Your Strong Authentication Token May Already be in Your Pocket

Last updated: 19 March 2014

Gene Spafford, professor of computer science at Purdue University and a leading computer security expert, once said this about IT security: “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts.”

True enough. With new and evolving threats appearing seemingly every day, how do we keep our online identities and data secure? While we can’t turn to concrete, we can turn to strong authentication.

When you hear “strong authentication,” what runs through your mind? I usually hear “Do I really need that?” followed by “What is it going to cost me?”

First, yes, you need it. The first step to gaining access to a cloud service or your network is the login process. Did you know that this is the step at which most data breaches occur? According to a recent Verizon/Secret Service data breach study, 86 percent of records breached across all industries were the result of stolen login credentials.

This means that the username and password you are using to authenticate yourself to your systems are not strong enough to protect your identity and your data. How can you prove that you really are who you say you are? What you need is strong, or multi-factor, authentication, which adds another layer of authentication security. This typically comes in the form of “something you have,” such as a token or a device, and sometimes “something you are,” a biometric such as a fingerprint.

Second, on the question of what it will cost: the answer may shock you, but you can strengthen the security of your login process for very little cost at all. You can actually use something that you already have and probably carry with you all of the time – your mobile phone.

By simply downloading an application, you can turn your phone into a one-time password (OTP) device. The application generates a different password for every login, which you must enter each time you sign in. OTPs provide a higher level of identity assurance than a simple, static password, and are a form of strong authentication.

Mobile OTPs allow you to quickly and cost-effectively strengthen your security with strong authentication, especially for remote users accessing cloud services. They are also a sound starting point as you evolve toward stronger forms of authentication, and you should always keep in mind that the more layers of security you can implement, the better.

The end goal? A full certificate-based identity solution enabling data encryption and digital signatures. But it isn’t called “evolution” for nothing. Start with what you have, and then work to be stronger in the future. It is really that simple, even without the concrete.

You can see more of my musings over at the Enterprise Security blog.