Two-factor or not two-factor? That is the security question

AP Twitter hack and Verizon's 2013 security report rachet up calls for general deployment of two-factor authentication

The drumbeat for stronger online authentication swelled this week, the beginnings of a death knell predicting the passing of lowly password-based security.

The highly visible hijacking of the Associated Press Twitter account may have been a tipping point, as it unleashed a new round of calls by security experts for wider use of two-factor authentication. This type of authentication requires two different kinds of evidence before granting users access when they log into websites and online services. Evidence typically consists of some combination of a detail known by the user (for example, a password, a  PIN, or an access code sent to a second device, such as a smartphone); an item owned by the user such as an ATM card or a smart card; or a physical attribute of the user -- a biometric feature such as a fingerprint or retina scan.

Microsoft had already jumped on that bandwagon -- sort of -- by offering the option of two-factor authentication to users of Outlook.com, Skype, and SkyDrive. Microsoft's move followed recent similar initiatives by Apple, Google, and Facebook to help customers secure their accounts against hacking.

Google further flew its security flag this week by joining Lenovo, PayPal, and others as a member of the Fast Identity Online (FIDO) Alliance. FIDO seeks to supplant the reliance on passwords by developing alternative methods -- such as a built-in finger scan or a USB memory drive with a password -- for verifying users' identities. Sam Srinivas, who leads information security efforts for Google, said in a statement: "We look forward to continuing our current development work on strong, universal second-factor tokens as part of a new FIDO Alliance working group."

As if to underscore the point that mere passwords are passé, the Twitter hack coincided with the release of Verizon's 2013 data breach report, which pointed the finger at single-factor authentication as a primary culprit in security spills. According to the report, 76 percent of network intrusions in 2012 exploited weak or stolen credentials.

The case for two-factor authentication would appear to be a slam dunk. But not all security experts praise the solution as a remedy for all security ills. InfoWorld's Roger Grimes this week listed two-factor authentication as the No. 1 dud on his list of security solutions that don't deliver.

Better authentication can't hurt security, but it isn't a panacea for our larger computer crime issues, despite the legions who appear to believe that 2FA alone can save them. What 2FA does well is it prevents someone who's not using the device you're using pretend to be you. Got that? If you require 2FA to use a particular service and the bad guy hasn't compromised your endpoint, then it will be harder for the bad guy to pretend to be you from an alternative location or device.

However, most computer crime is committed by bad guys who've compromised the victim's legitimate device by taking advantage of unpatched software or inducing the user to unknowingly execute a Trojan. Call it a man-in-the-endpoint attack. Attackers then use the user's legitimate access for bad acts. Unfortunately, 2FA can't change that; in fact, 2FA has been shown to be useless in endpoint attacks over and over.

It might be nice to live in a world where all our insecurities could be solved with a neat two-factor authentication check list, but in the real world the situation is sure to grow more complicated. As if the current crop of security woes isn't enough, get ready for the Internet of Things, with a new generation of millions and millions of connected devices all talking to each other. IT execs will need to be aware of how all those data points tie in to their networks -- and stay on top of a new passel of security headaches.

The security arms race is guaranteed to escalate.

This article, "Two-factor or not two-factor? That is the security question," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow InfoWorld.com on Twitter.

Copyright © 2013 IDG Communications, Inc.