Two-Factor Authentication Primer
A rather shocking set of survey results made their way around
the Web in late April 2013, and they don’t bode well for either
the integrity of consumers’ personal information or the general
security of enterprise brands’ Web presences.
The research, from Lieberman Software, revealed that more than 70 percent of IT security professionals would not be willing to bet $100 of their own money that their companies would not suffer a data breach in the next six months. With that level of confidence, it’s no surprise that the topic of security is top-of-mind with both consumers and digital-facing enterprises — as it should be — yet not much is driving real-world action. The Lieberman Software study also revealed that one-third of organizations don’t even have a policy of making it compulsory to change default passwords when deploying new hardware, applications and network applications to the corporate network.
“These figures highlight the fact that IT security professionals realize that most organizations are woefully unprotected against cyber-attacks,” said Philip Lieberman, president and CEO of Lieberman Software, commenting on the research.
If enterprises aren’t even protecting themselves, what hope do consumers have that those same companies are protecting their personal information? As an industry, we can do better. So, what, if anything, can your enterprise do today to prevent what seems inevitable? In a word, improve your “authentication” efforts — the technical process of determining whether someone (a user) is who they claim to be.
In private and public computer networks (like the Internet), authentication is commonly achieved through the use of usernames and passwords. Nevertheless, as you may well know, these “security” efforts are not always the safest of methods to protect accounts. In this (singleauthentication) scenario, knowledge of the password is assumed to guarantee that the user is authentic as each registered user does so with a self-declared password. The weakness of single-factor authentication is that passwords can be stolen, accidentally revealed and as likely happened to you more than once — forgotten. But that’s not all — the digital rogues of the ’Net also try to hammer their way in on occasion.
Numerous security experts issued warnings this past April about brute-force password guessing attacks against sites that were powered by popular blogging and content management platform WordPress and the providers that host those sites. What made the broader attack so malicious was that infected sites were seeded with backdoors that let the attackers control the site remotely. The compromised sites were then forced to launch password-guessing attacks against other sites running WordPress. Web hosting provider HostGator suggested at the time that the problem grew to include well over 90,000 compromised sites by the time the attack was even noticed.
There’s a better way — multi-factor authentication is a process where the requesting entity presents additional evidence of its identity, decreasing the probability that the user’s request is false. The number of authentication factors is important as it implies a higher probability that the bearer of the identify evidence actually holds that identify in another realm (e.g. a computer system or real life — like a FOB key or an ATM card). These factors are something the user knows (a password or PIN), something the user has (mobile phone) or something the user is (biometric characteristic). But as far as we’ve come in the world of technology, multi-factor authentication (let’s call it more than two) isn’t yet possible. Besides, do you really want to use a retina-scanning machine to access your Twitter account?
One way that the savviest brands are approaching security today is through the use of two-factor authentication, which requires the use of two of the three authentication factors. Two-factor authentication is increasing in popularity and is in use by many of the most popular sites — from Google and PayPal to Facebook and Dropbox. The use of two-factor authentication helps consumers protect their personal information and helps enterprises maintain the integrity of their systems. There are some very interesting companies poised to help digital brands take the next step in security.
For example, cloud-based two-factor authentication provider DuoSecurity saw growth of more than 400 percent in 2012. Duo, which protects three of the top-five global social networks, serves a broad range of clients from Fortune 500 to SMBs in many sectors including Toyota, Etsy, Random House, Duke University and the State of Ohio Department of Transportation.
“By making two-factor authentication easy for both users and IT staff, Duo has effectively removed the largest hurdles most companies face in adopting two-factor authentication to protect their accounts,” said Dug Song, CEO and cofounder, Duo Security in a February 2013 statement. “Nearly half of our customers had never deployed two-factor previously — or were able to!”
Duo Security is clearly one of the leaders but certainly not the only two-factor authentication provider in the market today. Others are also making some big waves in an innovative digital sea. San Francisco-based identity startup Clef rolled out a mobile app, in late June, to replace the less secure one-factor identify authentication system with a visually dynamic login pattern — letting users leverage their mobile phones to identify themselves.
When users visit any site within the Clef network, (just 250 sites
are currently integrated — see below for some of them), they will
be able to log in with one click (additional details below). Clef’s
architecture uses a combination of paired mobile devices, cloudbased
data services and 2048-bit asymmetric key cryptography
for maximum identity protection. Sort of makes usernames and
passwords look like wagons and buggy whips.
Once a user downloads the app (available for both iOS and Android), he or she sets up a secure digital profile, which enables the user to send a personal digital signature to any sites they’re logging into. When that user visits a site integrated with Clef, they select the “Log in With Your Phone” button to activate the Clef Wave, a unique visual pattern signal. Holding their phone to the computer screen then sends the digital signature and activates a new session.
Websites that currently use Clef include StackOverflow, StartupExchange, HootSuite, LiveJournal and WordPress. In fact, there’s even a Clef plugin for WordPress.
“Clef is leveraging the mass adoption of smartphone technology to make an identity platform for the modern Web, by creating a totally new approach to logging securely in online,” said Brennen Byrne, CEO of Clef. “We’ve built a mobile app that enables any site to recognize a user based on their personal smartphone, instead of credentials they have to remember or type. Clef puts military-grade cryptography in the hands of every user — and it’s infinitely more secure than what currently exists for consumers.”
Security should be a major concern for brands of all sizes and the first step serious digital enterprises should take today is to move from single-factor to two-factor authentication. If your users’ personal information remaining secure is important, I bet you a $100 you’ll get started soon.
DON'T MISS: Patching Up Holes in Your Security System
According to a 2012 study conducted by the National Cyber Security Alliance, nearly 40 percent of all cyber security attacks are targeted at small businesses. Compared with big enterprise companies that often have robust security teams and generous security budgets, small business can be an easy target for hackers. Many small businesses don’t allocate enough resources to their security systems or have little knowledge on how to stay safe from the schemes of cyber villains. Start patching the holes in your digital security system today.