London Report: Gartner Analysts Push for Two-Factor Push Notifications
At the Gartner Security & Risk Management Summit in London, analysts and industry leaders are discussing security innovation and new technology, including the latest in authentication tools.
Gartner Analyst Ant Allan discussed authentication system design and user experience in his talk, Balancing Trust and User Experience for User Authentication. According to SCMagazine.com's coverage, he said that user experience, cost and security effectiveness all have to be weighed when designing user authentication for online apps.
In his talk, Allan recognized that mobile phones are an ideal device for two-factor authentication delivery, since they're widely used, easily understood by users and inexpensive for app designers to implement and run. But some authentication methods delivered over a mobile phone, such as SMS passcodes and voice calls, are vulnerable to man-in-the-middle attacks because they travel over open channels.
Allan's favored solution is smartphone push notifications. Why?
It's out-of-band authentication. Typically, the first factor (username and password) is submitted through the browser session over the Internet. The second factor should be completed over a separate channel. A push notification delivered to your phone, and approved from it, travels over the phone's own connection and never passes through the browser session; that is what makes it out-of-band.
If a remote attacker can watch your computer's Internet connection, they can capture your password, and if the second factor is a one-time passcode that you type into that same session, they capture that too. A push approval is sent from the phone, so nothing about it crosses the session the attacker is watching. The one caveat is that this only helps if you approve logins you started yourself, which is why the prompt should tell you what you are approving.
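To make the in-band versus out-of-band distinction concrete, here is a small simulation added to this post (it is not code from the original article or from Duo Security). A tap on the web channel records everything the browser sends; the passcode flow and the push flow are run through it and compared. The names (`AuthServer`, `WebChannelTap`, `Phone`, the user "alice") and the sample credential are hypothetical, and the push approval is modeled as an HMAC under a per-device key, which is one common way of binding an approval to a single login request.

```python
# Added example, not from the original post or from Duo Security.
# Hypothetical names throughout; "alice" and PASSWORD are constructed samples.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

OTP_TTL_SECONDS = 120
PASSWORD = "correct-horse-battery"   # constructed sample credential


@dataclass
class PendingLogin:
    user: str
    otp: Optional[str] = None            # set only for the passcode method
    created: float = field(default_factory=time.time)


class WebChannelTap:
    """Models an attacker on the victim's Internet connection: every value the
    browser exchanges with the server passes through here and is recorded."""
    def __init__(self) -> None:
        self.captured: Dict[str, str] = {}

    def send(self, name: str, value: str) -> str:
        self.captured[name] = value   # attacker keeps a copy
        return value                  # ...and forwards it untouched


class Phone:
    """The user's enrolled device; its key never leaves it."""
    def __init__(self, user: str, key: bytes) -> None:
        self.user, self.key = user, key

    def approval_mac(self, sid: str) -> str:
        return hmac.new(self.key, sid.encode(), hashlib.sha256).hexdigest()


class AuthServer:
    def __init__(self) -> None:
        self.passwords = {"alice": PASSWORD}
        self.device_keys = {"alice": secrets.token_bytes(32)}  # set at enrollment
        self.pending: Dict[str, PendingLogin] = {}
        self.pushes: list = []        # (user, sid) messages sent to phones, out of band
        self.logged_in: set = set()

    def start_login(self, user: str, password: str, method: str) -> Tuple[Optional[str], Optional[str]]:
        """First factor, over the web channel. Returns (session id, otp); otp is
        None for the push method. The OTP would really go out by SMS and the push
        via the phone's push service; here the caller plays the phone."""
        if not hmac.compare_digest(self.passwords.get(user, ""), password):
            return None, None
        sid = secrets.token_urlsafe(16)
        pending = PendingLogin(user)
        if method == "otp":
            pending.otp = f"{secrets.randbelow(10**6):06d}"
        else:
            self.pushes.append((user, sid))
        self.pending[sid] = pending
        return sid, pending.otp

    def verify_otp(self, sid: str, code: str) -> bool:
        """Second factor typed into the same web session as the password."""
        pending = self.pending.pop(sid, None)     # single use: consumed on any attempt
        if pending is None or pending.otp is None:
            return False
        if time.time() - pending.created > OTP_TTL_SECONDS:
            return False
        if not hmac.compare_digest(pending.otp, code):
            return False
        self.logged_in.add(sid)
        return True

    def approve_push(self, user: str, sid: str, mac: str) -> bool:
        """Approval arrives over the phone's channel and is bound to one session by
        a MAC under the device key, so knowing the session id alone is not enough."""
        pending = self.pending.get(sid)
        if pending is None or pending.user != user or pending.otp is not None:
            return False
        expected = hmac.new(self.device_keys[user], sid.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False
        del self.pending[sid]
        self.logged_in.add(sid)
        return True


def otp_scenario() -> Dict[str, str]:
    """SMS passcode flow with a tap on the web channel; returns what the tap saw."""
    server, tap = AuthServer(), WebChannelTap()
    sid, otp = server.start_login(tap.send("user", "alice"), tap.send("password", PASSWORD), "otp")
    sid = tap.send("session_id", sid)             # the response crosses the tap as well
    # the code reached the phone out of band, but the user types it into the browser
    server.verify_otp(sid, tap.send("otp", otp))
    return tap.captured


def push_scenario() -> Dict[str, object]:
    """Push flow with the same tap; the approval never crosses the web channel."""
    server, tap = AuthServer(), WebChannelTap()
    phone = Phone("alice", server.device_keys["alice"])
    sid, _ = server.start_login(tap.send("user", "alice"), tap.send("password", PASSWORD), "push")
    sid = tap.send("session_id", sid)
    # attacker holds the session id from the tap but not the device key
    forged_ok = server.approve_push("alice", sid, "00" * 32)
    user, req_sid = server.pushes.pop()           # delivered to the phone, not the browser
    login_ok = server.approve_push(user, req_sid, phone.approval_mac(req_sid))
    return {"captured": tap.captured, "forged_ok": forged_ok, "login_ok": login_ok}


if __name__ == "__main__":
    print("OTP flow, fields the tap captured:", sorted(otp_scenario()))
    print("Push flow:", push_scenario())
```

In the passcode run the tap ends up holding the password and the six-digit code; single use and a short lifetime limit replay, but an attacker relaying in real time simply submits the code first. In the push run the tap holds the password and session id only, and an approval forged from the session id is rejected because the device key never touched the web channel.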
It’s less expensive than other methods. Token-based authentication is notorious for running up big bills and hidden costs that include costs associated with deployment hardware/software, token licenses, shipping, patching and upgrading, data center infrastructure and maintenance, lost/damaged token replacement, token renewal licenses, help desk costs, etc.
SMS and voice notifications incur telephony costs. Push notifications delivered through a free authentication mobile app are the least expensive option, with no per-message charge.
It’s easier and faster. Some authentication app providers have designed their push notifications for the fastest and easiest user approval - for iOS, you can swipe the notification left (from the preview and lock screen) and approve it, and for Android, you can also approve a notification from the notification tray.
That's much faster and easier than manually generating a passcode and typing it in, or waiting for a phone call to verify your identity.
Gartner Research Director Felix Gaehtgens agrees with using phone-based authentication methods for two-factor authentication, as he discussed in his talk, Friends at the Gate? Best Practices for Enabling Remote Privileged Access From Vendors and Third Parties.
While his talk focused on the challenges of handling third-party vendors' privileged access to internal systems, his central recommendation was to implement good access and authentication practices and tools for any contractor, e.g. a payroll processing or heating company that gets access to a company's HR portal.
His recommendations for secure authentication practices include using two-factor (multi-factor) authentication and enabling strong yet easy authentication for your users. Hardware tokens are difficult for end users to use; instead, he recommended more user-friendly systems such as mobile phones, citing Duo Security as an example of a mobile app authentication provider.
Duo’s Director of Product Marketing, Ash Devata also attended the London conference, and he shared his perspective on the conference’s security trends and products:
A major trend this year was interest from customers in the end user experience of security products. The analysts also talked about the importance of making security easy for business groups and how it can impact the overall effectiveness of the program. The fact is, it's not easy to build a security product that is exceptionally secure yet easy for end users. This is what we [Duo Security] managed to do for two-factor authentication and it resulted in 7000+ customers in four years. We are working harder to continue to push the bar.