Two-Factor Authentication

It’s somewhat odd how certain security technologies have very slow adoption rates: a great product, service, or technique can languish in obscurity for years before becoming popular and widespread.

My own thought is that IP Video followed this path, and PSIM (Physical Security Information Management) is in the throes of this reality right now.

But this post is about neither of those.  The subject is securing access to computer networks, servers, and applications.  Specifically, Two-Factor Authentication.

Without getting too technical for a general readership, everyone knows that most security for IT networks, applications, and web services involves a username and password.  Enter the right username and password and, if authorized, you are granted access to the particular program, network, or application.  Simple enough, right?  Yes.  Maybe even too simple.

Over a decade ago now, it was not uncommon for some larger enterprises with field staff (think technicians, sales reps, branch operations, etc.) to want “more” when it came to allowing these remote staff members to access their enterprise networks.  They did this by adding “Two-Factor Authentication” to the process of logging in remotely to enterprise resources.  In this sense, these enterprises were the “early adopters” of this technology.

Simply put, in addition to entering a username and password to log in to the corporate network from a hotel room, a user of Two-Factor Authentication receives a code (generated on the fly) from a separate device or separate technology, and that code must also be entered into the logon page for access to the corporate network.  Ten years ago this separate device was typically an RSA token (about the size of a luggage tag, but with a small LCD window to display the code).

Again, this was ten years ago that this technology was being used.  It worked great as long as the token was remembered (and kept separate from the laptop being used to log in to the corporate network!) and was functioning.  I recall seeing more than one user of the system have to call in to support for faulty tokens back in the early days; the price paid by early adopters, I suppose.

So, Two-Factor Authentication has been with us for some time, but it languished in a pretty narrow segment of the IT space for many years, namely corporate enterprises that had field staff and wanted to take that “extra” step to secure their data.

Today, that is all changing.  Quickly and somewhat dramatically.  Two-Factor Authentication is becoming more mainstream and not limited to large corporate enterprises any longer. 

Security breach after security breach of online content and networks has made the news.  From Twitter accounts being hacked to credit card databases and everything in between, access to your favorite web account, profile, application, corporate network, or cloud app is subject to greater security risk than at any time in our history.

What has helped Two-Factor Authentication gain traction (tons of news stories have covered it in the last few months) is largely ingenuity in accomplishing that second authentication.  A token is no longer the only option.  In fact, entire companies are springing up and building a service model around Two-Factor Authentication that uses smartphone apps, SMS text messages, and phone calls. (One I’ve been following for some time is Duo Security, venture backed and growing.)

With nearly everyone carrying a mobile phone these days, these devices are replacing the tokens of old (although they still exist and are used in some applications).  Popular blogging platform WordPress has plug-ins by various vendors to implement Two-Factor Authentication on blog accounts.  Google Accounts like Gmail and Google Docs have the option (called two-step verification).  Apple has the option available for those with an Apple ID.  The list of cloud services and web applications making this available is growing daily.

Implemented properly, Two-Factor Authentication improves security and seems to be gaining acceptance in the marketplace.  The trade-off, of course, is that it slows a legitimate user down (albeit typically by only seconds), and that can be a challenge when users simply want to get online and reach their information.  Still, adoption is growing, as the many past stories of compromised accounts have made individuals consider their options when it comes to keeping their data safe and secure.

Password Photo by: Mark Falardeau/Flickr

Token Photo by: Travis Goodspeed/Flickr

About Vince Regan

Vince Regan, CPP, PSP, PCI is one of the most highly credentialed security professionals in the world. As Voice of Security President, he works full time to inform and educate colleagues in the security industry.
