Multi-factor authentication – protect your digital life3
Wired’s Mat Honan recently had his ‘digital life’ destroyed when his Google, Twitter and Apple accounts were all compromised. The story spread like wildfire across the internet as an example of how seemingly small security lapses can leave every one of your online properties at risk. You can read about Mat’s experiences via the link above and, without being overly dramatic, it’s quite harrowing. Mat admits early on the article that “password-based security mechanisms — which can be cracked, reset, and socially engineered — no longer suffice in the era of cloud computing.”
We see so many examples, almost on a daily basis, of passwords failing to protect a digital ecosystem. So why do half of CIOs believe a simple log-in and password is a secure enough form of authentication to protect their network and applications? As Mat revealed: “Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened.”
That’s certainly true. Two factor authentication is being made more readily available and there are many easy to ways to implement it (see Anil Saldhana‘s Security & Identity Management Blog). Gmail, Google apps, Amazon Web Services (AWS) and others all offer the option of turning on strong authentication with either a mobile OTP app or a token. While this is only the first step, it significantly improves a user’s security compared to a username and password.
I was reading Lysa Myers’ blog for Intego last week, asking how multi-factor authentication will help us stay secure in the future. I agree with her view that there will be more factors available for authentication and different implantations of those factors. Geolocation and device fingerprint look to be the two leaders in the next wave of authentication, but I don’t think we can wait for the future of multi-factor to arrive: we need to move now.
There are still far too many businesses that are still using the bare minimum when it comes to security (username/password). While emerging technologies hold promise for a more secure system, it is important that we get businesses to move toward stronger forms of authentication now and not down the road. We need to see more adoption of strong authentication, which in time could allow the user to select the identity factors (username, OTP, Mobile, device mapping, Biometric, geolocation… you get the picture). Companies need to take this first step and implement a strong authentication system. As technology evolves, companies will be able to add in additional identity options that will (I hope) continue to increase both the security and the convenience of authentication.
Have you been putting off improving your security or have Mat’s experiences convinced you to make the move now? Let us know in the comments section below!