective way to protect a person against phishing scams, social engineering, and brute-force attacks on passwords. It secures the login process against attacks that exploit weak or stolen credentials.
Two-factor authentication (2FA) is also one of the core fundamentals of a zero-trust security model. With 2FA, anyone who wants to access a given application must first confirm their identity with two different factors. This additional factor makes 2FA a much more effective protection against security threats such as phishing attacks, brute-force attacks, or credential exploits.
As an example, assume that a person uses a user name and a password to complete the standard authentication process. That information is sent over the internet from the person to the application. If the second factor is delivered through a different channel, for example a push notification sent over the mobile network, this is an example of out-of-band authentication.
If an attacker is able to break into a person’s computer via the internet, that attacker can steal the password as well as the second factor of authentication. That is why both factors should never be delivered through the same channel. With out-of-band authentication, an attacker would need to physically obtain the victim’s device in order to impersonate that person and defeat the authentication process. That is why two-factor authentication with a physical device prevents attackers from gaining unauthorized access to corporate networks, cloud storage, or sensitive information stored in applications.
By enforcing two-factor authentication on all applications, attackers are unable to access any protected application without physically possessing the victim’s device that is needed to complete the two-step authentication process.
One of the best ways an organization can protect its employees against phishing and credential theft is through strong two-factor authentication (2FA). The problem? The adoption of 2FA. It’s expensive, time-consuming, and in the case of complex legacy systems – even impossible.
Secfense solves this problem with the User Access Security Broker (UASB). Secfense UASB makes 2FA adoption easy, efficient, and affordable. With the Secfense User Access Security Broker, any security admin can introduce any 2FA method available on the market on any web application, with no software development involved. The whole deployment takes minutes and scales easily to all the applications within the company.
Secfense User Access Security Broker is deployed as a virtual appliance. It only requires a security admin to route traffic through its reverse proxy and then enable its learning mechanisms. Secfense UASB tracks, monitors, and learns traffic patterns and, based on them, triggers the 2FA method assigned by the security administrator.
Secfense User Access Security Broker is a 2FA-method-agnostic tool, meaning it can be used to deploy any 2FA method available on the market. The method recommended by Secfense is FIDO2, an open web authentication standard, because it is the only method that is fully phishing resistant and also the most convenient to use.
If our customers have special requirements, we also enable other methods, such as those based on one-time codes sent by SMS or on TOTP (authenticator apps). Other methods, such as legacy tokens or voice and face biometric authentication, can also be enabled on the Secfense User Access Security Broker platform.
We built Secfense User Access Security Broker to make 2FA accessible and affordable for any organization. Regardless of the number of applications to be protected, whether it is a small organization with a handful of apps or a global enterprise with thousands of applications and tens of thousands of employees, the deployment process is the same: minimum complexity, maximum scalability.
The biggest and most noticeable benefits of Secfense User Access Security Broker can be seen in large organizations with numerous legacy applications. There, Secfense UASB removes the barrier of integrations that were previously impossible (due to vendor lock-in or maintenance problems) and brings benefits of scale: since the deployment process is the same for any web application, it can be repeated regardless of the number of apps.
A ‘factor’ is simply a carrier of information that a user can present to verify their identity. Two-factor authentication is one of the multi-factor authentication methods: in 2FA two factors are necessary to authenticate, while in multi-factor authentication three or more factors are required to confirm the identity of the user. There are five factors that a person can use to confirm their identity.
The inherence factor is based on the existing characteristics of a person, that is, on a permanent and inseparable attribute of that person. In this sense, a person’s inherence factors are the attributes that belong only to that person. Fingerprint recognition and iris recognition (eye scanning with infrared cameras) are the most popular inherence factors used today.
The knowledge factor is information that only that specific person should know. Typically this means passwords: short strings built from letters, numbers, and/or special characters. A password should be known only to its owner and should never, under any circumstances, be shared with other people.
The location factor confirms the identity of a person based on their location at the moment of login, tracked through the person’s IP address. If the person registered with the app in one country and has been using it from there for a long time, a login attempt from a different part of the world triggers the location factor and the person is asked to confirm their identity to make sure it is still them.
The time factor is based on the assumption that a person should log in to a specific online resource only within a specified timeframe. For example, office employees usually access company resources between 9 and 5. A login attempt in the middle of the night may therefore trigger a requirement to confirm that person’s identity.
The possession factor, or ‘something that a person owns’, verifies the identity of a person by requiring proof of something that only that specific person physically holds. This factor often comes in the form of a token, a physical object that generates a rotating code (known as a one-time password, or OTP). The token should be carried by the person at all times and used whenever the person wants to open an application and authenticate.
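The location and time factors described above are risk signals a server can evaluate before deciding whether to ask for a second factor. The following step-up policy is an added example written for this page, not Secfense code; the IP-to-country table, the user profile, the working-hours window and the login events are all constructed for illustration.

```javascript
// Constructed IP-to-country table standing in for a real geolocation database (TEST-NET ranges).
const GEO_TABLE = {
  '203.0.113.0/24': 'PL',
  '198.51.100.0/24': 'BR',
};

// Constructed profile: the country seen at registration and the user's usual working hours.
const PROFILE = { username: 'jdoe', homeCountry: 'PL', workHours: { start: 9, end: 17 }, utcOffsetHours: 1 };

function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// First matching CIDR wins; a real lookup would use longest-prefix matching.
function countryForIp(ip) {
  const addr = ipToInt(ip);
  for (const [cidr, country] of Object.entries(GEO_TABLE)) {
    const [net, prefix] = cidr.split('/');
    const mask = (~0 << (32 - Number(prefix))) >>> 0;
    if (((addr & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0)) return country;
  }
  return null; // unknown network
}

// Returns the reasons a second factor should be requested; an empty list means no step-up.
function stepUpReasons(profile, attempt) {
  const reasons = [];
  const country = countryForIp(attempt.ip);
  if (country !== profile.homeCountry) {
    reasons.push(`location: login from ${country || 'unknown network'}, account registered in ${profile.homeCountry}`);
  }
  // Convert the UTC timestamp to the user's local hour before applying the working-hours window.
  const localHour = (new Date(attempt.timestamp).getUTCHours() + profile.utcOffsetHours + 24) % 24;
  const { start, end } = profile.workHours;
  if (localHour < start || localHour >= end) {
    reasons.push(`time: login at ${localHour}:00 local, outside ${start}:00-${end}:00`);
  }
  return reasons;
}

// Constructed login events for the profile above.
const SAMPLE_ATTEMPTS = [
  { ip: '203.0.113.45', timestamp: '2024-03-04T10:15:00Z' }, // home country, working hours
  { ip: '198.51.100.7', timestamp: '2024-03-04T10:15:00Z' }, // different country
  { ip: '203.0.113.45', timestamp: '2024-03-04T02:30:00Z' }, // home country, middle of the night
  { ip: '192.0.2.9', timestamp: '2024-03-04T23:40:00Z' },    // unknown network and after hours
];

// Evaluates every attempt and attaches the step-up decision with its reasons.
function evaluateAll(profile, attempts) {
  return attempts.map((attempt) => {
    const reasons = stepUpReasons(profile, attempt);
    return { ...attempt, stepUp: reasons.length > 0, reasons };
  });
}

for (const r of evaluateAll(PROFILE, SAMPLE_ATTEMPTS)) {
  console.log(`${r.ip} ${r.timestamp} -> ${r.stepUp ? 'STEP-UP' : 'allow'} ${r.reasons.join('; ')}`);
}
```

Only the first event passes without a second factor; the others trigger step-up for a foreign country, a night-time login, or both. In practice the policy would also consider impossible-travel speed and device reputation, but the structure stays the same: collect reasons, then let the authentication broker decide which 2FA method to demand.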
User Access Security Broker from Secfense makes it possible to use any possession factor available on the market and to connect it with any application quickly and easily, within minutes.
This matters because there is an abundance of 2FA solutions available on the market, each tempting users with different features and functionalities.
Secfense UASB eliminates the pain of committing to one technology. If a company decides that it is better to move on to a different 2FA method, the transition can be done smoothly and does not require any software development. It does not affect the operation of the protected applications either: the change is made by a security admin and should not affect the work of company employees.
More and more companies realize how crucial it is to implement strong two-factor authentication within the organization. This is a general trend across all industries. The criterion is not the size of the company but the risk of compromising company data: if the risk is high and the consequences are serious, the company needs to take measures to minimize or eliminate the risk of a cyber attack.
Organizations realize that passwords alone are only a small fence that a cybercriminal can break easily.
Strong 2FA can protect an organization against various cyber threats, but the most common and serious among them are:
As mentioned earlier, a password is one of many factors that a person can authenticate with. This method, while being the least secure (and the easiest to compromise), is at the same time the most commonly used. There are various ways in which passwords get compromised, from simply sharing the password in emails or on sticky notes to passwords being stolen from unprotected databases.
Cybercriminals usually send an email with links to malicious websites that either infect the person’s computer or convince that person to share their password. Once the password is obtained, a criminal can use it to steal data and compromise the entire organization. Two-factor authentication fights phishing by adding a second layer of authentication that is triggered after the password is typed.
Even when a password is never written down, cybercriminals can still use malicious software to capture passwords as they are typed. After the malware is installed by an unaware person, criminals can track every keystroke, store every password, and later use it in a hacking attempt. The second layer of two-factor authentication helps ensure that the login attempt is made by the right person.
In this type of attack, a cybercriminal repeatedly generates candidate passwords for a specific workstation or account until one matches the correct password. Again, two-factor authentication is a remedy for such an attack because it requires the login attempt to be validated by the second factor first.
Two-factor authentication is a good way to protect a person and an organization against this type of malicious manipulation, because even if the password is compromised there is still a second factor that verifies whether the person trying to connect is the one entitled to do so in the first place.
User Access Security Broker from Secfense makes it possible to deploy and scale all types of 2FA available on the market. One of the core fundamentals of a user access broker is complete flexibility of choice, so the security administrator within the company can decide which method is preferred and which user groups it should be used for.
Secfense always advises its customers to pick the FIDO2 standard as the strongest authentication method there is. There is, however, an abundance of 2FA solutions on the market, and Secfense, being in the position of a security broker, makes the deployment process the same for all of them.
SMS-based two-factor authentication verifies a person’s identity by sending a text message with a one-time code to that person’s mobile device. The person then needs to type the received code into the website or application in order to authenticate and gain access.
Simplicity. SMS 2FA is one of the oldest and most widely known 2FA methods. It simply sends a code to the person’s mobile phone; the code is entered and access is granted.
Speed. When something suspicious takes place, SMS-based 2FA sends a one-time password (OTP) to the person’s device, so only the person who physically holds that device can log in and authenticate. SMS-based two-factor authentication is a fast way to verify a person’s identity.
Universality. SMS-based 2FA is the oldest form of two-factor authentication, so it has become a commonly used security tool.
Connectivity requirement. SMS-based 2FA requires a phone with network reception.
Since phone numbers are not tied to physical devices, it is possible for attackers to defeat this authentication method without ever accessing the person’s smartphone.
The Time-Based One-Time Password (TOTP) 2FA method generates the code on the person’s own device. The shared secret is usually delivered as a QR code that the person scans with an authenticator app on their mobile device; the app then generates short codes from that secret. The person types the current code into the website or application and gains access. Codes generated by the authenticator usually expire within minutes or even seconds; when a code expires, a new one is generated immediately, so the user needs to type in the right code within a specific time limit (that is where ‘Time-Based’ comes from).
Flexibility. This type of two-factor authentication is more convenient than SMS-based 2FA because it can be used across multiple devices and platforms, whereas SMS-based 2FA is restricted to devices that can receive the message from the operator.
Easy access. Mobile authenticators do not require the person to be connected to the network. They remember which accounts the person has enrolled and can generate a new one-time password at any time, even without an internet connection.
Dependent on devices. TOTP-based 2FA requires the person to have a device that can read the QR code and generate codes to verify their identity. If the device is lost, runs out of battery, or gets “desynced” from the service, the person will lose access to the protected information.
Can be compromised. It is possible for a cybercriminal who obtains a copy of the secret key to generate their own valid codes.
Push-based 2FA is a step up from SMS- and TOTP-based 2FA. It adds further layers of security by bringing in context and confirmation steps that the previous methods could not.
Increased phishing protection. The previous two types of two-factor authentication are susceptible to phishing attacks; push-based 2FA replaces typed codes with push notifications, which adds an extra layer of security and helps prevent phishing. When a person attempts to access their data, a push notification is sent to that person’s mobile phone. The notification includes information such as the location, time, and IP address of the machine on which the login attempt took place. The person must confirm on their mobile device that this information is correct, and thereby approve the authentication attempt.
Easy. Push-based 2FA streamlines authentication because there are no extra codes to receive and type in. If the person sees that the push notification carries the correct information, they simply accept the login attempt by pressing a button, and access is granted.
Connectivity requirement. As with SMS-based 2FA, a data network is still necessary, because the push is delivered to the mobile device over the network. The person therefore needs to be connected to the internet to use this 2FA functionality.
Security awareness. The person who receives the push notification needs to be security-aware enough to recognize whether the login looks suspicious. A person who does not pay attention to the received message can approve a malicious request and confirm a false IP address or login location.
U2F security keys use a physical USB port to verify the presence and identity of a person attempting to access a specific website or application. The user inserts the U2F key into their device and presses the button on the key. Once the key is activated, the person enters their PIN code and is authenticated within the website or app.
Phishing protection. Since physical interaction is required (the person needs to insert the key, press it, and enter a code), the U2F key protects the person’s account from being phished.
Backup devices and codes. U2F keys can and should be registered as backups across multiple devices. This allows a person to replace a token whenever the other one is lost or broken.
Easy. U2F keys simply need to be inserted into the USB port and pressed at the right moment, so they do not require any technical knowledge or skills.
Physical object. As a physical key, U2F-based 2FA is susceptible to being lost or damaged. If a key is lost and there is no backup U2F key, access to the website or application is lost.
Built by the FIDO Alliance (Fast IDentity Online) and the W3C (World Wide Web Consortium), the Web Authentication API (WebAuthn, the web component of the FIDO2 standard) is a specification that enables strong registration and authentication based on public-key cryptography. WebAuthn makes it possible to use laptops and smartphones with built-in biometric technology as local authenticators in an online authentication process.
Convenient. Any website, application, or browser that supports the FIDO2 standard, together with a built-in biometric authenticator such as Touch ID, can be used to enable a strong authentication mechanism. The FIDO2 standard is used globally by hundreds of technology brands, including Google, Apple, Microsoft, Amazon, and many more.
Phishing resistant. FIDO2 is one of the safest two-factor authentication methods available on the market. FIDO2 lets websites and online applications trust biometric authentication as a credential that is specific to that one service; there is no shared secret, so nothing can be stolen and replayed elsewhere.
Complex account recovery. FIDO2-based 2FA makes the recovery process more complicated than the previous 2FA methods. With SMS, TOTP, and push-based 2FA there is some form of account recovery that a security admin within the company can initiate. With FIDO2-based 2FA this process is far more difficult because the credential is always tied to the identity of a specific person. That is why it is recommended to combine FIDO2 authenticators: for example, use laptop or smartphone biometric authentication day to day, but also keep some registered FIDO2 security keys in a safe in case the main device is stolen or breaks.
Strong two-factor authentication is becoming more popular across many industries. The business niche is not really important: as long as a user accesses a website or application that stores valuable data, there is a need to protect credentials and secure the authentication process.
User Access Security Broker from Secfense addresses cybersecurity risk primarily in large and medium-sized companies. All industries can benefit from Secfense UASB as long as they use web applications with login-restricted access.
Cybercriminals often target the healthcare sector because, unlike the banking, insurance, and capital markets sectors or the e-commerce industry, healthcare has a much smaller cybersecurity budget, and therefore much weaker cybersecurity.
Additionally, healthcare employees are among the least security-aware when it comes to cyber risks, which makes them more likely to fall victim to phishing attacks and social engineering. Implementing effective security policies is crucial, as it reduces the risk of a data breach, and one of the most effective ways to improve cybersecurity across the board is through additional microauthorizations.
The financial services industry was one of the pioneers of two-factor authentication due to the much higher risk of hacking attempts in this particular sector. There are also various local and international regulations that require banks to use strong 2FA in order to protect their customers and employees; examples are the PSD2 directive (Payment Services Directive 2) and the GDPR (General Data Protection Regulation). Secfense designed microauthorizations to leave the financial industry employee’s application journey almost untouched while substantially increasing the security level. Microauthorizations add additional authorization requirements within the application wherever they are needed.
The digitalization trend is challenging government institutions to change their infrastructure and slowly shift to cloud and mobile. Strong two-factor authentication increases the security of government institutions and allows them to step into a zero-trust security approach for both government officials and the citizens who access public sector applications. With such a great number of people using this technology, two-factor authentication needs to provide both security and ease of use.
The e-commerce sector is one of the industries bound by various security regulations and directives. PSD2 is designed to create fair competition between the banking industry and modern payment service providers (PayPal, Google Wallet, WePay, etc.), which means strong two-factor authentication for online purchases. E-commerce also has a lot to lose if it fails to comply with the security requirements of the GDPR: in case of a breach, the GDPR can lead e-commerce businesses to pay huge fines as compensation for not protecting their customers’ private data well enough.
Private schools and big universities have become a popular target for phishing attacks and social engineering. More and more often, cybercriminals attack organizations from the inside: in one case of a school being compromised by data theft, the perpetrator was a former IT official who had worked for the institution for many years.
This type of insider theft can be prevented with microauthorizations from Secfense. This functionality makes it possible to stop a user when they reach for specific resources or want to perform specific actions in the protected application. Schools manage a large amount of sensitive user data, such as financial status or health situation. This data makes teaching institutions a prime target for cyberattacks, especially since (as in the healthcare industry) the security budget is usually very limited. Schools and universities usually reach for strong two-factor authentication to protect the mobile devices and workstations of students and teachers. Protecting these devices with strong authentication mechanisms is usually the first step in maintaining data security in educational institutions.
Given how critical the functions of the manufacturing sector are, they rely on installations at scale. Two-factor authentication helps manufacturing companies maintain continuous operations across all applications and user accounts.
Securing company devices means securing the timely delivery of projects. Simple two-factor authentication also helps the company secure the devices that access its services, including access provided through firewall services.
The infrastructure of large tech companies usually consists of hundreds or even thousands of applications. This makes many of them vulnerable to cyberattacks. Security departments must therefore ensure that all applications and access points are properly secured and protected against leakage of confidential data.
For large technology companies, Secfense has developed a solution that significantly improves the authentication security of all users, without the need to spend valuable programming resources on technology adoption. Thanks to the User Access Security Broker from Secfense, large technology companies can easily secure employees performing their duties in the office or at home and provide them with secure and effective authentication.
Security of client data is one of the key areas that organizations providing legal services must take care of. Secfense provides technology that allows law firms to focus on the essence of their business, freeing them from cybersecurity problems.
A number of directives and regulations oblige law firms and notary offices to ensure the privacy of their clients’ data. User Access Security Broker by Secfense helps these companies achieve security compliance easily and hassle-free and eliminate phishing threats.
Large energy companies usually have advanced technological infrastructure and many systems and applications that employees use on a daily basis. Hence, data security may be threatened by multiple cyberattack vectors.
User Access Security Broker by Secfense is a solution that enables energy and utility companies to leverage strong two-factor authentication for all employees on all applications they use.
All vendors and partners can also benefit from strong authentication.
User Access Security Broker by Secfense allows you to easily implement and scale strong two-factor authentication, allowing the security administrator in the company to decide which method will provide the most security and the greatest convenience.
Secfense enables airlines, hotels, travel companies, and travel agents to secure access to employee and customer data and to protect against identity theft and internet fraud.
The larger the travel and tourism company, the greater the benefits Secfense offers.
Airlines, car rental companies, and hotels will gain the most, as the confidential user data they store most often becomes the focus of cybercriminals.
Loyalty programs that encourage customers to use systems and applications are gaining popularity in the travel and tourism industry. Increased customer internet activity increases the risk of an attack aimed at stealing data.
For organizations in the tourism and travel industry, it should therefore be important to ensure a high standard of data security and to secure all access points through which a potential intruder may sneak into the company’s systems.
“We are faced with new challenges every day. We must always be one step ahead of the attackers and know what they are going to do before they do it. We are convinced that User Access Security Broker will bring security to a new level, both for those working at the office and from home. For us, working with Secfense is an opportunity to exchange experience with developers who put great value on out-of-the-box thinking.”
Business Continuity and Computer Security Officer
BNP Paribas Bank Polska
“Two-factor authentication is known to be one of the best ways to protect against phishing; however, its implementation has always been difficult. Secfense helped us solve that problem. With their security broker, we were able to introduce various 2FA methods on our web applications at once.”
Head of IT