Tuesday, August 30, 2011

Passwords, Hacking and Two-Factor Authentication

There's a lot of discussion lately about the hacking of major web sites - Citibank, Sony and others are prime examples of what happens when the worst happens.  There's little that a user can do to prevent that type of hacking (in these cases the perpetrators attacked the servers, not the users), but users can certainly take simple precautions like choosing a hard-to-crack password.

This article in the LA Times offers a step-by-step guide to picking a good password.  There's a different point to be made here, though, about security in general, and that's this:

Regardless of which password you select, unless your account is protected by what the web site security industry calls "two-step" or "two-factor authentication" - something you know (the password) plus something you have (a device) - it is significantly more likely to be hacked, because a stolen or guessed password is then all an attacker needs.

This second factor could be, for example, the highly reviled "security token" (a "key fob") showing a series of numbers that changes every minute or so.  (Anyone that does business banking online knows what those are.) But these fobs are easily misplaced or forgotten, leading to a huge hassle for the user.

In today's world, though, security tokens are getting tossed on the junk pile in favor of a new method utilizing text messaging from the device that everyone already carries… their cell phone.  After all, if cell phones have already replaced cameras, navigation systems, calculators and boarding passes, why not the hated "fob" provided for this single purpose?

In a properly designed system the user sees a one-time code appear on their screen after entering the proper ID and password.  The code then has to be sent via text message to a specially designated number, and ONLY from the phone number pre-associated with that ID and password.  If no code is sent, if the wrong code is sent, if the code arrives too late, or if the right code is sent from any other phone number, access is denied.  The code should be valid for only a short window and usable only once, so that a code an attacker happens to see on screen cannot be reused later.
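The server side of the check just described, as an added example written for this page (it is not TextPower's TextKey code or any vendor's implementation). It assumes an enrolment table mapping each user to one phone number, a two-minute validity window, and that the SMS gateway hands the server the sender number and message body; the names `issue_challenge` and `handle_inbound_sms` are invented for the example. It enforces the four denial cases above plus single use, and the verdict is computed from the code and the sender number together, so a correct code from the wrong phone is rejected and consumed.

```python
"""Reverse-SMS second factor (added example, not TextKey's own code).

Flow: after ID and password check out, the server shows a one-time code
on screen.  The user must text that code to the service's number from
the phone enrolled for the account.  The SMS webhook then calls
handle_inbound_sms() with the sender number and message body.
"""
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120  # assumption: the code must be texted back within 2 minutes

# Constructed enrolment table: user id -> phone number registered at signup.
ENROLLED_PHONES = {
    "alice": "+15555550100",
    "bob": "+15555550199",
}

# Pending challenges keyed by code -> (user, issued_at).  Keyed by code
# because the inbound SMS carries only a sender number and a body, not a
# web session.
_pending = {}


def normalize_number(raw):
    """Reduce a phone number to '+' plus digits so that '(555) 555-0100'
    and '+1 555 555 0100' compare equal.  Assumes a US default country
    code for bare 10-digit numbers (assumption, not a general parser)."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def issue_challenge(user, now=None):
    """Called only after ID and password have been verified.  Returns the
    code to display on screen.  Eight characters from an alphabet without
    0/O/1/I, drawn from the OS CSPRNG, so it is neither guessable nor
    easily mistyped."""
    if user not in ENROLLED_PHONES:
        raise ValueError("no phone enrolled for this account")
    now = time.time() if now is None else now
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    while True:
        code = "".join(secrets.choice(alphabet) for _ in range(8))
        if code not in _pending:
            break
    _pending[code] = (user, now)
    return code


def handle_inbound_sms(sender, body, now=None):
    """Called by the SMS webhook.  Returns (granted, detail).

    Access is granted only if the body is an unexpired pending code AND
    the sender is the phone enrolled for the user that code was issued
    to.  The code is consumed on any attempt that names it, whatever the
    outcome, so it cannot be replayed or retried from another phone.
    """
    now = time.time() if now is None else now
    code = body.strip().upper()
    entry = _pending.pop(code, None)
    if entry is None:
        return False, "unknown or already used code"
    user, issued_at = entry
    if now - issued_at > CODE_TTL_SECONDS:
        return False, "code expired"
    expected = ENROLLED_PHONES[user]
    # Constant-time comparison; the number, not the code, is the secret
    # binding here, so treat it like one.
    if not hmac.compare_digest(normalize_number(sender), expected):
        return False, "code sent from a phone not enrolled for this account"
    return True, user


if __name__ == "__main__":
    shown = issue_challenge("alice")
    print("code shown on screen:", shown)
    print(handle_inbound_sms("(555) 555-0100", shown))   # (True, 'alice')
    print(handle_inbound_sms("(555) 555-0100", shown))   # replay is refused
```

Because the challenge is keyed by the code rather than by a session, the server must make the code space large enough that two live challenges cannot collide and that an attacker cannot text guesses faster than codes expire; eight characters from a 32-symbol alphabet and a two-minute window leave ample margin for both.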

Security is critical but has to be done right - and conveniently - or it's useless.  For an illustration of how security can be done right see TextPower's new product called "TextKey™".  It's easy to implement, inexpensive and doesn't require any additional equipment at the web site or for the user.
