Wednesday 25 June 2014

Two Factor Authentication Revisited

Passwords are not secure

I talk about two factor authentication (or 2FA, as the kids and marketing people are calling it) a lot, and with good reason: passwords are not secure!

Sites like this give you an insight into how secure your password is:
https://howsecureismypassword.net

It also rightly states that sites can steal your password, and if they have it, it doesn't matter how strong it is: they know it.  It doesn't matter if my password takes seconds or years to crack; if the bad guys have it, they don't need to crack it.

What are the factors for authentication?

Authentication can be made up of multiple factors, and by using more than one of them (hence the term two factor authentication) you add security and make it harder for the bad guys to log in as you.  The factors are:

  • Something you know
  • Something you are given
  • Something you are
  • Somewhere you are

Something you know
This includes usernames, passwords, PINs, patterns, etc.  It is information you could give to someone else, and they could then log in as you.

Something you are given
If you have a bank account with one of the major banks, you will probably have a physical token or software token which generates a seemingly random string of numbers.  This is an OTP (One Time Password), which has a limited lifespan before it becomes invalid, so it can only be used in that moment in time.  The OTP can also be delivered via SMS or telephone call.

Something you are
This is where we move into the realms of biometrics, where fingerprints, iris scans, voice scans, etc. are used to authenticate you.

Somewhere you are
There are solutions that work in conjunction with GPS devices to locate you in the world, so that you are only able to log in if you are in a specific area.

Two Factor Authentication as we know it

For two factor authentication, we traditionally work with the first two: something you know and something you are given.  To access the solution, you would need to provide a username, a password and an OTP.  This is something I have been advocating for over eight years, because if I have your password I can log in as you.  With two factor authentication running, I would also need access to the device or software that is generating the OTP.
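To make the "something you are given" factor concrete, here is an added example (my own illustration, not code from this post or from MTI) of how a time-limited OTP is generated and how a server combines it with a password check. It assumes the standard HOTP/TOTP construction (RFC 4226 and RFC 6238: HMAC-SHA1 over a counter, 30-second time step, 6 digits), which is what most hardware and app tokens implement; the password side uses PBKDF2 as a stand-in for whatever hash the real site uses, and the function names (`match_totp`, `authenticate`, `make_account`) are my own. Two details a practitioner should care about are shown explicitly: a small drift window so a token whose clock is slightly off still works, and a "last used counter" so the same code cannot be replayed inside that window.

```python
import hashlib
import hmac
import os
import struct
import time

# ---- "Something you are given": the one time password ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the current 30-second step.
    This is why the code 'expires': the counter moves on and the old MAC is gone."""
    return hotp(secret, int(at_time) // step, digits)


def match_totp(secret: bytes, candidate: str, at_time: int,
               step: int = 30, digits: int = 6, window: int = 1):
    """Return the time-step counter the candidate matches, or None.
    Accepts +/- `window` steps to tolerate token clock drift; the string
    comparison is constant-time so timing does not leak which digits matched."""
    base = int(at_time) // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


# ---- "Something you know": the password (PBKDF2 chosen for illustration) ----

def hash_password(password: str, salt: bytes = None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(recomputed, digest)


# ---- Combining both factors at login ----

def make_account(password: str, otp_secret: bytes) -> dict:
    """Hypothetical account record: salted password hash, shared OTP seed,
    and the last OTP counter that was accepted (for replay protection)."""
    salt, digest = hash_password(password)
    return {"salt": salt, "pw_digest": digest,
            "otp_secret": otp_secret, "last_counter": -1}


def authenticate(account: dict, password: str, otp: str, at_time: int) -> bool:
    """Both factors must pass. The OTP is additionally rejected if its
    counter has already been used, so a captured code cannot be replayed
    within the drift window."""
    pw_ok = check_password(password, account["salt"], account["pw_digest"])
    counter = match_totp(account["otp_secret"], otp, at_time)
    otp_ok = counter is not None and counter > account["last_counter"]
    if pw_ok and otp_ok:
        account["last_counter"] = counter
        return True
    return False


if __name__ == "__main__":
    # Constructed demo values: RFC 6238's ASCII test seed, not a real secret.
    seed = b"12345678901234567890"
    acct = make_account("correct horse", seed)
    now = int(time.time())
    code = totp(seed, now)
    print("current code:", code)
    print("login with password + fresh OTP:", authenticate(acct, "correct horse", code, now))
    print("replay of the same OTP:", authenticate(acct, "correct horse", code, now))
```

With the RFC 6238 seed, `totp(seed, 59)` yields `287082`, and the same code is still accepted at `t=89` (one step of drift) but refused at `t=150`. Note that SMS delivery, as used by the sites mentioned later in this post, replaces the shared-seed generator with a server-generated random code sent out of band; the "one counter, one use" rule applies just the same.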

Many high profile hacks have been carried out using administrative passwords; if these had been coupled with an OTP, they would have been a lot more difficult to achieve.

Why use two factor authentication?

We understand the importance of it when it comes to money, so it's a given that we should be using it for banking.  In fact, many online gaming sites can issue tokens to secure your gambling or your online gaming persona.

I use social media: Facebook for family and friends, two Twitter accounts (one for work and one for play) and LinkedIn for work.  All of these outlets say something about me, so if they were compromised, there would be a reputation issue I would need to tackle.  Like most people, I have web based email, and although there is nothing too precious there, I wouldn't necessarily want it opened up to all!

Who can offer two factor authentication?

Google: With the Google ecosystem, you have one password for a number of applications, so Google offer two factor authentication, whereby they send a code to you via SMS.  This is used in tandem with your username and password.  It means you will need your mobile with you to access the applications, but it saves having to carry additional tokens. http://www.google.com/landing/2step/

LinkedIn: My professional profile is on this site, so the last thing I'd want is for it to be tampered with.  Fortunately LinkedIn also offer to SMS a code to your mobile phone before anyone can log in as you. http://blog.linkedin.com/2013/05/31/protecting-your-linkedin-account-with-two-step-verification

Facebook: Although this is less critical, I wouldn't want people being able to manipulate my profile.  I know Facebook have some good measures in place around logging in from countries you don't traditionally log in from, but you can also add two factor authentication for browsers that you haven't logged in from before. https://www.facebook.com/note.php?note_id=10150172618258920

These are just some examples of commonly used sites, but remember passwords are not secure.  If we know this as a fact, why aren't more sites offering two factor authentication?

If you are looking to protect remote access solutions, internal applications, operating systems or even public cloud applications, all of these can be protected with third party solutions provided by MTI.
