Two Factor Authentication

I spent last night installing the latest version of AuthAnvil and RWW-Guard on our network. Between the two, we now have a far more secure environment that enforces Two Factor Authentication (TFA) for access to critical accounts and resources. Normal Windows authentication is single factor authentication - your password. Now, if you use a really good, very long password, that's a reasonable level of security for most folks. But let's be honest - who really wants to type in a 20-character passphrase every time they log in, and keep changing it every few weeks? So, inevitably, we all tend to either go for a much shorter password or never change it (or, more likely, both). By adding an additional factor of authentication, we can increase security without materially increasing the pain for our users. Because, let's face it, users resist pain and find ways around it!

There are lots of kinds of TFA - some based on who you are (biometrics), some on what you know (additional query/response fields), and some based on what you have (token-based systems). And many based on combinations of those. With AuthAnvil, I have a little key fob token that generates a one time password (OTP) whenever I press the button. It stays visible for about 30 seconds, long enough to key it in. In addition to that one time password, I also have a personal PIN that I need to know. And, of course, my own Windows account name and password. If someone gets my password somehow, it does them no good at all - they don't have the token to generate the OTP. If they are looking over my shoulder when I type it in, I don't care! Use it once and it's never, ever, used again. And if, perish the thought, someone gets my token, knows my PIN, and knows my password? I can easily disable that token and it's now useless, except as a keychain. [:P]

What I really like about using an OTP token is that there is no way to fake my OTP. Biometrics are often used these days for TFA, and they have their proponents. But most biometric methods that ordinary folks have access to are easily fooled, as anyone who has watched Mythbusters knows! My OTP token can't be fooled. Yes, I can lose it, or have it stolen. But it's easily disabled, even remotely, and then I just have the annoyance of getting a new one. And without my PIN, the token is useless anyway.
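To make the mechanics of the two paragraphs above concrete, here is an added example (not AuthAnvil's code, whose token algorithm is proprietary and not described on this page) of a time-stepped one time password plus PIN scheme in Python. It assumes an RFC 4226 / RFC 6238 style HMAC-SHA1 OTP with a 30-second step, matching the "visible for about 30 seconds" behaviour described, and shows the three server-side properties the post relies on: the PIN and the OTP are both required, a code that has already been accepted is refused if replayed, and a disabled token is rejected outright. The user name, PIN and secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

STEP_SECONDS = 30   # each code is valid for one 30-second time step
DIGITS = 6          # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based OTP with RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """Time-based OTP: the counter is the number of steps since the epoch."""
    return hotp(secret, now // step)


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # The server stores a slow hash of the PIN, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class TokenRecord:
    secret: bytes
    salt: bytes
    pin_hash: bytes
    enabled: bool = True
    last_counter_used: int = -1   # highest time step already accepted


class OtpVerifier:
    """Server-side check: PIN + single-use OTP, with remote token disable."""

    def __init__(self) -> None:
        self._tokens: dict[str, TokenRecord] = {}

    def enroll(self, user: str, secret: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self._tokens[user] = TokenRecord(secret, salt, _hash_pin(pin, salt))

    def disable(self, user: str) -> None:
        # "I can easily disable that token": a lost fob stops working everywhere.
        if user in self._tokens:
            self._tokens[user].enabled = False

    def verify(self, user: str, pin: str, otp: str, now: int, window: int = 1) -> bool:
        rec = self._tokens.get(user)
        if rec is None or not rec.enabled:
            return False
        pin_ok = hmac.compare_digest(_hash_pin(pin, rec.salt), rec.pin_hash)
        counter = now // STEP_SECONDS
        matched = None
        # Tolerate a little clock skew, but never a step that was already used.
        for c in range(counter - window, counter + window + 1):
            if c <= rec.last_counter_used:
                continue
            if hmac.compare_digest(hotp(rec.secret, c), otp):
                matched = c
                break
        if not pin_ok or matched is None:
            return False
        rec.last_counter_used = matched   # burn the code: single use
        return True


if __name__ == "__main__":
    # Constructed sample enrollment (secret is the RFC 6238 test vector).
    seed = b"12345678901234567890"
    v = OtpVerifier()
    v.enroll("alice", seed, pin="4711")
    code = totp(seed, 59)
    print("first use:", v.verify("alice", "4711", code, now=59))    # True
    print("replay:   ", v.verify("alice", "4711", code, now=60))    # False
    v.disable("alice")
    print("disabled: ", v.verify("alice", "4711", totp(seed, 90), now=90))  # False
```

Two design points are worth noting. The shoulder-surfing argument in the post holds because `last_counter_used` advances on every successful login, so an observed code is dead the moment it is accepted. What this check does not do is bind the code to the site the user typed it into, which is exactly the man-in-the-middle point raised in the comments below; the single-use property limits the attacker to one session, it does not prevent that session.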

So, what's my number one gripe about AuthAnvil? No 64-bit support, so I can't use it for logins to my Ferrari. Yet. But Scorpion Software's Dana Epp has promised that it's actively being developed, and I'm hopeful we'll see it this fall. When we do, I'll move all my business to require it for all logins. Right now I'm limited to requiring it for remote logins, either by way of VPN or over Remote Web Workplace. But as soon as the 64-bit GINA (for Windows XP) and 64-bit Provider (for Windows Vista and Windows Server 2008) are available, I'll make the move.

So, if you're concerned about the security of your network, and especially of your remote users and the valuable information they have, you really should be using TFA. And AuthAnvil is an excellent form of TFA.


Follow-on: So, apparently Scorpion Software reads this blog, since they noticed our comments on AuthAnvil. That's nice, but they have a challenge for us - they want to hear from folks about the need for 64-bit. So, by all means, go on over to the Scorpion Software blog and let Dana know you want 64-bit support in AuthAnvil. And hey, I'll bet if a few folks actually place an order, that will shift his priorities quite quickly. [H]

3 Responses to Two Factor Authentication

  • mitmwatcher says:

    I was wondering if you might have heard of an active MITM attack which will lame all these OTPs. It is no great rocket science to automate this attack, as kits are found in the underground.

  • xperts64 says:

    While a theoretical Man in the Middle (MITM) attack is possible, it requires a phishing site that a user would be willing to use and that uses the same OTP mechanism. Not relevant or realistic to most (if any) corporate remote sites. Definitely something to think about with a commercial site, where it would need to be combined with additional layers of protection.

  • Matt says:

    Agree with xperts64 about MITM. Not relevant and not realistic to most (if any) corporate remote sites.

    Another great strong 2 factor solution is CAT (Cellular Authentication Token)™. The token is a Java application installed on the user's cell phone. The user enters a PIN and accesses the OTP on the cell phone. Multiple tokens can be installed on the one cellular device. Very simple to use and really convenient. A device the user virtually always carries with them.

    Once a hard token user has experienced CAT they would only reluctantly go back to the old hard token.