In the never-ending war to prevent hacking, two-factor authentication has become the end-all answer. But guess what?
I.T. Security Specialists evidently have all agreed that password protection alone is not enough to protect against unauthorized access. Therefore, we need a second layer of security in case the password has been compromised. What do they do?
They introduce the three least secure technologies to the mix!
- the internet
- and cell phones
In a truly secure working environment, none of those three technologies should be available to the employee. Or at the very least, they should be severely restricted. Restrict cell phones? No, but definitely ban cameras and audio recording devices, which every smartphone has today.
Admittedly, texting a numerical code to an employee’s cell phone after they have entered their password does decrease the likelihood that someone other than the employee is accessing the system. But ….
I am not going to require employees to have a cell phone just to receive a two-factor code for security. That is just crazy! And it opens a Pandora’s Box of other security failures.
If I have properly secured the physical environment where the system resides, single-factor authentication is more secure than two-factor.
- The system is not accessible from outside my building (rules out internet)
- Passwords to unlock a workstation are different from program passwords (already have two-factor authentication)
- Access to the building is restricted
There’s my rant on two-factor authentication.
Comments
One response to “The Two-Factor Authentication Rage in I.T. Security Brings its Own Set of Problems and Risks”
Two-factor authentication is great for your Apple or Facebook accounts, but not for the workplace.