
Two-Factor Authentication Breaks Free from the Desktop

Dark Reading, archived Apr 16, 2026

Threat actors know how to bypass security systems outside of traditional IT environments. Implementing 2FA could provide a needed extra security barrier in the physical world.



Arielle Waldman, Features Writer, Dark Reading
April 16, 2026

These days, organizations require two-factor authentication (2FA) to log into a variety of platforms and applications, such as messaging apps, cloud services and virtual private networks (VPNs). However, the average driver may not be aware that 2FA can protect the car sitting in their driveway.

Authentication measures are consistently crucial as phishing campaigns become more sophisticated, and attackers steal credentials in mounting data leaks. Now 2FA is expanding beyond traditional IT computer use cases to include the physical world as well. Protocols can keep hackers from compromising the heat pump warming the house, breaching medical devices treating patients, or driving away in a stolen car.

Two-factor authentication is now considered a hygiene factor for traditional IT systems as well as physical security, explains Kalyan Arety, director of product management at SecureW2, warning that users shouldn't blindly trust devices. Concerns particularly extend to Internet of Things (IoT) and protecting supply chain integrity, adds Arety.

While organizations can apply 2FA to protect physical environments across a variety of industries, auto and healthcare have made plenty of strides already.

How Is the Auto Industry Using 2FA?

Attacks targeting cars are becoming increasingly sophisticated, explains Keyfree Technologies VP David Berg.
Organized crime rings are using electronic systems to clone car keys, he tells Dark Reading.

"They know where people are located and when the time is right, they send someone to retrieve the car in the driveway without the user knowing, because it's stolen with a key," Berg explains.

Canadian insurers and law enforcement have become concerned, says Berg, who is based in Toronto.

Since the attacks are similar to ones observed on computers, like man-in-the-middle or spoofing, implementing 2FA looks like a viable way to address the non-IT related problem, he adds. Keyfree has developed 2FA technology that combines hardware installed in the car and a mobile application where users authenticate a key fob with a one-time password in order to start the car.

Bypassing Security Systems

Attackers target a variety of cars, but they usually prefer older cars because they're easier to steal. Electric cars are less affected because they are always connected to the internet. It's hard to make them disappear since they're constantly tracked, explains Berg.

"The challenge is that not only are people beating things like steering wheel clubs and bypassing GPS trackers, but they're also doing things that are very sneaky," Berg says. "[They're] bypassing built-in security systems by doing relay attacks and key cloning. People are bypassing these security systems."

There is a growing interest in multifactor authentication (MFA) for keyless vehicles, observes Lisa Caldwell, commercial U.S. manufacturing and automotive industry practice leader at Marsh. She attributed the evolution to increasing thefts and new technology, which has left few possible solutions under evaluation since companies know that users want frictionless security options.
"While auto companies have known of the vulnerability for a while, challenges with convenience, reliability, and cost slowed progress," Caldwell tells Dark Reading.

Instead of entering a code, as on a computer, auto companies are considering 2FA using secure digital keys with ultra-wideband capabilities that require proximity to the vehicle, biometrics like face ID or fingerprints, and a PIN-to-drive model like an ATM with no extra communication steps.

That brings up another challenge, explains Caldwell, highlighting how there are no clear standards for authentication.

Trade groups like SAE International and the International Organization for Standardization have focused more on outcomes to manage safety and security, and now mechanisms for vehicle entry, adds Caldwell.

Right now, it is unlikely people will see a direct regulatory requirement for authentication, but there will be more focus on broad cybersecurity requirements for vehicles, adds Caldwell.

Progress may be slow because, as is the case with any 2FA requirements, usability could pose issues. The authentication measure provides a high level of security, but it is mainly suitable for occasional actions only, and not acceptable for everyday use, explains Dr. Bastian Holderbaum, global director of functional safety and cybersecurity at automotive software company FEV.io GmbH.

"For interactions that happen frequently, like unlocking or starting the vehicle, mandatory 2FA is not convenient for the users," Holderbaum tells Dark Reading.

Healthcare Enters the Chat

Healthcare is another highly targeted industry pushing to incorporate 2FA into daily practices. Devices like dialysis machines and any big diagnostic machine that captures patient healthcare information will have 2FA or MFA enabled to protect sensitive data, says Arety.
The key is to implement 2FA to ensure that data residing in the device is encrypted and, when users actually transmit data, to secure communication between the device and the central control plane, he adds.

"It's all driven by policy," Arety tells Dark Reading. "All inherent, implicit policy that pushes the second, third, or fourth factor before you issue that certificate."

Medical devices such as infusion pumps, imaging systems, and electronic health record terminals are network-connected and high-value targets for cybercriminals, explains Keeper Security CISO Shane Barney. Therefore, some healthcare organizations now require clinicians to enter both a physical credential and PIN before they can interact with sensitive equipment or patient data, adds Barney.

"When unauthorized access to medical infrastructure carries real-life safety consequences, the bar for identity assurance must be higher than a single factor," Barney says. "That bar should also extend to the quality of the factors themselves."

Barney warns that authentication methods like SMS-based codes, while still commonly used, remain vulnerable to interception and SIM-swapping. Implementing 2FA could also "close a category of risk that most threat models still don't account for," he adds.

"Whether someone is unlocking a server room, accessing a medical device, or authorizing a wire transfer, the underlying question is the same: Can you prove who you are through at least two independent channels?" Barney says.

About the Author

Arielle Waldman
Features Writer, Dark Reading

Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity related in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, hoping to provide context and actionable steps. She looks for stories that go past the initial news to understand where the industry is going.
She previously lived in Florida where she wrote for the Tampa Bay Times before returning to Boston where her cybersecurity career took off at SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and poetry collection.