Making the case for hardware 2FA in the enterprise

Phishing and credential stuffing attacks are two of the biggest threats to any large organization, but two-factor authentication (2FA) —especially hardware 2FA — is remarkably effective in mitigating such attacks by an order of magnitude or more.

A low- to moderately resourced attacker who successfully phishes an employee and steals their account credentials is going nowhere fast if that employee has hardware 2FA enrolled. Authentication will still require physical possession of the hardware 2FA token. Likewise, in cases of password re-use where an attacker tries a credential stuffing attack, that hardware 2FA token will come in mighty handy at fending off a huge chunk of the background attack noise of the internet.

Hardware 2FA is also considered significantly more secure than software 2FA (such as an authentication app on an employee’s phone) not to mention cheaper to replace, in the event of a lost or stolen phone.

Authentication apps no longer good enough?

Attackers are already finding ways to end-run around software-based 2FA. As veteran malware researcher Claudio Guarnieri recently observed, “Looking at the phishing campaigns @AmnestyTech Security Lab responded to and investigated in the last year, there hasn’t been one which wasn’t provided with at least some capability to bypass non-U2F multi-factor authentication.” U2F, short for Universal 2nd Factor, is an open standard for hardware 2FA tokens.

As attackers have evolved, the move from SMS-based 2FA to software-based authenticator app became a no-brainer. (You’re not still using SMS-based 2FA, right?) For many use cases, an evolution to U2F-based hardware dongles is a wise move.

Hardware 2FA gotchas

While the use of a hardware-based 2FA token is more secure than a software-based authentication app, it isn’t perfect. Given the complexity of the authentication stack, from USB firmware all the way up to a web browser at layer 7, it would be surprising if there were no security flaws to be found. In 2018, a flaw in Google Chrome made it possible to end run around U2F security tokens. At the other end of the software stack, the market leader in the space, Yubico, has issued several security advisories over the years.

That said, the real question CISOs should be asking isn’t, “Should we deploy hardware 2FA?” That answer is probably yes. The real question is, “What do we do if an employee loses their hardware 2FA token?”

If the fallback to password-plus-hardware 2FA is answering security questions, then you’re still stuck in one-factor authentication land. A smart attacker can figure out where at least some of your employees “vacationed on their honeymoon” or the “first school they went to” or “their favorite food” (pizza is a good guess).

U2F tokens get lost or damaged or stolen. They are small and fragile. That makes managing employee enrollment in a fault-tolerant manner at scale a non-trivial task. You can blame your employees for losing a cheap hardware token, or you can roll with the punches and not waste unnecessary energy stressing out over a rounding error in your total budget.

One simple, cheap solution that solves this problem most of the time: “We recommend you get two Yubikeys,” Jerrod Chong, Yubico’s chief solutions officer, tells CSO. “In Google’s case, they have a fishbowl in their break room or lunch room full of Yubikeys, and encourage end users to enroll more than one authenticator.” Google has rolled out Yubikeys to “all staff and contractors for secure computer and server login, reaching more than 50,000 employees to date,” according to the Yubikey case study. (Google did not respond to our request for comment on their U2F deployment.)

When software 2FA is not an option

In addition to offering greater security than software-based authentication apps on a smartphone, there are use cases where you don’t want your employees using cell phones on the job. Call centers famously restrict cell phone use at work, but employees still need to securely log into their workstations.

At the other end of the spectrum, engineers working on sensitive intellectual property probably don’t want to have an always-on threat vector next to their main workstation. A savvy attacker will go after the user’s personal device and use that proximity to jump into the corporate network. While there are good reasons to allow “bring your own device” (BYOD), there are also good reasons why some employees should not be allowed to BYOD. (Although if you’re going to go there, secure lockers for employees to store their phones seem like a good idea.)

“Passwordless authentication”?

The future of multi-factor authentication is unclear. Many clamor for biometrics (“something you are,” like a fingerprint) in addition to “something you know” (e.g., a password) — and “something you have” (e.g., a U2F token), but the invasive nature of biometric data raises serious privacy concerns. The impossibility of “resetting your iris” when that information gets compromised is a serious security concern. The Aadhar national biometric database of India, for example, containing more than a billion sets of fingerprints and iris scans, has dealt with a steady stream of security breaches since its launch a few years ago.

One thing is clear: Passwords suck. They are a terrible way for humans to authenticate themselves. While a lot of breathless marketing copy touts a “passwordless future,” it seems more likely that passwords will be paired with other authentication factors to mitigate the severe risk they pose to users and enterprises alike.