Date: Jun 06, 2012
Aseem Asthana, Director of Product Management, Celestix
The spate of bad security news continues unabated. This morning about 6.5 million LinkedIn passwords were reportedly stolen. The file containing the passwords was posted on a web site. While most of the passwords were secured using a one-way hash, with fast machines and a brute force approach it is possible to recover them.
For users, this is pretty bad on a number of fronts. At the least, our LinkedIn information is vulnerable to unauthorized use. However, most people have only a few passwords and reuse them across different sites. This means that anyone who has your password can potentially misuse it on other popular sites like Facebook, Gmail, Groupon or, worse, your bank.
For application developers this is a sign to think about security from the ground up – not that another one is needed. Passwords are vulnerable since users write them down or, worse, reuse them. There is nothing that can be done to change that basic aspect of human nature. However, it means that even if the passwords are NOT stolen from your site, hackers will try to use passwords they might have gotten from another website – compromising your users' security. So what can you do to prevent losses and secure your users? Augment the password (something the user knows) with something they have – like a security token, or a One Time Password (OTP) that is generated from a unique code.
With two-factor authentication, your users will have to enter their regular password as well as the OTP. So even if a user's password is compromised, the hacker won't be able to use it since they won't have the OTP. If the hacker tries to use a password obtained from another site on your site, you would still be protecting your users since your site would require a second form of authentication. Now you might be wondering if this is any good, since the users will have to carry a special device to generate the OTPs. Tokens can be generated on smartphones, so users don't have to carry any additional devices.
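The two-factor login described above, as an added example that is not part of the original post and not Celestix's HOTPin code: the OTP is an event-based HOTP (RFC 4226, HMAC-SHA1 over a counter), the password is stored as a salted PBKDF2 hash, and the server accepts a code from a small look-ahead window of counters and then advances past it so a captured code cannot be replayed. The account data, secret and look-ahead size are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Account:
    """Constructed server-side record: salted password hash plus the
    per-user OTP secret and the next counter the server expects."""

    def __init__(self, password: str, otp_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.otp_secret = otp_secret
        self.counter = 0

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.pw_hash)

    def check_otp(self, code: str, look_ahead: int = 5) -> bool:
        """Accept the code if it matches any of the next `look_ahead` counters
        (the user may have generated codes without submitting them). On success,
        move the counter past the used value so the same code is rejected later."""
        for i in range(look_ahead):
            if hmac.compare_digest(hotp(self.otp_secret, self.counter + i), code):
                self.counter += i + 1
                return True
        return False


def login(account: Account, password: str, code: str) -> bool:
    """Both factors must pass. A stolen password alone fails at the OTP step,
    and a wrong password never consumes an OTP counter value."""
    if not account.check_password(password):
        return False
    return account.check_otp(code)
```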
Protecting logins with two-factor authentication is a secure way to protect passwords and to ensure that stolen passwords cannot be reused on your website or application.
Celestix Networks is the leader in two-factor authentication, with support for generating tokens on all smartphones, desktops and laptops, as well as hard tokens when needed. Contact us to learn more about Celestix HOTPin.