These days, organizations require two-factor authentication (2FA) to log into a variety of platforms and applications, such as messaging apps, cloud services and virtual private networks (VPNs). However, the average driver may not be aware that 2FA can protect the car sitting in their driveway.
Authentication measures are consistently crucial as phishing campaigns become more sophisticated, and attackers steal credentials in mounting data leaks. Now 2FA is expanding beyond traditional IT computer use cases to include the physical world as well. Protocols can keep hackers from compromising the heat pump warming the house, breaching medical devices treating patients, or driving away in a stolen car.
Two-factor authentication is now considered a hygiene factor for traditional IT systems as well as physical security, explains Kalyan Arety, director of product management at SecureW2, warning that users shouldn’t blindly trust devices. Concerns particularly extend to Internet of Things (IoT) and protecting supply chain integrity, adds Arety.
While organizations can apply 2FA to protect physical environments across a variety of industries, auto and healthcare have made plenty of strides already.
How Is the Auto Industry Using 2FA?
Attacks targeting cars are becoming increasingly sophisticated, explains Keyfree Technologies VP David Berg. Organized crime rings are using electronic systems to clone car keys, he tells Dark Reading.
“They know where people are located and when the time is right, they send someone to retrieve the car in the driveway without the user knowing, because it’s stolen with a key,” Berg explains. Canadian insurers and law enforcement have become concerned, says Berg, who is based in Toronto.
Since the attacks are similar to ones observed on computers, like man-in-the-middle or spoofing, implementing 2FA looks like a viable way to address the non-IT-related problem, he adds. Keyfree has developed 2FA technology that combines hardware installed in the car with a mobile application in which users authenticate a key fob with a one-time password in order to start the car.
Bypassing Security Systems
Attackers target a variety of cars, but they usually prefer older cars because they’re easier to steal. Electric cars are less affected because they are always connected to the internet. It’s hard to make them disappear since they’re constantly tracked, explains Berg.
“The challenge is that not only are people beating things like steering wheel clubs and bypassing GPS trackers, but they’re also doing things that are very sneaky,” Berg says. “[They’re] bypassing built-in security systems by doing relay attacks and key cloning. People are bypassing these security systems.”
There is a growing interest in multifactor authentication (MFA) for keyless vehicles, observes Lisa Caldwell, commercial U.S. manufacturing and automotive industry practice leader at Marsh. She attributes the evolution to increasing thefts and new technology, which has left only a few candidate solutions under evaluation, since companies know that users want frictionless security options.
“While auto companies have known of the vulnerability for a while, challenges with convenience, reliability, and cost slowed progress,” Caldwell tells Dark Reading.
Instead of entering a code, as on a computer, auto companies are considering 2FA using secure digital keys with ultra-wideband capabilities that require proximity to the vehicle, biometrics like face ID or fingerprints, and a PIN-to-drive model like an ATM with no extra communication steps. That brings up another challenge, explains Caldwell: there are no clear standards for authentication.
Trade groups like SAE International and the International Organization for Standardization have focused more on outcomes to manage safety and security, and now mechanisms for vehicle entry, adds Caldwell.
Right now, it is unlikely people will see a direct regulatory requirement for authentication, but there will be more focus on broad cybersecurity requirements for vehicles, adds Caldwell.
Progress may be slow because, as is the case with any 2FA requirement, usability could pose issues. The authentication measure provides a high level of security, but it is mainly suitable for occasional actions and not acceptable for everyday use, explains Dr. Bastian Holderbaum, global director of functional safety and cybersecurity at automotive software company FEV.io GmbH.
“For interactions that happen frequently, like unlocking or starting the vehicle, mandatory 2FA is not convenient for the users,” Holderbaum tells Dark Reading.
Healthcare Enters the Chat
Healthcare is another highly targeted industry pushing to incorporate 2FA into daily practices. Devices like dialysis machines and any large diagnostic machine that captures patient healthcare information will have 2FA or MFA enabled to protect sensitive data, says Arety. The key is to implement 2FA so that the data residing on the device is encrypted and, when users actually transmit data, the communication between the device and the central control plane is secured, he adds.
“It’s all driven by policy,” Arety tells Dark Reading. “All inherent, implicit policy that pushes the second, third, or fourth factor before you issue that certificate.”
Medical devices such as infusion pumps, imaging systems, and electronic health record terminals are network-connected and high-value targets for cybercriminals, explains Keeper Security CISO, Shane Barney. Therefore, some healthcare organizations now require clinicians to enter both a physical credential and PIN before they can interact with sensitive equipment or patient data, adds Barney.
“When unauthorized access to medical infrastructure carries real-life safety consequences, the bar for identity assurance must be higher than a single factor,” Barney says. “That bar should also extend to the quality of the factors themselves.”
Barney warns that authentication methods like SMS-based codes, while still commonly used, remain vulnerable to interception and SIM swapping. Implementing 2FA could also “close a category of risk that most threat models still don’t account for,” he adds.
“Whether someone is unlocking a server room, accessing a medical device, or authorizing a wire transfer, the underlying question is the same: Can you prove who you are through at least two independent channels?” Barney says.