In this second installment (see Two Factor Authentication & Password Managers – Part I) on two-factor or two-step authentication, I'll explore in more depth both virtual and physical two-factor authentication options you can start using today. In my Boston-based IT consultancy practice I get many questions from customers on the information security issues of the day. One of the most common issues I hear about is password security and, even more frequently, two-factor authentication. To explore this further, let's first define what two-factor authentication is:
Wikipedia defines two-factor authentication as:
Multi-factor authentication (also MFA, two-factor authentication, two-step verification, TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor (“something only the user knows”), a possession factor (“something only the user has”), and an inherence factor (“something only the user is”).
As an end user or even an IT administrator, you currently have a LOT of free and inexpensive options to deploy 2FA today. These exist both as software (virtual MFA) and as inexpensive physical hardware tokens. First, let's explore the software options:
Virtual MFA Applications
Virtual MFA applications allow you to install a free or paid application on your smartphone, desktop or tablet that allows you to supply a second factor for authenticating you to any service. Examples are:
Google Authenticator is a virtual MFA that lets you set up Google 2-step authentication. The Authenticator provides a one-time six-digit password for you to use during login to any of the many supported services.
Android, Blackberry, iOS, dozens of other 3rd party implementations
Google Authenticator works with a variety of services such as Google, Amazon Web Services, Salesforce, WordPress and dozens more. Additionally there are many
AWS Virtual MFA
Amazon's AWS Virtual MFA is a virtual MFA application for Amazon's cloud services. At this time it is available on the Android platform only. Amazon AWS also supports virtual MFA from Google Authenticator and Windows Authenticator on a variety of other platforms.
Microsoft's virtual MFA for Windows Phone comes in the form of Microsoft Authenticator. It works with Windows Azure and several other Microsoft services to offer multi-factor authentication.
Windows Phone 7.5-8.x
Symantec Virtual MFA
Symantec's virtual MFA application works much like the others but offers an even more dizzying array of supported options.
Android, Apple iPhone, iPad, Windows Mobile, Blackberry, Windows 7-8*, Mac OS* (*via VIP Access Desktop)
Hardware-based MFA solutions add an additional layer of security at a small cost. They are not subject to the weaknesses of a trojan or man-in-the-middle attack. A determined cybercriminal would have to obtain the device from you to gain access to the OTP it generates. This is in stark contrast with the known security issues of today's mobile smartphone platforms. Given the low cost and minimal complexity of this solution, it should be a no-brainer for the average user or systems administrator. Below are a few of the many options to investigate deploying:
PayPal Security Key
Gemalto MFA for Amazon AWS
Symantec Security Card/Token
Given the known weaknesses of today's password technologies, any technology that strengthens them until we have an alternative is welcome. 2FA options in virtual MFA and hardware MFA are inexpensive, easy to implement and a powerful step in the right direction. I hope that you will explore and deploy these easy solutions on the way to a more secure world.