There is one small thing that could make the difference between a secure infrastructure and front-page news – it’s how you authenticate!
If you are still using just a username and password anywhere…at work, to access your banking account or your personal email, to access PayPal or your blog, then you may already be a victim! Well, maybe not, if you use a complex and unique password on each site, you change each of those passwords regularly, and you don’t share those passwords with anyone else or even write them down. Seriously, if you look at the biggest hacks of 2015 and the big news hacks from 2014 you should notice an alarming trend: many of them started with an attacker using stolen credentials from a relatively unprivileged account. Phishing attacks in particular are after one thing…user credentials. If they get a username and a password from just one of your users, they have a foothold they can use to get more access.
But what if a username and a password were worthless on their own? What if, in addition to a username and a password, your users also had to use a smartcard with a PIN, or they had to enter a unique numeric string from a fob or an app, or one that was sent to them in a text message? And what if that value could be used only once and only within a very short period of time?
That’s the idea behind two-factor authentication (2FA)/multi-factor authentication (MFA). What you call it is not important, and neither is the method you use as that additional factor, as long as it’s something that prevents stolen/guessed/shared/brute-forced credentials from being usable on their own. Personally, I prefer the solutions that use SMS messages to cell phones. Yes, not all SMS is encrypted, and I have read several very well written articles on why this isn’t a great solution, but I am going for three things: ubiquity, simplicity, and reliability. Almost everyone has a cellphone, reading a six to eight-digit number from a text message is easy for almost anyone, and SMS is reliable.
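As an added example (not code from the original post), this is how the “only once, only for a short time” property of an SMS code can be enforced on the server side; the six-digit length, the 120-second window, the attempt limit, and the in-memory store are assumptions, and handing the code to an SMS gateway is left to the caller.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # assumed length of the code sent by SMS
CODE_TTL_SECONDS = 120   # assumed validity window
MAX_ATTEMPTS = 5         # assumed guess limit before the code is discarded


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class SmsOtpStore:
    """Per-user store of outstanding codes (in-memory here; a real
    deployment would back this with a database or cache)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, useful for testing expiry
        self._pending = {}

    def issue(self, user: str) -> str:
        # CSPRNG, zero-padded so short values keep a fixed width.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # Issuing a new code replaces any earlier one for this user.
        self._pending[user] = PendingCode(code=code, issued_at=self._now())
        return code              # caller passes this to the SMS gateway

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False         # nothing outstanding, or already consumed
        if self._now() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[user]
            return False         # expired: the window has closed
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user]
            return False         # too many guesses: discard the code entirely
        if not hmac.compare_digest(entry.code, submitted):
            return False         # wrong code; constant-time compare
        del self._pending[user]  # correct: consume it so it can't be replayed
        return True
```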
Smart cards are an alternative solution and they work great for things that have smart card readers but not so much for mobile devices. Yes, you can do certificate authentication on a mobile device, but now you have two different systems depending on the client.
SMS-based systems work for anything that has Forms Based Authentication, and even Active Directory can use this method through Microsoft’s PhoneFactor and other systems. It’s a one-size-fits-all approach, as long as your users have a cellphone. And if they don’t, simple pre-paid phones are cheaper than RSA tokens or smart cards and readers, so you could always issue cheap “burners” to those users who legitimately don’t have a cellphone but still need to authenticate.
There is a great post over at https://socialcustomer.com/2014/04/how-to-enable-two-factor-authentication-on-50-top-websites-including-facebook-twitter-and-others.html on how to enable 2FA on some of the major sites online. It includes a few that don’t offer this yet, which is a shame if you notice how many of those suffered security breaches recently! Another great site is https://twofactorauth.org/ that lists all the services that do, and don’t, support 2FA and includes a Twitter campaign button to urge those that don’t to start. Check out both sites and consider whether you want to use those services that don’t offer this additional protection after so many high-profile hacks could have been stopped if they had.
Then, go enable 2FA on every site you use that supports it, and pressure those that don’t to enable it. Start pressuring the boss to deploy 2FA on the corporate network to secure both web-facing apps and desktop logons.
It’s 2016. Let’s make this the Year of 2FA.