The US government has announced a new federal cyber security plan that mandates two-factor authentication for federal government websites and government contractors. This legislation was passed to address the increasing number of cyber security attacks. The US government is also launching a national awareness campaign that encourages Americans to use two-factor authentication, move beyond passwords and add a further level of security such as mobile-based authentication.
Two-factor authentication, also known as multi-factor authentication, will enable a user to pair his smartphone with his password in order to protect access to his online accounts. An authentication mobile app will then prompt the user to approve a push notification as he logs in, thus verifying his identity with his device and protecting against the exploitation of stolen passwords.
Awareness and Promotion of Two-factor Authentication
According to a White House fact sheet, the National Cyber Security Alliance (NCSA) will team up with leading tech firms such as Google, Facebook, Dropbox and Microsoft to launch a National Cyber Security Awareness Campaign urging two-factor authentication adoption among organizations and individuals alike. They will also team up with financial service companies such as MasterCard, Visa, PayPal and Venmo to make transactions more secure with two-factor authentication.
What is Two-Factor Authentication?
Two-factor authentication, or 2FA as it is commonly known, adds an extra level of security to conventional username and password-based systems. It is a type of multi-factor authentication and requires not only a username and password but also something that only the user has on them, such as a fingerprint. Combining a username and password with a second factor that only the user possesses makes it difficult for intruders to gain access and steal that user’s personal data or identity.
Without two-factor authentication, you only need to enter your username and password. The password acts as your single authenticating factor and is easier for potential intruders to guess or steal. By contrast, 2FA adds a second authentication factor to your logon procedure, thereby improving the security of your account.
Why is Two-Factor Authentication important?
Standard online security procedures that rely only on passwords to verify a user are vulnerable to security breaches. It has become increasingly easy for criminals or intruders to gain access to sensitive user information such as personal and financial data. They can use this information to commit fraudulent acts, mostly of a financial nature. In the past, passwords were considered a good enough security measure. With the rapid advancement of technology and an increasingly connected world, passwords are now considered a weak link that can be easily stolen using electronic or social engineering techniques. They can also be sniffed or captured with the help of hardware and software keyloggers.
However, the biggest concern that remains is knowing when a password has been compromised. The security logs only show that a successful logon has occurred, not who is behind the logon. Sometimes passwords are weak and can be guessed. This goes to show that relying only on passwords for account security is not sufficient, and an extra level of security is definitely required in today’s online world.
Problems with Using Single-Factor Authentication Systems (Passwords)
Password-based authentication is a form of single-factor authentication. The security of passwords relies on the diligence of the system administrator or the user who sets up the account. It is recommended to create a strong password that no one else can guess. We also need to remember our passwords, and many of us will admit that we can’t remember all of them. That seems quite justified given that corporate employees need to remember six or more passwords.
According to the cloud identity management company Ping Identity, an average person has to remember 15 passwords – a combination of six or more corporate passwords and other personal passwords. Other research from Microsoft shows that an average internet user has 25 password-protected accounts with 7 passwords shared among these different accounts. Given these facts, it seems quite logical that almost 61% of the population reuse passwords from site to site. This is known as password negligence, and the results can be disastrous. 39 percent of all malicious hacking attacks can be attributed to the problem of having too many passwords to remember and not enough memory. This can cost large enterprises quite a lot of money, around $5.5 million each.
Another problem with passwords is that users sometimes don’t understand how to create a strong password and still make it memorable, or they simply underestimate the need for password security. Password entropy is a measure of how difficult it is to crack a given password. Potential intruders can use a variety of methods such as guessing, dictionary attacks and brute-force cracking to recover passwords. Users therefore need to be trained to create passwords with more entropy so that it becomes difficult for hackers to gain access.
Even then, passwords remain vulnerable to attack. If an intruder gains access to the password database that resides on a protected computer, he can use methods such as brute force or rainbow table attacks to crack the passwords. Administrators also need to take extra measures to protect password databases from dictionary attacks.
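As an added illustration of the entropy and cracking-cost ideas above (example code, not part of the original article), the following Python estimates a password's brute-force entropy from its character classes, converts that into a worst-case search time at an assumed guess rate, and shows how a wordlist hit collapses the estimate regardless of length. The character-class sizes, the toy wordlist and the guess rate are constructed assumptions.

```python
import math

# Character-class sizes for the brute-force model (constructed, typical
# values for printable ASCII).
LOWER, UPPER, DIGIT, SYMBOL = 26, 26, 10, 33

# Constructed toy wordlist; real cracking wordlists hold millions of entries.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty"}


def charset_size(password: str) -> int:
    """Size of the smallest character set covering every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGIT
    if any(not c.isalnum() for c in password):
        size += SYMBOL
    return size


def brute_force_bits(password: str) -> float:
    """Entropy in bits if the password were chosen uniformly from its charset."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def effective_bits(password: str) -> float:
    """A wordlist hit costs only log2(wordlist size) guesses, however long the
    word is, so the realistic estimate is the weaker of the two models."""
    if password.lower() in COMMON_WORDS:
        return min(brute_force_bits(password), math.log2(len(COMMON_WORDS)))
    return brute_force_bits(password)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    # Assumed offline cracking rate against a fast hash: 1e10 guesses/second.
    for pw in ["password", "Password1", "Tr0ub4dor&3"]:
        bits = effective_bits(pw)
        days = seconds_to_exhaust(bits, 1e10) / 86400
        print(f"{pw!r}: {bits:.1f} bits, {days:.3g} days to exhaust")
```

The dictionary word scores far below its length-based estimate, which is why training users on entropy matters more than enforcing length alone.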
Social engineering is also a major threat to password-based authentication systems: an attacker tricks the user into divulging his password. Then there are other threats such as phishing and Trojans that may arrive in email messages. We can thus see that passwords are one of the most easily stolen forms of authentication. The bottom line is that passwords may be sufficient to secure systems that don’t need a high level of security, and even then some constraints should be enforced. For any system that needs a higher level of security, it is crucial to use a stronger authentication system that complements passwords. There is a lot of sensitive personal and financial user data online, and it needs to be protected with stronger authentication methods.
How can two-factor authentication solve password related issues?
Username and password systems can be made more secure by adding biometric verification such as fingerprint recognition. Single-factor authentication is the simplest form, in that the user needs to match only one thing to verify his identity online. It is the basis of the majority of today’s digital verification and we use it almost every day. But how secure is it? Many consumer and company profiles are compromised every day because of simple, easy-to-guess passwords. The solution is to adopt more secure, solid and reliable authentication techniques such as two-factor authentication.
Two-factor authentication adds an extra level of security and is a bit more involved. Along with the username/password combination, the user is asked to verify their identity with something that only they have – a factor unique to their physical being, such as a fingerprint. The advantage of this dual form of authentication is that it is extremely difficult for hackers to crack such systems, and they are limited in what they can pull off.
While two-factor authentication may sound like a sci-fi fantasy, it is actually quite common, especially in banking. The user may not be aware of it, but he probably already uses it in the physical world. Creating awareness among users and explaining 2FA to them can be convincing as to why it is a good idea to use 2FA for mission-critical online services. After all, Twitter and Apple have it, and Facebook and Amazon have had it for a while.
Using fingerprint biometric identifier with passwords
The fingerprint as a biometric identifier has been around for decades. Fingerprints do not change from birth to death, advances in technology have made fingerprint matching more accurate, and fingerprint authentication is becoming relatively commonplace. Nowadays most smartphones have fingerprint identification built into their operating system, such as Apple’s Touch ID. Biometric authentication technologies can be used to secure a variety of electronic communications, including enterprise security, online commerce and banking.
Let us see how this system works. A biometric authentication system compares the captured biometric data (in this case, a fingerprint) with the confirmed authentic data stored in a database of biometric templates. If the two samples match, authentication is confirmed and access is granted to the user. This comparison is one step of a 2FA system. For example, a user might log on to his smartphone with his password or his personal identification number (PIN) and then provide his fingerprint to complete the authentication process.
Benefits of Two-Factor Authentication
Two-factor authentication ensures peace of mind for both the user and the system administrator. They know that even if the password is compromised, the account cannot be accessed without the second authentication factor, which the user always carries with him: the fingerprint.
It is based on the principle that access is granted only on the basis of something the user knows (the knowledge factor) and something the user has (the possession factor). Such a system greatly decreases the chance that an intruder can masquerade as the user to gain access. The takeaway is that the user himself becomes the token. 2FA is also a user-friendly system that requires minimal knowledge from the end user.
Biometric traits like fingerprints are complex and difficult to copy. The user does not need to learn anything; he just needs to be himself, as a fingerprint is an intrinsic characteristic.
Measures by the government for implementing two-factor authentication
Recently, the US government enacted legislation to address the ever-increasing cyber security threats, and the Executive Branch adopted new security regulations on May 12, 2016. Consequently, the Cybersecurity National Action Plan (CNAP) was announced by the government to curb the increasing number of attacks against organizations and individuals. This is the first step towards creating a successful partnership between the government and private industry to address cyber security issues. The CNAP has a number of initiatives, one of which is implementing two-factor authentication for online transactions.
The government believes that people should have the tools to protect themselves from cyber security threats and that companies should be able to defend their operations and information. With this in view, the government created the Cybersecurity National Action Plan, which places a strong focus on two-factor authentication. According to a news release from StaySafeOnline.org, the NCSA plans to tour cities nationwide and provide interactive sessions that teach individuals about adopting multi-factor authentication and why it is an essential online safety tool for every American.
With this legislation mandating the use of two-factor authentication, the federal government intends to ensure that strong multi-factor authentication is used within agencies to protect personal data in online transactions between citizens and the government.
Two-factor authentication is intended to empower Americans to secure their accounts by judiciously combining a strong password with an additional level of security such as a fingerprint. Biometric authentication is becoming commonplace these days and is used in diverse systems ranging from websites and enterprise applications to secure thumb drives. Of all the biometric technologies, fingerprint technology is the most widely used because of its precision. Implementing two-factor authentication with fingerprint recognition will ensure that only authorised users have access to their data. Becoming better informed on how to protect oneself is one of the most important steps in fighting cybercrime, and multi-factor authentication will surely help to achieve this goal.