Two Factor Authentication
I spent last night installing the latest version of AuthAnvil and RWW-Guard on our network. Between the two, we now have a far more secure environment that enforces Two Factor Authentication (TFA) for access to critical accounts and resources. Normal Windows authentication is single-factor authentication: your password. Now, if you use a really good, very long password, that's a reasonable level of security for most folks. But let's be honest: who really wants to type in a 20-character pass-phrase every time they log in, and keep changing it every few weeks? So, inevitably, we all tend to either go for a much shorter password or never change it (or, more likely, both). By adding an additional factor, we can increase security without materially increasing the pain for our users. Because, let's face it, users resist pain and find ways around it!
There are lots of kinds of TFA: some based on who you are (biometrics), some on what you know (additional challenge/response questions), and some based on what you have (token-based systems). And many are combinations of those. With AuthAnvil, I have a little key fob token that generates a one-time password (OTP) whenever I press the button. It stays visible for about 30 seconds, long enough to key it in. In addition to that one-time password, I also have a personal PIN that I need to know. And, of course, my own Windows account name and password. If someone gets my password somehow, it does them no good at all: they don't have the token to generate the OTP. If they are looking over my shoulder when I type it in, I don't care! Use a code once and it's never, ever, accepted again. And if, perish the thought, someone gets my token, knows my PIN, and knows my password? I can easily disable that token and it's now useless, except as a keychain.
What I really like about using an OTP token is that the code can't be forged: without the secret inside the token, nobody can compute the next one. Biometrics are often used these days for TFA, and they have their proponents. But most biometric methods that ordinary folks have access to are easily fooled, as anyone who has watched Mythbusters knows! My OTP token can't be fooled that way. (The one thing an OTP on its own doesn't stop is a real-time relay, where a phishing page forwards a freshly typed code to the real login before it has been used; that's why you only ever type the code into the genuine VPN or RWW login page.) Yes, I can lose the token, or have it stolen. But it's easily disabled, even remotely, and then I just have the annoyance of getting a new one. And without my PIN, the token is useless anyway.
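To make the two preceding paragraphs concrete, here is an added example (my own code, not AuthAnvil's or Scorpion Software's) of how a button-press OTP token plus a PIN is typically verified on the server. It assumes the token is an event-based OATH HOTP device (RFC 4226, HMAC-SHA1 over a counter); whether AuthAnvil's fob works exactly that way is an assumption, not something stated in the post. The simulated fob, the user "alice", the PIN "4242" and the demo secret (the RFC 4226 test key) are all constructed for the demo. It shows the three properties described above: a code is accepted at most once, a code skipped because you pressed the button twice is still usable (look-ahead window), and disabling the record makes the token useless.

```python
"""Event-based OTP (RFC 4226 HOTP) plus PIN, with server-side replay rejection.
Added example for illustration; not AuthAnvil's code.  The HOTP-style token is
an assumption about how the fob works."""
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


class KeyFob:
    """Simulated button-press token: each press advances the counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = -1

    def press(self) -> str:
        self.counter += 1
        return hotp(self.secret, self.counter)


@dataclass
class TokenRecord:
    secret: bytes
    pin: str
    last_counter: int = -1      # highest counter value already accepted
    enabled: bool = True


class TokenServer:
    """Server side: PIN check, look-ahead window for skipped presses, and a
    counter that only moves forward, so an accepted code can never be reused."""

    def __init__(self, look_ahead: int = 8):
        self.look_ahead = look_ahead
        self.records: dict[str, TokenRecord] = {}

    def enroll(self, user: str, secret: bytes, pin: str) -> None:
        self.records[user] = TokenRecord(secret, pin)

    def disable(self, user: str) -> None:
        """Lost or stolen fob: the record stays but nothing verifies."""
        self.records[user].enabled = False

    def verify(self, user: str, pin: str, otp: str) -> bool:
        rec = self.records.get(user)
        if rec is None or not rec.enabled:
            return False
        pin_ok = hmac.compare_digest(pin.encode(), rec.pin.encode())
        # Only counters strictly above the last accepted one are candidates,
        # so a code that was already used (or is older) is never valid again.
        matched = None
        for c in range(rec.last_counter + 1, rec.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(rec.secret, c).encode(), otp.encode()):
                matched = c
                break
        if not pin_ok or matched is None:
            return False            # both factors are evaluated before failing
        rec.last_counter = matched
        return True


def scenario() -> dict:
    """Constructed walk-through of the cases the post describes."""
    secret = b"12345678901234567890"            # RFC 4226 test key, demo only
    server = TokenServer(look_ahead=8)
    fob = KeyFob(secret)
    server.enroll("alice", secret, "4242")
    results = {}
    code1 = fob.press()
    code2 = fob.press()                         # pressed twice, first code never typed
    results["skip_ahead"] = server.verify("alice", "4242", code2)      # True
    results["replay"] = server.verify("alice", "4242", code2)          # False: used once
    results["stale"] = server.verify("alice", "4242", code1)           # False: older than last accepted
    results["wrong_pin"] = server.verify("alice", "0000", fob.press()) # False: PIN is required
    results["good"] = server.verify("alice", "4242", fob.press())      # True
    server.disable("alice")
    results["disabled"] = server.verify("alice", "4242", fob.press())  # False: token disabled
    return results


if __name__ == "__main__":
    print(scenario())
```

The look-ahead window is what makes the fob tolerant of accidental presses without letting an attacker guess freely: a six-digit code guessed within an 8-counter window is still only about 8 in a million per attempt, and a real deployment would also lock the account after a handful of failures. The counter only ever moves forward, which is the property behind "use it once and it's never accepted again".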
So, what's my number one gripe about AuthAnvil? No 64-bit support, so I can't use it for logins to my Ferrari. Yet. But Scorpion Software's Dana Epp has promised that it's actively being developed, and I'm hopeful we'll see it this fall. When we do, I'll move all my business to require it for all logins. Right now I'm limited to requiring it for remote logins, either by way of VPN or over Remote Web Workplace. But as soon as the 64-bit GINA (for Windows XP) and 64-bit credential provider (for Windows Vista and Windows Server 2008) are available, I'll make the move.
So, if you're concerned about the security of your network, and especially of your remote users and the valuable information they carry, you really should be using TFA. And AuthAnvil is an excellent form of TFA.
Follow-on: So, apparently Scorpion Software reads this blog, since they noticed our comments on AuthAnvil. That's nice, but they have a challenge for us: they want to hear from folks about the need for 64-bit. So, by all means, go on over to the Scorpion Software blog and let Dana know you want 64-bit support in AuthAnvil. And hey, I'll bet if a few folks actually place an order, that will shift his priorities quite quickly.