The good news is that there are effective ways to foil enterprise Web-based email attacks. Probably the most straightforward strategy is to use two-factor authentication. It is often said that there are three factors of authentication:
- Something you have (e.g. a debit card or hardware token)
- Something you know (e.g. a password)
- Something you are (e.g. your fingerprint)
Password-protected Web email is an example of single-factor authentication (something you know). Since passwords are often remotely guessed or stolen, this is a fairly low-security method for restricting access.
For Web-based email, I recommend using at least two-factor authentication, such as RSA Security Inc.'s hardware SecurID token. These tokens fit in the palm of your hand and display a short numeric code that changes every minute. The sequence is derived from a secret seed inside the token, so a code an attacker observes is useless once its minute has passed, and the odds of guessing the current code at the right time are extremely small. The user generally also types in a personal PIN, combining the hardware token (something you have) with the PIN (something you know). There are many other ways to implement two-factor authentication, such as software-based authenticators or cell phone-based systems.
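To show how a time-based second factor works end to end, here is an added example (not code from the original article, and not RSA's proprietary SecurID algorithm): a standard RFC 4226 HOTP / RFC 6238 TOTP generator plus the server-side check that combines the one-time code with a PIN. The seed, user name and PIN are constructed demo values; the seed is the RFC test seed so the outputs can be checked against the published vectors.

```python
import hashlib
import hmac
import struct

# Constructed demo seed (the RFC 4226/6238 test seed). In practice a random seed
# is generated once per token and shared only with the authentication server.
DEMO_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current time step. The token
    and the server never talk to each other; they agree because both derive
    the counter from the clock."""
    return hotp(secret, unix_time // step, digits)


class TwoFactorVerifier:
    """Server side of the login: checks the PIN (something you know) and the
    one-time code (something you have). Tolerates +/- `drift_steps` of clock
    skew and never accepts a code from a time step it has already accepted,
    so a code captured from one login cannot be replayed."""

    def __init__(self, step: int = 30, drift_steps: int = 1):
        self.step = step
        self.drift_steps = drift_steps
        self._users = {}  # user -> (pin, seed, last accepted counter)

    def enroll(self, user: str, pin: str, seed: bytes) -> None:
        self._users[user] = (pin, seed, -1)

    def authenticate(self, user: str, pin: str, code: str, now: int) -> bool:
        record = self._users.get(user)
        if record is None:
            return False
        expected_pin, seed, last_counter = record
        pin_ok = hmac.compare_digest(expected_pin, pin)
        current = now // self.step
        matched = None
        # Check every candidate step without an early exit so that response
        # time does not reveal which step (if any) matched.
        for counter in range(current - self.drift_steps,
                             current + self.drift_steps + 1):
            if hmac.compare_digest(hotp(seed, counter), code) and counter > last_counter:
                matched = counter
        if not (pin_ok and matched is not None):
            return False
        # Remember the step so the same code is rejected if presented again.
        self._users[user] = (expected_pin, seed, matched)
        return True


if __name__ == "__main__":
    verifier = TwoFactorVerifier()
    verifier.enroll("alice", "4711", DEMO_SEED)   # constructed user and PIN
    now = 1000
    print("code for this step:", totp(DEMO_SEED, now))
    print("first use:", verifier.authenticate("alice", "4711", totp(DEMO_SEED, now), now))
    print("replay:   ", verifier.authenticate("alice", "4711", totp(DEMO_SEED, now), now + 5))
```

The replay check matters for webmail in particular: a code that was phished or sniffed a minute ago is worthless, but a code phished and relayed within the same time step would still work unless the server refuses to accept the same step twice. That is also why a brute-force guess is so unattractive: the attacker has one six-digit space per time step, and the lockout policy described next caps how many guesses fit into that window.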
You can also reduce the risk of brute-force webmail attacks by limiting login attempts (e.g. three failed logins in one minute results in a 15-minute lockout). This dramatically limits the number of guesses an attacker can make. Enforce a strong password policy so passwords are hard to guess, and audit account passwords regularly. Finally, if you have a password reset system, make sure the answers to its challenge questions cannot be found in public records or on social networking sites.
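The lockout rule above, implemented as an added example (not code from the original article): a sliding-window throttle that locks an account for 15 minutes after three failures within one minute, sitting in front of a salted PBKDF2 password check. The user name, password and timestamps are constructed demo values.

```python
import hashlib
import hmac
import os
from collections import deque


def make_password_record(password: str) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 digest; this is what the server stores."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return (salt, digest)


def check_password(record: tuple, password: str) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(digest, candidate)


# Hashed against when the account does not exist, so response time does not
# tell an attacker which user names are valid.
_DUMMY_RECORD = make_password_record("not a real password")


class LoginThrottle:
    """Sliding-window lockout: `max_failures` failed logins within `window`
    seconds lock the account for `lockout` seconds (3 in one minute -> 15 min)."""

    def __init__(self, max_failures: int = 3, window: int = 60, lockout: int = 15 * 60):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = {}      # account -> deque of recent failure timestamps
        self._locked_until = {}  # account -> unix time at which the lock expires

    def is_locked(self, account: str, now: int) -> bool:
        return self._locked_until.get(account, 0) > now

    def record_failure(self, account: str, now: int) -> bool:
        """Returns True if this failure triggered a lockout."""
        recent = self._failures.setdefault(account, deque())
        recent.append(now)
        # Drop failures that fell out of the window before counting.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def attempt_login(throttle: LoginThrottle, users: dict, account: str,
                  password: str, now: int) -> str:
    """Returns "locked", "denied" or "ok". The client should see the same
    generic failure for "locked" and "denied"; the distinction is for the log."""
    if throttle.is_locked(account, now):
        return "locked"
    record = users.get(account, _DUMMY_RECORD)
    ok = check_password(record, password) and account in users
    if not ok:
        throttle.record_failure(account, now)
        return "denied"
    throttle.record_success(account)
    return "ok"


# Constructed demo account.
USERS = {"alice": make_password_record("correct horse battery")}

if __name__ == "__main__":
    throttle = LoginThrottle()
    for t in (0, 10, 20):
        print(t, attempt_login(throttle, USERS, "alice", "wrong", t))
    print(30, attempt_login(throttle, USERS, "alice", "correct horse battery", 30))
    print(921, attempt_login(throttle, USERS, "alice", "correct horse battery", 921))
```

Two caveats a practitioner will want with any lockout rule. First, a per-account lockout can itself be turned against you: anyone who knows a user name can lock that user out by submitting three bad passwords, so log lockouts, alert on bursts of them, and consider throttling by source address as well. Second, a per-account lockout does nothing against an attacker who tries one common password against many accounts, which is why the strong password policy and regular password audits in the text are not optional extras.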
This was first published in July 2009