I have online accounts with many financial institutions and I do most of my transactions online. Being a security-conscious user, I take all precautions: I use strong and different passwords and manage them in a secure way. But frankly, all of this is too complicated. The fear of mismanaging the passwords, and the possibility of your bank account being pilfered, remains.
Password-based authentication is past its use-by date. With the current advances in technology and skills, password authentication is like handing the passbook to whoever mentions the account number (an unsophisticated but real-life example from non-urban banking in India until a couple of years ago). I am not going into the details of how a password can be cracked or learned by others. The main problem is that once the password is known, the intruder's job is done and he has uninterrupted access.
Two-factor authentication alleviates this by adding one more factor for authentication. Along with the password (which you know), you need to provide information based on what you have. One of my banks has given me a security token which generates a unique number every time I press a key. I need to enter this number along with the password for authentication. So even if my password is compromised, an intruder cannot log in, as he does not have this token and cannot supply the unique number. Of course there are various other ways to provide the second factor based on what you have (software-based token, phone, cell phone). Again, the advantages are the same.
Note that two-factor authentication is not a solution for man-in-the-middle or Trojan attacks. Neither of these attacks needs your input of the passwords or unique numbers. These attacks, which take place with the help of phishing, are the more active threats to be worried about. But that is a topic for another post.
In summary, by using two-factor authentication we are just strengthening the already existing security mechanism against a known threat, not really dealing with any new threats. In that sense, two-factor authentication has become a first step in any security implementation.