
Multi-factor authentication – protect your digital life


Wired’s Mat Honan recently had his ‘digital life’ destroyed when his Google, Twitter and Apple accounts were all compromised. The story spread like wildfire across the internet as an example of how seemingly small security lapses can leave every one of your online properties at risk. You can read about Mat’s experiences via the link above and, without being overly dramatic, it’s quite harrowing. Mat admits early on in the article that “password-based security mechanisms — which can be cracked, reset, and socially engineered — no longer suffice in the era of cloud computing.”

We see so many examples, almost on a daily basis, of passwords failing to protect a digital ecosystem. So why do half of CIOs believe a simple log-in and password is a secure enough form of authentication to protect their network and applications? As Mat revealed: “Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened.”

That’s certainly true. Two-factor authentication is being made more readily available and there are many easy ways to implement it (see Anil Saldhana’s Security & Identity Management Blog). Gmail, Google Apps, Amazon Web Services (AWS) and others all offer the option of turning on strong authentication with either a mobile OTP app or a token. While this is only the first step, it significantly improves a user’s security compared to a username and password.

I was reading Lysa Myers’ blog for Intego last week, asking how multi-factor authentication will help us stay secure in the future. I agree with her view that there will be more factors available for authentication and different implementations of those factors. Geolocation and device fingerprint look to be the two leaders in the next wave of authentication, but I don’t think we can wait for the future of multi-factor to arrive: we need to move now.

Far too many businesses are still using the bare minimum when it comes to security (username/password). While emerging technologies hold promise for a more secure system, it is important that we get businesses to move toward stronger forms of authentication now and not down the road. We need to see more adoption of strong authentication, which in time could allow the user to select the identity factors (username, OTP, mobile, device mapping, biometric, geolocation… you get the picture). Companies need to take this first step and implement a strong authentication system. As technology evolves, companies will be able to add in additional identity options that will (I hope) continue to increase both the security and the convenience of authentication.

Have you been putting off improving your security or have Mat’s experiences convinced you to make the move now? Let us know in the comments section below!



  1. Comments

  2. Chris Marsden said:

    Ray, while I agree, unfortunately in the absence of it happening to them, there are not enough economic reasons for them to implement additional features for any type of security. Similarly, unless it is explained simply to individuals and in the absence of known instances plus convenience, people won’t do it either. Think Mat who is in the game!

  3. Chris,

    Thank you for the comment. I agree with you, but we have to start somewhere. There have been some good moves within the market to try and raise the collective IQ on these subjects, but one of the biggest challenges still remains the “it can’t happen to me” thought process. There are some who get it and others who have something happen (like Mat) where you feel the impact of not making the move before the attack happens. But we can’t just simply throw up our hands and give up. My hope and one of the reasons I write is to hopefully be able to get the attention of those who are in the know and have them begin to educate (and enforce) stronger levels of online identity. If people are educated about the need, it is my hope that we can see broader adoption of these critical security measures. The other option is to wait for someone like Apple to come out with two-factor authentication for the iPhone/iPad (note some of their recent investments) which will be a great vehicle for educating the masses. With this level of pain, solutions are typically not too far off.

    Thanks again,

    Ray

  4. Gerry said:

    Hacking (or being compromised) is a sad fact of the 21st century that we live in. We ALL need to be more proactive about our personal account security. In this day and age we need to take responsibility for our info. If you don’t trust the site, don’t use it. We have heard a million times: don’t use the same passwords, back up your info, and then there is two-factor authentication. 2FA has jumped into the spotlight over the last few months. It’s been around for a while but it is good to see some of the big companies like Google promoting this option. In this case, 2FA was an option that was made available to him and he did not see the need or want to take the time to set it, so it is his own fault. And the two A’s don’t offer it, and that would have limited the damage done. But the sad fact is there are millions of people just like him who are not taking advantage of this awesome functionality that is being offered to them by several sites. People need a wake-up call to kick this complacent attitude about authentication and passwords. My advice is to take advantage of the 2FA which allows you to telesign into your accounts. I know some will claim this makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. This should be a prerequisite to any system that wants to promote itself as being secure.
