Blog

What is Two-Factor Authentication?

When you attempt to access data on a server, an authentication process runs behind the scenes to prove that you are who you claim to be; authorization then decides what that identity is allowed to access. Authentication can be as simple as entering a password. Some servers even allow anonymous access, which lets anyone request data without proving anything about themselves (this is acceptable only for genuinely public content and has no place in a secure server environment).

Authentication Basics

When you connect, the client and server perform an initial exchange called a handshake. The server proves its identity (with a certificate in FTPS, with a host key in SFTP) and the two sides agree on fresh session keys, so that your credentials, and the data that follows if those credentials are accepted, travel over an encrypted channel.

Both TLS (the successor to SSL, used by FTPS) and SSH (used by SFTP) rely on public-key cryptography, but not to encrypt the transferred data itself. The public key is used to authenticate the other party and to establish a shared session key; that session key is then used with a fast symmetric cipher to encrypt the bulk data. Anything encrypted to a public key can only be decrypted by the matching private key, and anything signed with the private key can be verified by anyone who holds the public key (see our QuickStart on public-key authentication for more information).

This is called asymmetric encryption because it uses two different keys, one public and one private, which work together as a pair. It is a very strong form of protection, so long as the private key's confidentiality is intact. The private key must remain inaccessible to anyone but its owner at all times. If a third party obtains the private key, they can impersonate the owner to every server that trusts the matching public key, and they can decrypt anything that was encrypted to that public key.

Authentication for Your Authentication

The most convenient and common method of authentication is software-based, single-factor authentication. The client software installed on the computer you're using handles the entire key-exchange and data-transfer process, including generating the public and private keys. The key pair is stored on the computer on which it was generated, with the private key protected by file permissions that restrict it to its owner and, ideally, by a passphrase that encrypts it at rest.

The absolute necessity of keeping the private key secret can be a hindrance, however. Suppose an employee gets a new computer and needs to keep accessing the same server. The safest course is not to move the key at all: generate a fresh key pair on the new machine, enroll its public key on the server and revoke the old one. If a private key truly must be copied, carry it on physical media such as an encrypted flash drive and wipe the media afterwards; never send it over e-mail, chat or a shared network folder.

Even a private key that is never shared has one remaining weakness, and it is not a slight one. To use the key, the client software must load it into the computer's memory, where a key agent may hold it unencrypted for the whole session, and it also sits in a file on disk. Malware or an attacker with sufficient access to that machine can read it from either place. Single-factor key authentication is therefore only as strong as the computer the key lives on.

Two-factor authentication answers these problems by requiring a second, independent proof alongside the usual credential: something you have (a token or device) or something you are, in addition to something you know or a key stored on your computer. Even if an attacker steals the password or the private key, the second factor must also be present, which makes illegitimate access significantly harder. This method is preferred for enterprises where targeted attacks are likely and the exposure of single-factor authentication is too great a risk.

Some two-factor authentication systems use biometrics for their second proof, such as fingerprint or retinal scanning. The most versatile second factor, however, comes in the form of a hardware token. No factor is foolproof on its own; the strength of the scheme is that an attacker must now defeat two independent ones.

The token is a separate piece of hardware which contains everything needed to generate its own key pair and to perform the private-key operations (signing, and decryption where the protocol needs it) on board. The private key is created inside the token and never leaves it: the computer hands the token a challenge and receives back only the result, so the key never appears in the computer's memory, even for an instant. This also provides mobility, since you carry your private key with you rather than having it tied to a single computer, which works well for employees who move around the company or to off-site locations. The token should itself be protected by a PIN or a physical touch, so that losing it does not hand the key to whoever finds it.
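The challenge-response exchange just described can be modelled in a few dozen lines. The following is an added example written for this page, not code from the original post or from Cornerstone, and it is a software stand-in for the hardware: the `SigningToken` class generates its key pair internally and exposes only the public key and a `sign` operation, while the `Server` class stores nothing but public keys and issues a fresh random challenge per login. The key size, the use of textbook RSA without padding, and the class and function names are all assumptions made for illustration; the structure of the exchange, not the arithmetic, is the point.

```python
"""Added example: challenge-response login against a token that never
exports its private key. Illustrative code for this page, not a product's
implementation. Textbook RSA (no padding) and a 1024-bit modulus are used
only to keep the example self-contained; real tokens use PKCS#1 v1.5/PSS,
ECDSA, or the FIDO protocols, and much the same message flow.
"""
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set (so p*q has the intended size)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


class SigningToken:
    """Stand-in for a hardware token: the key pair is generated inside and
    only the public key and signatures ever leave. There is deliberately no
    method that returns the private exponent."""

    def __init__(self, bits: int = 1024):   # assumed size, for speed
        e = 65537
        while True:
            p, q = random_prime(bits // 2), random_prime(bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and phi % e != 0:
                break
        self._n = p * q
        self._d = pow(e, -1, phi)          # private exponent: never exported
        self.public_key = (self._n, e)     # the only key material that leaves

    def sign(self, challenge: bytes) -> int:
        """Sign SHA-256(challenge). The 256-bit digest is far below n, so
        pow(sig, e, n) recovers it exactly (textbook RSA, demo only)."""
        h = int.from_bytes(hashlib.sha256(challenge).digest(), "big")
        return pow(h, self._d, self._n)


class Server:
    """Knows only public keys. Issues one random challenge per attempt and
    refuses a signature over any challenge it did not just issue, so a
    captured signature is useless a second time."""

    def __init__(self):
        self.enrolled = {}   # username -> (n, e)
        self.pending = {}    # username -> outstanding challenge

    def enroll(self, user: str, public_key) -> None:
        self.enrolled[user] = public_key

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, signature: int) -> bool:
        nonce = self.pending.pop(user, None)   # single use
        if nonce is None or user not in self.enrolled:
            return False
        n, e = self.enrolled[user]
        expected = int.from_bytes(hashlib.sha256(nonce).digest(), "big")
        return pow(signature, e, n) == expected


def login(server: Server, user: str, token: SigningToken) -> bool:
    """One full exchange: server -> challenge, token -> signature, server verifies."""
    return server.verify(user, token.sign(server.challenge(user)))
```

Two things to notice: the server's database holds only public keys, so breaching it yields nothing an attacker can log in with, and a signature observed on the wire is bound to a nonce the server will never issue again. In a real deployment the `sign` call is a PKCS#11 or FIDO request to the device, which additionally requires the PIN or touch mentioned above.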

According to Symantec, 80% of security breaches could be prevented with two-factor authentication.

Cornerstone MFT Server offers multi-layer security for data storage and document collaboration. This includes perimeter security, two-factor authentication, and the latest NSA-approved encryption standards. With zero-point-of-exposure encryption for data at rest, Cornerstone is an essential part of your enterprise's security strategy.