Thursday, March 6, 2014

A Password is Not Enough, Part 2

Earlier this week I wrote about the limitations of passwords as a security measure. Based on a conversation with a reader though I believe it would be useful to write a somewhat less technical explanation.

A secret word (i.e. a password) is one way of limiting access to something (email, bank, club, etc.). If you don't know the secret, you don't belong - but a secret can be found out. In the physical world, a secret may be discovered by eavesdropping, or by someone sharing the secret. In the online world the password may be stolen by viruses and other malware, or through digital eavesdropping. So while a strong password is a good start, by itself a password could be compromised.

Multifactor authentication is combining a secret with something else - often a smartphone or a keycard. If an attacker steals the password, it does them no good unless they also have the cellphone, or keycard, or whatever the second factor is. Granted a determined adversary may still overcome this hurdle, but it is exponentially harder than simply stealing a password.

Note that a second secret (such as the "password reset questions" that some websites ask you to set up) is not the same thing as multifactor authentication. If one secret can be found out, so can another (especially if the second secret is something easy to lookup, such as your mother's maiden name or the elementary school you attended). True multifactor authentication means something from at least two of the following categories: something you know (such as a password); something you have (such as a cellphone or a key); and something you are (such as a fingerprint or a retina scan).

Now that you know what multifactor authentication is, go back to my original post and see how it is implemented by a handful of popular online services!

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at), or hit me up on Twitter at @dnlongen

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.