Tue, Jun 4, 2013: With a recent surge in processing power and the ability to outsource password cracking to the cloud, password-only authentication is no longer sufficient to secure your critical data. Recently, researchers at Fortinet’s FortiGuard Labs published a report that predicted a marked increase in businesses migrating to two-factor authentication in 2013. Companies like Amazon, Apple, Dropbox, eBay, Facebook, Google and Microsoft have recently adopted two-factor authentication as a better means of securing their users’ data. According to TechNavio, the global two-factor authentication market is expected to grow 20.8 percent between 2011 and 2015, while Markets and Markets forecasted that the multi-factor authentication market will reach US$5.45 billion by 2017.
Why Single Factor Authentication is Doomed
“In the early days of Internet authentication, plain text passwords were often sufficient, as the number of threat vectors was minimal and processing horsepower and password repositories weren’t readily available to just anyone,” said Richard Henderson, security strategist and threat researcher for Fortinet’s FortiGuard Labs. “As newer password cracking tools, faster processors and always-on Internet connections arrived, plain text passwords started to come under fire. With the advent of cloud cracking services, such as Cloud Cracker, which leverages the power of distributed computing, 300 million password attempts can be made in as few as 20 minutes for around US$17. As such, even a strong, encrypted password can be cracked with a little patience.”
Two-Factor Authentication Best Practices
Protecting sensitive data online by using multiple factors of authentication is the best policy for ensuring the safety and integrity of data. However, when matching authentication methods to a user’s needs, don’t assume that any two methods will work for that particular purpose.
Two-factor authentication, also referred to as multi-factor authentication, strong authentication and 2-step verification, consists of two of the following three methods of authentication:
- Something a user “knows”: This can be a password, challenge question or finger swipe movement over the face of a mobile device. This is commonly known as a knowledge factor.
- Something a user “has”: This can be a small hardware device, such as a smart card, USB key fob or keychain dongle, or a smartphone token, which generates a unique one-time password that is either sent to, or generated by, an application on the user’s mobile phone. This is known as a possession factor.
- Something a user “is”: This typically involves a biometric reader that captures a uniquely personal physical characteristic, such as a fingerprint, iris or voice, and validates it against an enrolled sample. This type of authentication is known as an inherence factor.
While two-factor authentication can offer greater protection, there are two types of attacks (masquerade and session hijacking) that can undermine any type of authentication. A masquerade attack is exactly what it sounds like: an attack in which the attacker assumes a falsely claimed digital identity and thereby bypasses the authentication mechanism. Session hijacking, also known as TCP session hijacking, happens when an attacker surreptitiously obtains a session ID and takes control of an already authenticated session. Keep in mind that, given enough time and resources, no type of password encryption is infallible.
“At Fortinet, we believe the best way to keep a network and its end-users safe is to leverage technologies like two-factor authentication as part of a multi-layered security strategy. Adding two-factor authentication provides another layer of solid protection on top of any current security infrastructure,” said Eric Chan, Fortinet’s Regional Technical Director, Southeast Asia and Hong Kong.