2 Factor 2 Furious: dive into 2 Factor Authentication
Mo’ Passwords, Mo’ Problems
The hackers are coming for you. For your data, for your systems, and for your money. You have proper password requirements without dumb restrictions on allowed characters or maximum length. You are salting and iterating hashes like there is no tomorrow. Then a user logs into their email on a friend’s infected computer or has their credentials stolen from a dating site, and all of your hard work is meaningless.
But do not despair. What if I told you there was a way to add another level of verification? What if there was a way to know the person logging in had a specific, physical piece of hardware and was probably not a hacker? Welcome, my friend, to 2 Factor Authentication.
Forget about those terrible banking sites that required a second password, usually posing as the linguistically awkward “PIN Number” (terrible icing on a cake of insecurity). With today’s cheap embedded crypto hardware and a smartphone in every pocket, stepping up your security game has never been easier.
Now, don’t think I’m giving you keys to a hacker-proof kingdom. Many 2 factor solutions (such as one time passwords) are vulnerable to man-in-the-middle attacks, as well as any implementation bugs you may have created out of boredom or a callous disregard for authority and documentation. You should take all the standard security precautions such as peer-reviewed code, avoiding wheel reinvention, and getting a tattoo of Bruce Schneier.
Waiting by the phone
SMS makes for simple and easy 2fac. Send your user a text message with a random one time password (OTP), and you will be fairly sure that the person logging on is in possession of the user’s cell phone. It will cost you a few cents per login to send the messages, but there is no equipment cost for you and almost everybody will have the required hardware. There are plenty of libraries, plugins, services, and opportunities for poor home grown solutions to protect your systems.
The downside to SMS is the lack of integration if you are securing multiple systems. Instead of a single provider, you have a mish-mash of different implementations.
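To make the "random one time password" part concrete, here is an added example (not code from the original post) of the server side of an SMS OTP flow: the code is drawn from a CSPRNG, only a keyed hash of it is stored, and it expires, is single-use and locks after a handful of wrong guesses. The `SmsOtpStore` class, the in-memory dict and the server key are constructed for this illustration; actually sending the text message is left to whatever SMS provider you use.

```python
import hashlib
import hmac
import secrets

OTP_DIGITS = 6          # length of the code sent by SMS
OTP_TTL_SECONDS = 300   # a code is good for five minutes
MAX_ATTEMPTS = 5        # wrong guesses allowed before the code is burned


class SmsOtpStore:
    """Server-side record of issued SMS codes (constructed example; a dict stands in
    for a database). Only an HMAC of each code is stored, so a leaked row does not
    hand an attacker a live code."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._pending = {}   # user_id -> (digest, expires_at, attempts_left)

    def _digest(self, user_id: str, code: str) -> bytes:
        # Bind the digest to the user so a code issued to one account is useless on another.
        return hmac.new(self._key, f"{user_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user_id: str, now: float) -> str:
        """Generate a fresh code with the secrets module (never random.random) and
        remember its digest. The caller sends the returned code by SMS. Issuing a new
        code replaces any code still pending for that user."""
        code = str(secrets.randbelow(10 ** OTP_DIGITS)).zfill(OTP_DIGITS)
        self._pending[user_id] = (self._digest(user_id, code), now + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        return code

    def verify(self, user_id: str, candidate: str, now: float) -> bool:
        """True exactly once for the live code; False for unknown user, expired code,
        exhausted attempts or a wrong guess."""
        record = self._pending.get(user_id)
        if record is None:
            return False
        digest, expires_at, attempts_left = record
        if now > expires_at or attempts_left <= 0:
            self._pending.pop(user_id, None)   # dead code: drop it and make the user request another
            return False
        # Constant-time comparison so response timing does not leak how many digits matched.
        if hmac.compare_digest(digest, self._digest(user_id, candidate)):
            self._pending.pop(user_id, None)   # single use
            return True
        self._pending[user_id] = (digest, expires_at, attempts_left - 1)
        return False


if __name__ == "__main__":
    import time
    store = SmsOtpStore(secrets.token_bytes(32))
    code = store.issue("alice", time.time())
    print("send by SMS:", code)
    print("first check:", store.verify("alice", code, time.time()))    # True
    print("replayed:   ", store.verify("alice", code, time.time()))    # False
```

The attempt limit matters as much as the randomness: a six-digit code has only a million possibilities, so without a cap on guesses an attacker who can hit the verify endpoint freely would eventually land on it.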
There’s an app for that
Mobile app 2fac is so hot right now. Known as Time-Based One Time Passwords (TOTP), an app generates a new 6 digit token every 30 seconds. With Google Authenticator or its open source fork FreeOTP (and many other apps), your users point their phone’s camera at a QR code and the app is completely configured. Since these apps are based on open standards like RFC 6238 and not being a jerk, compatibility is broad. There are auth plugins for every language you could possibly be working with, integrations on cloud services such as GitHub and AWS, as well as SSH and VPN servers.
These are a great choice to secure all of your business systems with a single solution. If you want to move up to the big-leagues with enterprise management and security scans of your employee devices, you should look at Duo Mobile.
The key was in your USB port all along
If you are securing a lot of company systems requiring employees to log in several times a day, you should look at hardware devices to make things more convenient. My work for the big blue social network has me tapping a YubiKey Nano constantly. This is a tiny dongle that hides in my USB port with only a metal loop peeking out. When prompted, I tap the metal loop and an OTP is entered as if I typed it myself.
The YubiKey also implements FIDO U2F. This is a challenge-response protocol that is resistant to man in the middle attacks if your users are on Chrome (or a native app that supports U2F). It also supports message signing through OpenPGP and other nifty extras like enterprise management.
These dongles are expensive (starting at $50), but they are so convenient that you can make 2fac pervasive without a user revolt. I highly recommend them for any company that can afford the price.
Now that you have a better idea of your options, go out there and defend your systems. With great options ranging from free to enterprise-ready, there is no excuse for falling victim to a list of leaked passwords.