Tuesday, May 21, 2019
A research paper by Google and New York University, titled Evaluating Login Challenges as a Defense Against Account Takeover, found that two-factor authentication can prevent bad actors from confiscating login credentials. This conclusion supports prior studies with comparable findings, but the research goes further by adding new metrics to the mix.
“Our analysis reveals that even weak, knowledge-based challenges can offer hijacking protections against automation to billions of users without requiring any enrollment,” researchers wrote. “That said, the security posture of users plays an important role in protecting against more sophisticated attacks.”
Presented at the 30th annual Web Conference, held May 17 to 19, 2019, in San Francisco, the report evaluated risk-based authentication methods. Consumers who use devices and secondary accounts to verify their identities are 10 times more protected against phishing and targeted attacks, according to the study. However, researchers found that even weak authentication can thwart hostile account takeovers.
Mounir Hahad, head of Juniper Threat Labs, Juniper Networks, remarked that Google and NYU researchers provided useful metrics but could have made specific recommendations based on their findings. Security analysts already know which methods are stronger than others, he stated.
“This study does not introduce any new protection mechanism,” Hahad said. “It only studies real world effectiveness of existing methods. We kind of knew qualitatively which methods are stronger than others and which created more friction with users, but having a quantitative study is very good so that risk can be better evaluated.”
Google and NYU researchers pointed out that while security analysts have been urging consumers to move beyond simple passwords, challenge questions and multifactor authentication methods can reinforce password security. They recommend using password keys to protect login credentials.
Following are additional key findings cited in the report:
Hahad pointed out that consumers want simple, transparent, frictionless authentication, and they may reject complicated or cumbersome security schemes. Privacy concerns are also a factor. “Who among the general population knows how to or wants to go through the use of a third-party authenticator app or carry around a hardware token key?” he said.
He also discussed consumers’ reservations about SMS authentication. “As for the SMS code method, well, people will start giving Google their phone number when Google agrees to only use it solely for this purpose,” he said, adding that Google can already map Android users’ online activities with their phone numbers. “In general, it is a very good idea to enable two-factor authentication wherever you can,” he noted.