Many of the organizations we consult with have two-factor authentication for their employees disabled. The reasoning behind the decision usually stems from upfront costs, privacy concerns, and usability. Not having it enabled leaves the organization open to account takeover through phishing, since a single stolen password is then enough. However, Universal 2nd Factor (U2F) solutions have made significant advances in all three of those areas.
Deploying two-factor authentication by sending a push notification to a mobile application, or an SMS or email with a code the employee must enter or approve, has been the traditional strategy at many organizations. These deployments carry additional costs and privacy implications that many organizations wish to avoid. The implications of the conventional implementations are:
Employees need a mobile device with a data plan (or mailbox access) to receive the notification, SMS or email
Employees aren’t comfortable with having the organization enact additional security controls on their mobile devices (e.g., mobile device management policies that can wipe devices)
The enrollment and login flow is confusing for users and costly for the organization to support
Additionally, these deployments still carry the risk of an attacker bypassing the second factor through social engineering. A one-time code delivered by SMS, email or app proves nothing about which site the user is typing it into, so a phishing page can relay it to the real site in real time, and a push prompt triggered by the attacker's login attempt will be approved by a user who believes the login is their own.
Take a look at how fast and easy an attack against two-factor can be in this short 4-minute video.
To combat all of these risks and implications, Google and Yubico developed the Universal 2nd Factor (U2F) standard, which is now hosted by the FIDO Alliance. U2F allows users to log in with a hardware security key by simply pressing a button on the key. Google has used U2F since early 2017 and has not had any successful phishing attacks across its 85,000+ employees since deployment. Google has been using Yubico Security Keys but has recently begun developing its own Titan Security Keys.
U2F defeats phishing and credential-relaying man-in-the-middle attacks by binding every login to the real website: the browser hands the key a challenge together with the origin the user is actually on, the key signs both, and the server verifies the signature against its own origin. A response produced on a look-alike site therefore fails verification at the real one, and the key's signature counter lets the server detect a replayed response or a cloned key. U2F is not a transport encryption mechanism (TLS still does that) and does not protect a session cookie stolen after login. As of May 2018 it is supported by all major web browsers except Microsoft Edge, for which support has been announced as in development. Adoption is beginning to ramp up, with Microsoft and Google among the early adopters of the standard for their own authentication services. For a full list of U2F-compatible services, you can visit DongleAuth.
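The origin binding described above, and the real-time relay attack on one-time codes that the earlier paragraphs warn about, are easiest to see by running the check. The following Go program is an added example written for this article, not code from the original post, from Google, Yubico or the FIDO Alliance. It models one enrolled key as a P-256 ECDSA key pair and reproduces the U2F authentication signature input, sha256(appID) || userPresence || counter || sha256(clientData), with the browser's current origin used as the appID. The relying-party origin https://login.example.com, the look-alike https://login-example.com and the challenge string are all constructed for the example; a real server draws a fresh random challenge per login and performs the registration step, which is omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// RegisteredKey is what the relying party stores for an enrolled security key.
type RegisteredKey struct {
	PubKey  *ecdsa.PublicKey
	Counter uint32 // highest signature counter accepted so far
}

// ClientData is built by the browser, which fills in the origin the user is really on.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// AuthResponse is the assertion the browser returns to the relying party.
type AuthResponse struct {
	ClientDataJSON []byte
	UserPresence   byte // bit 0 set when the user touched the key
	Counter        uint32
	Signature      []byte // DER ECDSA over signatureDigest(...)
}

var (
	ErrChallenge = errors.New("stale or unknown challenge")
	ErrOrigin    = errors.New("clientData origin is not the relying party origin")
	ErrCounter   = errors.New("counter did not increase: replay or cloned key")
	ErrSignature = errors.New("signature invalid under the relying party appID")
)

// signatureDigest hashes the U2F authentication signature input:
// sha256(appID) || userPresence || counter (big-endian uint32) || sha256(clientDataJSON)
func signatureDigest(appID string, up byte, counter uint32, cdj []byte) []byte {
	ah, ch := sha256.Sum256([]byte(appID)), sha256.Sum256(cdj)
	base := append(append([]byte{}, ah[:]...), up, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	h := sha256.Sum256(append(base, ch[:]...))
	return h[:]
}

// Authenticate models browser + key: the key signs under the appID of the origin the browser is on.
func Authenticate(priv *ecdsa.PrivateKey, browserOrigin, challenge string, counter uint32) (AuthResponse, error) {
	cdj, _ := json.Marshal(ClientData{Challenge: challenge, Origin: browserOrigin})
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signatureDigest(browserOrigin, 1, counter, cdj))
	return AuthResponse{ClientDataJSON: cdj, UserPresence: 1, Counter: counter, Signature: sig}, err
}

// VerifyAssertion is the relying-party check; expectedOrigin is the server's own configured origin.
func VerifyAssertion(key *RegisteredKey, expectedOrigin, expectedChallenge string, r AuthResponse) error {
	var cd ClientData
	if err := json.Unmarshal(r.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Challenge != expectedChallenge:
		return ErrChallenge
	case cd.Origin != expectedOrigin:
		return ErrOrigin // the phishing case: the key signed for a different site
	case r.Counter <= key.Counter:
		return ErrCounter
	}
	// The server hashes its own origin, so a signature made under any other appID fails here.
	if !ecdsa.VerifyASN1(key.PubKey, signatureDigest(expectedOrigin, r.UserPresence, r.Counter, r.ClientDataJSON), r.Signature) {
		return ErrSignature
	}
	key.Counter = r.Counter
	return nil
}

// RunScenarios enrolls one key, then runs a genuine login and the attacks the text describes.
func RunScenarios() map[string]error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	key, out := &RegisteredKey{PubKey: &priv.PublicKey}, map[string]error{}
	// Hypothetical origins and a constructed challenge; a real RP draws a fresh random challenge per login.
	const real, phish, challenge = "https://login.example.com", "https://login-example.com", "constructed-challenge-001"
	legit, _ := Authenticate(priv, real, challenge, 1) // genuine login from the real site
	out["legitimate"] = VerifyAssertion(key, real, challenge, legit)
	// Real-time phishing: the attacker relays the real challenge to a victim on the look-alike site.
	phished, _ := Authenticate(priv, phish, challenge, 2)
	out["phished"] = VerifyAssertion(key, real, challenge, phished)
	// The attacker edits clientData to claim the real origin before forwarding it.
	tampered := phished
	tampered.ClientDataJSON, _ = json.Marshal(ClientData{Challenge: challenge, Origin: real})
	out["tampered"] = VerifyAssertion(key, real, challenge, tampered)
	out["replayed"] = VerifyAssertion(key, real, challenge, legit) // captured assertion replayed later
	return out
}

func main() { fmt.Println(RunScenarios()) }
```

Only the genuine login succeeds. The relayed response is rejected on the origin field, the edited response is rejected because the signed origin hash and clientData hash no longer match, and the replayed response is rejected by the counter. Compare this with an SMS or app code, which carries no origin at all and verifies equally well wherever it is relayed from.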
These advantages make U2F a realistic option for organizations to deploy. It is both more secure and easier to use than code-based second factors, and a key costs roughly $20 per device. If you're worried about phishing attacks, consider deploying a U2F solution to protect your most critical assets.