Two-factor authentication, vigilance foil password theft

By Eric Ogren
04 Nov 2009 | SearchSecurity.com



The state of the art in static password protection policies has left some specialists questioning the usefulness of current password policies.

It's going to take new measures -- a mixture of technology and policy -- to hold users more accountable while addressing new attack methods and the automated connectivity of Web 2.0 behavior.

Traditional password protection policies, such as those described by Jeremiah Grossman, one of the industry's top researchers at WhiteHat Security Inc., can be implemented to reduce the risk of an intruder impersonating a user. However, even if the password policy works, it is often unacceptable for IT to disable accounts after a number of bad logon attempts. The business often relies on out-of-wallet questions to avoid expensive help desk calls and a security investigation.

End users are also storing passwords in their browsers for automatic logon and those passwords are often used for multiple accounts in different businesses. The result is an organization that is dependent on another organization's security program to protect a password.

Making matters even more difficult for IT is the changing nature of the threat landscape. Attackers are finding it more effective to harvest passwords from keystroke loggers, Trojans or phishing scams.

Two-factor authentication through the use of mobile phones or tokens for high-value, off-premise or privileged accounts is one direction an enterprise can take. Two-factor authentication, which usually involves a physical device in addition to knowledge of a password/PIN secret, works because the authentication credential is enormously difficult to guess and the user can report the loss of the device, leading to a security reset of the account credentials. An enterprise that uses single sign-on for critical application remote access, but does not rely on a form of two-factor authentication and instead entrusts the keys to the kingdom to a single password, has an irresponsible security policy.

Organizations should also be proactively auditing account activity for signs of break-in attacks, including failed logon attempts, concurrent logons and logons at strange hours. Irregular logon activity may indicate an attack in progress (valid username, invalid password) or a potentially compromised password. A simple phone call or email exchange with the affected end user will confirm acceptable user access or a security incident, in which case IT can take corrective actions with the account credentials and launch a security investigation to determine the extent of the breach.
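As an added illustration of the audit described above (example code written for this page, not the column's own), the following Python flags the three signals the paragraph names over a few constructed log lines; the log format, the thresholds and the working-hours window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article): "timestamp user result source_ip"
SAMPLE_LOG = """\
2009-11-04T02:13:05 alice FAIL 203.0.113.7
2009-11-04T02:13:09 alice FAIL 203.0.113.7
2009-11-04T02:13:14 alice FAIL 203.0.113.7
2009-11-04T02:13:20 alice FAIL 203.0.113.7
2009-11-04T02:13:27 alice OK 203.0.113.7
2009-11-04T09:05:00 bob OK 198.51.100.20
2009-11-04T09:07:30 bob OK 192.0.2.55
2009-11-04T14:00:00 carol OK 198.51.100.21
"""

def parse(log_text):
    """Parse the assumed space-separated format into (time, user, result, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, result, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, result, ip))
    return events

def audit(events, fail_threshold=3, fail_window=timedelta(minutes=5),
          concurrent_window=timedelta(minutes=10), work_hours=(7, 19)):
    """Return {user: sorted alert names}; thresholds are assumed values for illustration."""
    alerts = defaultdict(set)
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    for user, evs in by_user.items():
        evs.sort()
        fails = [e for e in evs if e[2] == "FAIL"]
        oks = [e for e in evs if e[2] == "OK"]
        # Signal 1: a burst of failed logons (valid username, invalid password)
        for i, f in enumerate(fails):
            if sum(1 for g in fails[i:] if g[0] - f[0] <= fail_window) >= fail_threshold:
                alerts[user].add("failed-logon-burst")
                break
        # Signal 2: successful logons close together from different source addresses
        for i, a in enumerate(oks):
            for b in oks[i + 1:]:
                if b[0] - a[0] <= concurrent_window and b[3] != a[3]:
                    alerts[user].add("concurrent-logon")
        # Signal 3: successful logon outside the assumed working-hours window
        for e in oks:
            if not (work_hours[0] <= e[0].hour < work_hours[1]):
                alerts[user].add("off-hours-logon")
    return {u: sorted(a) for u, a in alerts.items()}
```

Each flagged user is a candidate for the confirmation call or email the column recommends, not an automatic lockout.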

Security organizations are defending passwords on multiple fronts, while acknowledging that 100% security is unattainable. Endpoint security software has to detect and block keystroke loggers and Trojans to protect passwords. A user responsibly writing down passwords and prohibiting Web browsers from automating logons also reduces the security risk.

The most effective protection is constant vigilance to identify suspicious logon activity.


Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to eric@ogrengroup.com.
