After companies like Google, Blizzard and others made the decision to protect their user accounts with direct two-step (really two-factor) authentication we saw a rise in the use of this technology in the consumer market. TFA (Two-Factor Authentication) has been around for a very long time and has been used to ensure security for corporate networks that utilize VPN (Virtual Private Network) connections. TFA helps to remove the possibility that someone has picked up a mobile device (stolen or lost laptop etc.) and is trying to get into the network using a user’s account. This type of security was typically accomplished using an issues RSA security token. A user would get a challenge number (4-6 digits) and was required to type that in to their token to get the proper response. This type of technology was and still is expensive. Because of this it was not viable for the consumer market not to mention that most internet users were not storing as much information on cloud services as they are now which made the need for this very small.
In a fortuitous event Blizzard became an instrument of change when they launched World of Warcraft. Shortly after the launch they experienced a rather large number of user account hacks. These hacks prompted Blizzard to invest in technology (inexpensive technology) that would allow their users to establish an extra step in logging into their accounts. The technology is pretty simple, when you establish the account you setup a shared secret between you and your authenticator (either an application on a mobile device or a standalone product) this secret is used to generate continually expiring random numbers. When you log in the authentication serves will ask you to input the current number, if this number matches the current number you can get it, if not you are denied.
The technology is so simple (and cheap) that we are surprised that other companies did not follow suit rapidly. Unfortunately only Google picked up the torch for the first couple of years. We saw other third party companies the developed solutions (like Yubico) and made them much more affordable, but integration with common online services was not that common. This left things very open and actually insecure until a few… let’s say more public individuals had their twitter, Facebook, Gmail and other accounts hacked. This final straw has pushed many companies to make the changes they should have years ago so now we are finally seeing Microsoft and Twitter move to the same type of two-step authentication that Google has had for a while.
Why this has taken so long is a mystery to us especially as we hear claims about how much more secure the cloud is. There is no way that the cloud can be secure at all if user accounts are left vulnerable to weak passwords and key loggers. The only reason that we can think of is cost, but that is really no excuse as the cost is relatively minor compared to other security technologies so we will not buy that as an excuse this time. For now as more companies begin using even basic two-step (factor) authentication things will begin to calm down… at least until the bad guys start targeting the systems that run the authentication services. At that point we are back to square one…
Tell us what you think in our Forum