We want to talk to you today about a topic that has been around for a while now, but is starting to bubble up in the eyes of many security and compliance experts – and that is the idea of multi-factor authentication.
Now when we look at a lot of the data breaches that have happened over the years, a lot of times they are blamed on user negligence, most often the reuse of the same or a similar password between a consumer account, such as Yahoo! Mail or LinkedIn, and a corporate VPN account.
When these types of environments are breached, what the attackers are usually after is the credentials themselves, because a username and password stolen from one site can be replayed against another, more valuable service where the same person reused them.
Unfortunately, we see that people are not very cognizant about choosing strong passwords. The most common password is 123456, followed by the word "password", which is quite startling and of course the butt of many jokes.
Now the reality is that a lot of us, roughly 40 to 50 percent, are reusing the same password across services. Be it a strong password or a weak password, we are recycling it. And even a strong password does not help if the site holding it stores it insecurely, in plain text or with a weak hash, and someone gains access to that store: regardless of the strength of the password, they now hold the credentials and can reuse them somewhere else.
Now part of the reason this is bubbling up is compliance regulations. When we look at PCI DSS, for example, the latest round of changes requires multi-factor authentication for any administrator who is not signing on directly at the server console, that is, for all non-console administrative access to the cardholder data environment. So we want to take advantage of a technology that not only confirms that the credentials are correct, but also confirms that the person presenting those credentials is the user they belong to.
Now the way we approach this is through multi-factor authentication. It is often called two-factor authentication because most implementations use exactly two factors. It comes down to proving at least two out of three distinct things: something you know, something you have, and something you are.
Now the something you know is typically going to be a password. Most of us rely on that as one of the factors. It is worth noting that the second factor cannot be another password, a PIN, or a security question, because those are all still things you know, and anything that is only known can be phished, guessed, or leaked the same way the first password was.
So we want to combine what we know with a factor such as something you are, which may be a fingerprint, an iris or retina scan, or similar biometric. If you have an iPhone you are probably familiar with using your thumbprint to unlock your phone.
You can also use something you have, which is usually a device or a communication channel that lets the server reach you directly. If you do any online banking or work with the IRS, a lot of times when you sign in you supply your password and then they send a one-time code, often to your cell phone. You enter that code, and the assumption is that you not only know your password but are also in possession of that particular device. One caveat worth knowing: codes sent by SMS are the weakest form of the possession factor, because a phone number can be hijacked through a SIM swap or a port-out, so an authenticator app, a push notification, or a hardware token is preferable where the user population allows it.
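What the server has to get right behind that one-time code is easy to overlook, so here is an added example (not HelpSystems code and not taken from the original post) of the server side of the flow just described. The delivery channel is a hypothetical `send` callback that stands in for an SMS or push gateway, and the storage is an in-memory dictionary; both are assumptions so the example runs offline. The points it demonstrates are the ones that separate a sound implementation from a leaky one: the code is generated with a cryptographically secure source, only a keyed hash of it is stored, it expires, it is single use, wrong guesses are capped so a six-digit code cannot be brute-forced within its lifetime, and the comparison is constant-time.

```python
"""Server-side issue/verify logic for an out-of-band one-time code.

Added example, not HelpSystems code. `send` is a hypothetical delivery
callback (SMS, push, e-mail) and the pending-code store is in memory so the
example runs offline; all names are illustrative.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class PendingCode:
    digest: bytes          # keyed hash of the code, never the code itself
    expires_at: float      # absolute time in seconds since the epoch
    attempts_left: int     # wrong guesses allowed before the code is voided


class OneTimeCodeService:
    """Issue and verify short numeric codes as the 'something you have' factor."""

    def __init__(self, send: Callable[[str, str], None], *,
                 digits: int = 6, ttl_seconds: int = 300, max_attempts: int = 5,
                 clock: Callable[[], float] = time.time):
        self._send = send
        self._digits = digits
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock                        # injectable for testing expiry
        self._server_key = secrets.token_bytes(32)  # hypothetical per-deployment secret
        self._pending: Dict[str, PendingCode] = {}

    def _digest(self, user: str, code: str) -> bytes:
        # Keyed hash: a dumped table of pending codes is useless without the key,
        # and binding the user name prevents one user's code being replayed as another's.
        return hmac.new(self._server_key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str, destination: str) -> None:
        """Generate a fresh code for `user`, store its hash, and deliver it."""
        # secrets.randbelow is uniform and unpredictable; zfill keeps leading zeros
        code = str(secrets.randbelow(10 ** self._digits)).zfill(self._digits)
        self._pending[user] = PendingCode(
            digest=self._digest(user, code),
            expires_at=self._clock() + self._ttl,
            attempts_left=self._max_attempts,
        )
        self._send(destination, f"Your sign-in code is {code}")

    def verify(self, user: str, code: str) -> bool:
        """Return True exactly once for the correct, unexpired code."""
        entry = self._pending.get(user)
        if entry is None:
            return False                     # nothing issued, or already consumed
        if self._clock() > entry.expires_at:
            del self._pending[user]          # expired: the user must request a new one
            return False
        # Constant-time compare so timing does not leak how many bytes matched
        if hmac.compare_digest(entry.digest, self._digest(user, code)):
            del self._pending[user]          # single use: a replayed code fails
            return True
        entry.attempts_left -= 1
        if entry.attempts_left <= 0:
            del self._pending[user]          # guess limit hit: void the code entirely
        return False


if __name__ == "__main__":
    # Constructed demo: the "gateway" just records what it would have sent.
    outbox = []
    svc = OneTimeCodeService(lambda dest, msg: outbox.append((dest, msg)))
    svc.issue("alice", "+1-555-0100")
    delivered = outbox[-1][1].split()[-1]
    print("first use:", svc.verify("alice", delivered))   # True
    print("replay:   ", svc.verify("alice", delivered))   # False
```

The same structure applies whether the code travels by SMS, push notification, or e-mail; only the `send` callback changes. What must not change is that the server never stores or logs the clear-text code, and that every failure path (expired, wrong, exhausted) looks identical to the client so an attacker cannot tell which one they hit.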
HelpSystems has solutions in this space. We have two-factor authentication built into some of our products, and we also offer a solution designed specifically for enabling two-factor authentication.
Now the way we've approached this is to deliver a one-time code through a YubiKey, a mobile phone, or a desktop application, so that the user can obtain that code and enter it in addition to the password. At that point we have verified not only that the credentials are correct, but that the person presenting them also holds the device we registered to that user.
If you would like more information about our multi-factor solution, request a live demo today.