Celebrating World Password Day: Evolution of 2FA

May 7th, 2020 | security & compliance

In 2013, The Registrar of National Day Calendar designated the first Thursday in May as “World Password Day.” This day is meant to promote higher password standards and better habits. Are you still using your cat’s name + 123 for your password? Today is the perfect day to reevaluate how you are protecting your digital identities. But let’s be honest - with all of the mobile and desktop applications, online shopping sites, social media logins, and work/life communications we are managing, especially in the digital transformation of the COVID-19 quarantine era, passwords alone are not enough. As a matter of fact, the era of passwords is over thanks to the evolution of two-factor authentication (2FA).

Let’s start this discussion with what an authentication factor is. An authentication factor is a method of identity verification. There are three main types of authentication factors:

  • Type 1 - Something You Know - such as passwords, PINs, combination codes, basically anything you can remember and recall when needed.
  • Type 2 - Something You Have - includes physical objects, like keys, smart phones, smart cards, USB drives, token devices.
  • Type 3 - Something You Are - things like fingerprints, palm scanning, facial recognition, retina scans, voice verification, biometrics.

Now let’s embark upon the evolution of 2FA. Once upon a time, the general rule was to secure your digital identity with just one factor - typically a password, or something you know. As cybersecurity and hackers’ techniques became more advanced, with attacks such as credential stuffing, phishing, password spraying, keylogging, brute force attacks, or simply finding that login information you wrote down on a sticky note and put under your keyboard, organizations and individuals began to recognize that they needed to apply additional layers of security on top of the password. Hence, two-factor authentication (2FA), better known as multi-factor authentication (MFA), entered the arena.

You may not even realize it, but you use multiple forms of authentication in other ways besides your online account logins. The last time you went to take cash out of the ATM, you inserted your debit card - something you have - and verified your identity with your PIN - something you know. Here’s the problem with basic multi-factor authentication, like the PIN and debit card scenario: we lose things. We lose our debit card. We lose that sticky note with our password information. Our laptop gets lost or stolen - in fact, one laptop is stolen every 53 seconds! Over 70 million smartphones are lost each year, with only 7% being recovered - who among us has not lost a cell phone at one point? Admins, how many times have you had to reset a password due to a lost device?

As the evolution of 2FA/MFA continued, technology advanced, and modern-day MFA now supports biometric authentication - fingerprints, eye scanning and facial recognition. Although you are less likely to lose a biometric feature of yourself, the downside is that standard MFA uses static rules that require users to authenticate every 👏 single 👏 time 👏 they log in to an application. Every user has been there and every helpdesk has heard the complaints - a user is in the midst of an important meeting or on a conference call, needing to log in to an application to grab a datasheet from Excel or customer information from Salesforce, and boom - stopped in their tracks, having to pause to accept the MFA request. Needless to say, static MFA does not create the best user experience, and it also does not always effectively protect against more sophisticated cyber threats, like spear-phishing. Enter the future - from 2FA (better known as MFA) to adaptive authentication, which uses information about a user’s behavior to determine whether the login is coming from that user or not.

OneLogin’s SmartFactor Authentication™ implements adaptive authentication, leveraging machine learning and our Vigilance AI™ risk score to adjust authentication requirements in real time, based on the risk level of the login. This solution analyzes a range of inputs, such as location, device, time of day, and browser, to calculate a risk score and determine the most appropriate action for each login attempt. This could mean that the user is still prompted for MFA, that the MFA prompt is suppressed if the behaviors are typical of that user, or that the user is blocked from logging in entirely if the behavior is far outside of the user’s norm. This allows administrators and helpdesk to feel confident about the level of security, while still creating a positive user experience. SmartFactor Authentication takes it a step further, allowing organizations to define authentication flows to defend against brute force attacks, reduce account lockout and enable frictionless logins for low-risk users. Worried your users are still using their cat’s name + 123 despite World Password Day? OneLogin’s Compromised Credential Check is also part of SmartFactor Authentication and will compare a user’s username and password combination against a database of compromised credentials.
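
The adaptive flow described above, as an added example (not OneLogin’s code or its Vigilance AI model): a per-user baseline of location, device, time of day and browser yields a risk score that maps to suppressing MFA, prompting for it, or blocking the login. The weights, thresholds, and the names Profile, context, risk_score, decide and demo_profile are assumptions made for this illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

# Assumed weights and thresholds, chosen for illustration only.
WEIGHTS = {"country": 40, "device": 30, "hour": 20, "browser": 10}
MFA_THRESHOLD, BLOCK_THRESHOLD = 30, 80

def context(country, device, browser, hour):
    """Normalise a login attempt; hours are grouped into 6-hour windows."""
    return {"country": country, "device": device,
            "browser": browser, "hour": hour // 6}

@dataclass
class Profile:
    """Counts of signal values seen in a user's past successful logins."""
    seen: dict = field(default_factory=lambda: {s: Counter() for s in WEIGHTS})
    logins: int = 0

    def learn(self, ctx):
        # Call only after a fully authenticated login, so failed or
        # blocked attempts never become part of the baseline.
        for signal in WEIGHTS:
            self.seen[signal][ctx[signal]] += 1
        self.logins += 1

def risk_score(profile, ctx):
    """0 = every signal matches history; 100 = none has been seen before."""
    if profile.logins == 0:
        return MFA_THRESHOLD  # no baseline yet: always ask for a second factor
    score = sum(weight * (1 - profile.seen[signal][ctx[signal]] / profile.logins)
                for signal, weight in WEIGHTS.items())
    return round(score)

def decide(profile, ctx):
    """Map the score to the three outcomes the text describes."""
    score = risk_score(profile, ctx)
    if score >= BLOCK_THRESHOLD:
        return "BLOCK", score
    if score >= MFA_THRESHOLD:
        return "MFA", score
    return "ALLOW", score  # MFA prompt suppressed

def demo_profile():
    """Constructed history: ten office-hours logins from one laptop."""
    profile = Profile()
    for _ in range(10):
        profile.learn(context("US", "laptop-1", "Firefox", 9))
    return profile
```

With the constructed history, a login matching the baseline is allowed without a prompt, a new device and browser from the usual country triggers MFA, and a login where every signal is unfamiliar is blocked.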

We have come a long way since the days of protection by password alone. To celebrate this World Password Day, change your password from your cat’s name and add at least a basic level of MFA to all of your accounts using OneLogin Protect. This one-time password mobile app is free, available on all major platforms and performs MFA with the click of a button. Interested in learning more about SmartFactor Authentication and what the passwordless future looks like? See a Demo of OneLogin: Trusted Experience Platform in Action today. Happy World Password Day! 🌏

About the Author

Alexa Slinger is a Product Marketing Manager for OneLogin and has five years of experience in Identity & Access Management, in both the government and private sector. Her educational background is in Business & IT Management, and prior to IAM she spent seven years in sales, marketing & training roles.
