
Question

To log in to our web app, our security team is insisting on 2FA as it is hosted on our internal network.

The proposed solution is to have a standard username (email address) and password login, which will then trigger a four digit PIN emailed to the user which they will have to enter to log in.

To my mind that is two sides of the same coin (something the user knows) - using the email address, rather than sending the PIN to a phone number or a physical token.

Is this strictly 2FA? Is it just a negative experience to the user interrupting the login process flow in return for little gain in terms of security?

Explanation / Answer

It is considered 2FA, although you may hear some argue that it's not "true" 2FA. The reason is that the three factors of authentication are "something the user knows", "something the user has", and "something the user is". Presumably, in 2FA, email is considered "something the user has", although in order to log in to their email, typically all the user needs to know is another set of user name and password (unless your company already had 2FA on email).

Many systems, esp. financial institutions and now Google, FB, Twitter, Microsoft Account etc., will use a phone number because that is more along the lines of what the user has.

2FA is going to be a worse login experience than single-factor, but it comes down to what's at stake. If it's high business impact information (such as sensitive data, ability to make financial transactions, customer PII), typically 2FA will be favored over user experience.

Having said that, security is only as good as its weakest link. So even after you have applied 2FA for users, if the underlying data is accessible in some other way without 2FA, then it's really just an annoyance for the users (and yes, I have seen examples of people trying to do that!).
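The emailed-PIN step the question proposes, written out as an added example (not code from the question or the answer). A four-digit PIN has only 10,000 possible values, so the code below makes each PIN single-use, short-lived, and limited to a few attempts before the user must repeat the password step; `send_email` is a hypothetical callable and the TTL and attempt counts are assumed values.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

PIN_TTL_SECONDS = 300   # assumed: a PIN is valid for five minutes
MAX_ATTEMPTS = 3        # assumed: three wrong guesses invalidate the PIN


class PinChallenge:
    """Second-step challenge created after the password check succeeds."""

    def __init__(self, user: str, now: float):
        self.user = user
        # Four digits, as proposed; zero-padded so "0042" is a valid PIN.
        self.pin = f"{secrets.randbelow(10_000):04d}"
        self.expires_at = now + PIN_TTL_SECONDS
        self.attempts_left = MAX_ATTEMPTS
        self.consumed = False


class EmailPinStep:
    def __init__(self, send_email: Callable[[str, str], None]):
        self._send_email = send_email          # hypothetical mail hook
        self._pending: Dict[str, PinChallenge] = {}

    def issue(self, user: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        challenge = PinChallenge(user, now)
        self._pending[user] = challenge        # replaces any earlier PIN
        self._send_email(user, f"Your login PIN is {challenge.pin}")

    def verify(self, user: str, submitted: str,
               now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        challenge = self._pending.get(user)
        if challenge is None or challenge.consumed:
            return False
        if now > challenge.expires_at or challenge.attempts_left <= 0:
            del self._pending[user]            # expired: start over
            return False
        challenge.attempts_left -= 1
        if hmac.compare_digest(challenge.pin, submitted):
            challenge.consumed = True
            del self._pending[user]            # single use
            return True
        if challenge.attempts_left == 0:
            del self._pending[user]            # too many wrong guesses
        return False
```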
