Protecting Logins with a Second Authentication Factor
Two-factor authentication is catching on for a variety of consumer Web services. For those of you not in the know, this isn't all that new. Years ago, various computer vendors set out to improve things with hardware-based two-factor authentication: something uniquely in your possession that would generate a one-time code to work with a security appliance and better secure your logins. RSA made millions in this market, and over the years these tokens have been used by millions of users. One of the first consumer-based services to implement two-factor tokens was PayPal, back in 2006. The service continues to sell tokens for $30.

Nowadays, instead of requiring hardware tokens, PayPal and other vendors are making use of cellphone text messaging and smartphone apps to provide the second factor. Physical tokens have become passé: they can get lost or left behind. Having alternatives that are cheaper and easier to carry is one of the reasons that two-factor authentication is on the rise. In the past year Apple's iTunes, Twitter and Facebook have joined PayPal in offering this kind of improved login security. Let's take a look at what is offered, how their approaches differ and how far we have come.

The basic process used by most of the vendors augments logins by requiring users to register their phone numbers and then sending them one-time codes as text messages. Once this code is sent, you have a limited amount of time to verify your login. For example, my bank uses this method whenever I want to add a new payee to my bill-paying service. Most consumer Web services take a similar approach. Google calls it 2-Step Verification, and it requires you to verify your mobile number with your Google Account. iTunes handles it in a similar fashion: once you sign in with your Apple ID, you select Password and Security, then Two-Step Verification, and begin the registration process. Once that's done, you see the prompt below when you want to sign into your account.
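To make the "one-time code with a limited time to use it" step concrete, here is an added example (not code from the article or from any of the services it names) of the server-side half of that process: issuing a random six-digit code, keeping only a keyed hash of it, and accepting it once, within a five-minute window, with a cap on wrong guesses. The in-memory store, the 300-second window and the five-attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed: code must be used within five minutes
MAX_ATTEMPTS = 5         # assumed: after this many wrong guesses the code is void


class SmsCodeStore:
    """One pending SMS code per user, kept in memory (assumed; a real service
    would persist this). Only a keyed hash of the code is stored, so a leaked
    table does not reveal live codes."""

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock for testing
        self._key = secrets.token_bytes(32)   # server-side secret for the hash
        self._pending = {}                    # user -> [hash, expires_at, attempts_left]

    def _digest(self, user: str, code: str) -> bytes:
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        """Create a fresh code for the user; caller hands it to the SMS gateway."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded to 6 digits
        self._pending[user] = [self._digest(user, code),
                               self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, user: str, code: str) -> bool:
        """True exactly once, for the right code, before it expires."""
        rec = self._pending.get(user)
        if rec is None:
            return False
        expected, expires_at, attempts_left = rec
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[user]           # expired or locked: force a new code
            return False
        rec[2] -= 1                           # count the attempt before comparing
        if hmac.compare_digest(expected, self._digest(user, code)):
            del self._pending[user]           # single use: a replay must fail
            return True
        return False


def walkthrough() -> dict:
    """Exercise wrong guess, correct code, replay, lockout and expiry."""
    clock = [1_000.0]
    store = SmsCodeStore(now=lambda: clock[0])
    code = store.issue("alice")
    wrong = "000000" if code != "000000" else "999999"
    out = {"wrong": store.verify("alice", wrong),
           "right": store.verify("alice", code),
           "replay": store.verify("alice", code)}
    code = store.issue("alice")
    for _ in range(MAX_ATTEMPTS):
        store.verify("alice", wrong)
    out["locked"] = store.verify("alice", code)
    code = store.issue("alice")
    clock[0] += CODE_TTL_SECONDS + 1
    out["expired"] = store.verify("alice", code)
    return out
```

The hash does not make a six-digit code hard to guess; the attempt cap and the expiry are what keep online guessing out of reach, and the single-use deletion is what stops a replay.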
Google's Gmail has had this approach in place for several years, and has slowly rolled it out for the domains it hosts for Google Apps as well. Facebook calls its process "Login Approvals." You get to it from the gear icon's Security Settings. It works similarly to the Google and iTunes approaches: it started with the same SMS two-factor process by registering your phone, and early in August it added better security for iPhone and Android users.

These aren't the only two-factor services available. Plenty more are listed on LifeHacker.

What if you want to implement two-factor authentication in your company to cover more than just personal Web accounts? You're in luck. There are literally dozens of security vendors willing to take your money. I reviewed a sampling of eight different tools for Network World earlier this year. These are very complex products to install and manage, as they touch a variety of places within your network infrastructure. Of course the consumer-based services are easier to implement, but they don't protect against all exploits, such as Man-in-the-Browser attacks, where a bad actor can hijack your session after you have logged in. But they do improve your security posture and are worth taking a closer look at.