Wednesday, April 5, 2017

Two-Factor Authentication – Uses and Misses

By Dirk Sweigart, CISSP, PMP, Cybersecurity Working Group Member

A key part of securing assets is establishing the identity of an individual who wishes to access that asset in some way.  We need to be sure that the person who is making the request is who he or she claims to be.  The asset can be a control system, a building, a VPN or an application, to name a few.  Two-factor authentication is becoming relatively common as a method of confirming that identity.
The concept of two-factor authentication is relatively simple and is an example of defense in depth.  In order to establish your identity, you need to provide something you know (such as a password) and something you have (such as a token or smart card).  You could also provide something you are (such as a fingerprint).  These should be two independent methods or technologies - having multiple passwords is not two-factor authentication.
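As an added example (not code from the original post), the following verifier requires both independent factors described above: a password (something you know) checked against a salted PBKDF2 hash, and a time-based one-time code (something you have) computed per RFC 6238 from a secret shared with the user's token or phone authenticator app. The enrollment values are constructed for the demo.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample enrollment (not real credentials): the "something you know"
# is stored only as a salted PBKDF2 hash; the "something you have" is a secret
# shared with the user's hardware token or authenticator app at enrollment time.
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)
TOTP_SECRET = b"constructed-demo-secret-not-real"


def check_password(candidate: str) -> bool:
    """Factor 1: something you know. Constant-time compare of PBKDF2 hashes."""
    h = hashlib.pbkdf2_hmac("sha256", candidate.encode(), SALT, 100_000)
    return hmac.compare_digest(h, PASSWORD_HASH)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), as an authenticator app computes it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_totp(candidate: str, now: int, secret: bytes = TOTP_SECRET) -> bool:
    """Factor 2: something you have. Tolerate one step of clock drift either way."""
    for drift in (-1, 0, 1):
        expected = totp(secret, now + drift * 30)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def authenticate(password: str, code: str, now=None) -> bool:
    """Both factors must pass. Both are always evaluated, so a failure response
    does not reveal which of the two factors was wrong."""
    now = int(time.time()) if now is None else now
    pw_ok = check_password(password)
    otp_ok = check_totp(code, now)
    return pw_ok and otp_ok
```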

While two-factor authentication can significantly decrease the ability of an imposter to steal an identity, it comes at a cost, both in money and time.  So, like any solution, it should be used where the reduction in the level of risk justifies the use.  

Typical uses for two-factor authentication include general access to sensitive on-line applications (think of getting a code sent to your smart phone when you log into a financial application on-line), establishing a VPN connection for remote access, and physical access.  It also can be used in manufacturing for an initial log-in such as for an operator or engineer.

Two-factor authentication may not be appropriate for situations where identity needs to be established quickly.  It can be very quick to type in a password or scan an ID but doing both could take too long in a situation where a quick response is required.  It can also become cumbersome if it has to be done often.  

In some situations, two-factor authentication can significantly protect against identity takeover and should be strongly considered.  For example, if a system can be compromised by remote access such as a hacker, then a second factor (such as a card being read by a proximity sensor) can establish local presence, protecting the system against remote takeover.

Considerations for protecting critical assets should take into account the advantages of two-factor authentication and compare them to the effort to implement and use it.  In many cases, with the proper design, the additional security is worth the cost and efforts.  

About the Author

Dirk Sweigart, CISSP, PMP (Applied Control Engineering, Inc.) is an MES Solutions Manager and Cybersecurity Expert at Applied Control Engineering, Inc. in Newark, DE.  He has over thirty years' experience developing systems for process control, SCADA, MES and business applications with DuPont, INVISTA, Koch Industries and ACE.  Dirk also teaches cybersecurity and SCADA at the Wilmington University graduate school.  He is an information member of the ISA-95 Committee and a member of the MESA Cybersecurity Working Group.  You can reach him at sweigartd@ace-net.com.