As part of our “Brief introduction” series, you will learn today what is meant by two-factor authentication.
If you are planning to use security software, you will surely stumble upon this term, as this method provides additional protection for your business when it comes to login processes, especially for data-sensitive areas. It has happened often enough in the past that the identities and associated passwords of users of, for example, large mail providers like Yahoo were stolen. As users often use the same password for different services, there is a risk that criminals use the stolen data to gain access to other services, thus causing great damage. If user authentication for sensitive areas or business-used services is secured not only by requesting a password but also through a second authentication, data breaches become much more difficult for attackers.
In addition to the brief explanation of the concept of two-factor authentication, I would like to briefly describe the “challenges” that you could face when implementing such a solution in your organization.
Let’s start with …
What is meant by authentication?
Authentication means verifying that an entity really is the one it claims to be. For example, the login to a Windows client is already an act of authentication. The system’s authentication service verifies the entity, here the user, and then grants access for a defined context and time (in this case, Windows).
There are different types of authentication, which are briefly described here.
With regard to two-factor authentication, there are various processes that relate to the second factor:
Indirect Two-factor Authentication
Authentication via the input of a generated passcode as the second factor is considered an indirect authentication process. The passcode can be sent, for example, by SMS or be generated within an app.
(Semi-) Automatic Two-Factor Authentication
A (semi-) automatic authentication is characterized by a deeper integration into the login workflow, for example with technologies such as NFC or Bluetooth. Using personalized mobile devices, these technologies allow a semi-automatic, i.e. without data input, or a fully automatic authentication of users.
What Exactly is a Two-Factor Authentication?
Two-factor authentication or 2FA is the authentication of a user against one system using two different, independent components (factors).
The components for withdrawing money at a cash machine are, for example, the bank card itself and the PIN code. Only if both components are provided and correct does the system allow access. This requirement makes it much more difficult for attackers to pose as a legitimate user.
Factors in Two-Factor Authentication
Factors are classified into three types:
- Possession: This factor is something the user owns, for example, a bank card or a key
- Knowledge: This type of factor is known only to the user, for example, a user name, a password, a PIN code, an answer to a certain security question
- Characteristic: This is a physical feature such as, for example, the fingerprint or the iris.
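The two-factor check described above, as an added example that is not code from the original article or from any product it mentions: a password as the knowledge factor plus an app-generated passcode as the possession factor. It assumes the app generates time-based codes per RFC 6238 (TOTP); the `Account` class, the `login` function and all sample values are constructed for illustration.

```python
import hashlib, hmac, struct

STEP = 30    # seconds per passcode window (assumption: RFC 6238 default)
DIGITS = 6   # passcode length (assumption)

def totp(secret: bytes, unix_time: int) -> str:
    """Passcode the user's app shows at unix_time (RFC 6238, HMAC-SHA1)."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Account:  # hypothetical server-side record
    def __init__(self, password: str, salt: bytes, totp_secret: bytes):
        self.salt = salt
        self.pw_hash = hash_password(password, salt)  # knowledge factor
        self.totp_secret = totp_secret                # possession factor (shared with the app)
        self.last_used_step = -1                      # blocks replay of a passcode already used

def login(acct: Account, password: str, passcode: str, now: int) -> bool:
    """Grant access only if BOTH independent factors are correct."""
    pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
    matched_step = None
    # Accept the current window and one neighbour on each side for clock drift.
    for drift in (-1, 0, 1):
        t = now + drift * STEP
        if hmac.compare_digest(totp(acct.totp_secret, t).encode(), passcode.encode()):
            matched_step = t // STEP
    code_ok = matched_step is not None and matched_step > acct.last_used_step
    if pw_ok and code_ok:
        acct.last_used_step = matched_step
        return True
    return False
```

A stolen password alone fails the check, and a passcode that was already accepted cannot be replayed within its validity window.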
Challenges in Daily Practice
Challenges arise for IT managers with regard to acceptance and applicability.
Acceptance of a Two-Factor Authentication Solution
Acceptance among users is a classic dilemma IT managers are facing and from my experience, they handle it very differently. It often depends on the individual manager who is responsible whether 2FA will be introduced into the corporate systems or not.
Users, of course, tend to react rather negatively towards the introduction of a second factor for authentication. They usually see the benefit, but the additional effort is, of course, a much stronger argument. Here it is important, from my point of view, to approach users at an early stage in order to increase their acceptance of this measure.
Informing all users early is the most important measure. Another helpful measure is to identify key users for whom 2FA is introduced first. These key users can gain first experience with it. Later, during the corporate-wide introduction of 2FA, these first users can support the rest of the team with advice and action if necessary.
Looking at usability, there are two crucial questions to ask:
- What do the current employee login workflows look like?
- How can I integrate 2FA into their workflows with as little effort as possible?
The first question seems to be trivial, but from my experience it is very important: only if you are really aware of when, where, how and how often the individual employees log in to the company can optimizations be made in this area.
For example, I have already experienced in customer projects that 2FA was introduced in parallel with the introduction of SSO via SAML. In this case, the users had to log in much less frequently and therefore the acceptance was notably higher.
The question regarding the integration into the login workflows is, in principle, easier to answer. There are two crucial workflows that should be considered here:
1) The registration itself
2) The rollout of an authentication token
As to 1)
If the instructions described in the section “Acceptance” are implemented, it is my experience that all kinds of 2FA (indirect and (semi-) automatic) are well accepted by the users.
As to 2)
The rollout of authentication tokens is a subordinate criterion, but should not be underestimated. Users should be able to carry out this rollout independently, and administrators should be able to roll out tokens to multiple users at once.
Generic security considerations are very difficult in the organizational or corporate context. The fields of application are very diverse and the degree of protection that each service requires can be very different.
If you would like to get advice for this, we would be pleased to get you in touch with a contact person.
Integration in UCS
Univention positions itself as a platform manufacturer and provides all the necessary interfaces to integrate 2FA. We have been supporting various projects and with privacyIDEA4UCS we provide a third-party application via the Univention App Center, which implements 2FA with UCS.
We hope we were able to give you a good idea of the concept of two-factor authentication and of the problems that can arise during the implementation of such a security solution.
As said, if you feel you need more consulting, please contact us via our contact form.
Further information on 2FA and data security can be found on the following pages:
- Wikipedia: Multi-factor authentication
- Two factor authentication everywhere with privacyIDEA LDAP-proxy
- Data Security Thanks to Multiple-Factor Authentication in UCS with privacyIDEA + SAML
- Single Sign-On for UCS 4.1