Two-factor authentication – Getting Security basics right
I have online accounts with many financial institutions and I do most of
my transactions online. Being a security-conscious user, I take all precautions
to use strong, different passwords and to manage them in a secure way. But
frankly, all this is too complicated. The fear of mismanaging the passwords, and
the possibility of your bank account being pilfered, remains.
Password-based authentication is past its use-by date. With the current advances
in technology and attacker skill, password authentication is like handing the
passbook to whoever mentions the account number (an unsophisticated but real-life
example from non-urban banking in India until a couple of years ago). I am not
going into the details of how a password can be cracked or otherwise learned. The
main problem is that once the password is known, the intruder's job is done: he
has uninterrupted access until the password is changed.
Two-factor authentication alleviates this by adding one more factor to the
authentication. Along with the password (something you know), you must provide
information based on something you have. One of my banks has given me a security
token that generates a unique number every time I press a key. I need to enter
this number along with my password to authenticate. So even if my password is
compromised, an intruder cannot log in, because he does not have the token and
cannot produce the current number. Each number is good for one login only, so a
number that has already been used is no longer of any value to him. Of course
there are various other ways to provide the second factor based on what you have
(a software token, a phone call, a code sent to a cell phone). The advantages are
the same.
Note that two-factor authentication is not a solution for man-in-the-middle or
Trojan attacks. Neither attack needs to know your password or token number in
advance: a man-in-the-middle relays whatever you type, including the one-time
number, to the real site while you are logging in, and a Trojan on your machine
can act inside the session after you have authenticated. These attacks, which
take place with the help of phishing, are the more active threats to worry
about. But that is a topic for another post.
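To make the two points above concrete (a token number is good for one login only, and a man-in-the-middle who relays the fresh number in real time is not stopped), here is an added example, not code from the post or from any bank. It assumes the token is an event-based one-time-password device of the RFC 4226 HOTP kind, which the post does not say: the token and the bank share a secret and a press counter, and the bank accepts a small look-ahead window of counters. The shared secret below is the RFC 4226 test-vector secret, chosen only so the numbers can be checked against the RFC; a real token is provisioned with a random one.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time password (RFC 4226 HOTP).

    HMAC-SHA1 over the big-endian 64-bit counter, dynamic truncation
    of the MAC, then the low `digits` decimal digits, zero-padded.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """The hardware token in the user's hand: a shared secret and a press counter."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        """Each key press yields the next number and advances the counter."""
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Verifier:
    """The bank's side: remembers the next counter it expects from this user."""

    def __init__(self, secret: bytes, look_ahead: int = 3) -> None:
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        # Accept a small window of future counters so that a press whose
        # number was never submitted does not lock the user out, but never
        # accept a counter at or below the last one used: that is what
        # makes each number single-use.
        for c in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1
                return True
        return False


def demo() -> dict:
    """Walk through the cases the post describes; returns outcome per case."""
    # RFC 4226 test-vector secret (constructed input); real tokens get a random one.
    secret = b"12345678901234567890"
    token = Token(secret)
    bank = Verifier(secret)
    results = {}

    first = token.press()
    results["genuine login"] = bank.verify(first)         # accepted
    results["replay of same code"] = bank.verify(first)   # rejected: counter moved on

    token.press()  # pressed but never submitted
    results["skipped press"] = bank.verify(token.press())  # accepted: within look-ahead

    # Man-in-the-middle: the attacker forwards the fresh number immediately.
    relayed = token.press()
    results["relayed in real time"] = bank.verify(relayed)     # accepted: 2FA cannot tell
    results["relayed code reused later"] = bank.verify(relayed)  # rejected: used once already
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28s} -> {'accepted' if ok else 'rejected'}")
```

The comparison uses `hmac.compare_digest` so that the check does not leak, through timing, how many leading digits of a guess were right. The "relayed in real time" case is the man-in-the-middle limitation in miniature: the bank sees a valid, never-used number and has no way to know it was typed into a phishing page rather than its own.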
In summary, by using two-factor authentication we are strengthening an
already existing security mechanism against a known threat (a stolen or guessed
password) and not really dealing with any new threats. That is exactly why
two-factor authentication has become the first step in any security
implementation.