Wardrop notes that strong 2FA could have prevented nearly all of the internet's recent high-profile password breaches, but he's quick to point out that all forms of authentication are not created equal. Systems that use either an app-generated code or a physical security key are the strongest, he says, while SMS-based methods — though certainly better than nothing — are disturbingly easy to defeat.
"The weakest link with SMS is the telco phone rep," Wardrop says, referencing the relative ease with which people have been able to hijack phone numbers and intercept incoming messages. "You're putting your Twitter account, your bank account in their hands, which I certainly wouldn't do."
The U.S. National Institute of Standards and Technology (NIST) agrees. The federal agency revised its guidelines last year to warn companies of the flaws associated with SMS-based authentication and to push for the use of stronger alternatives, such as the aforementioned codes and keys. Yet many online services, including the frequently targeted Twitter, provide no way to use two-factor authentication without involving SMS.
That leaves security experts like Wardrop baffled, because whether you're Twitter or a tiny IT shop in Toledo, implementing effective 2FA is now easy and affordable, with minimal inconvenience to end-users. The real question, he suggests, isn't why a company should use proper authentication to secure its data; it's why any company wouldn't embrace that heightened level of protection. "These strong authentication capabilities are right in your pocket," Wardrop says. "There's really no excuse."
That brings us back to Lorrie Cranor. As both a security researcher and a victim of poor security practices, Cranor knows better than most that 100 percent guarantees simply don't exist in the realm of security. She also knows firsthand how much difference every added layer of protection can make. "There are no absolutes in any of this," she says. "It's all about managing risk."
To see how painless two-factor authentication can be for end-users, you need only look at how big-name companies like Google, Facebook, and Instagram are implementing the technology.
How to set up 2FA for Google
Google offers a bevy of options to help its users stay protected at varying degrees of intensity. From the company's 2-Step Verification page, any user can opt in to 2FA and then select from receiving one-tap prompts via the Google app on a phone, receiving short-term codes via an authenticator app, receiving short-term codes via voice or text message, and using a physical security key for verification. Users can also print out backup codes in case a phone or physical key isn't available and can specify backup phone numbers to which codes can be delivered in the absence of a primary device.