Widespread authentication catches on
Google, Facebook and Amazon add two-factor ID
24 March, 2011
category: Digital ID, Library
Since its launch in January 1996, millions of organizations have switched to Google Apps. 30 million users now depend on the messaging and collaboration tools that make up the Google Apps suite.
Google Apps is a suite of Web-based applications (email, calendar, word processing and spreadsheets) comparable to those found in traditional office software bundles.
PhoneFactor, a provider of phone-based multi-factor authentication, believes more companies would convert to these cloud-based applications if they were confident in the security measures available.
Cloud computing can enable a company to save money on IT expenses by reducing software and hardware purchases. But in a recent survey conducted by PhoneFactor, cloud services including Google Apps, Amazon Web Services and Salesforce were rated only moderately secure or worse by three-quarters of respondents.
To meet this demand for stronger security, and for multi-factor authentication in particular, Google announced at its annual European cloud computing event that two-step verification is now available for Google Apps accounts, aimed mainly at business environments.
For Google Apps Premier, Education and Government Editions, administrators can now secure user logins with a combination of the conventional username and password plus a one-time verification code delivered to the user's mobile phone.
According to Google, this adds an extra layer of security against risks like phishing scams and password reuse. Once users enroll in two-step verification, they can choose whether to receive the verification code as an automated text message or as a phone call. Users with smartphones can also download the Google Authenticator app, available for Android, BlackBerry and iPhone, which generates verification codes without a network connection.
Either way, the next time the user signs in to their Google account from a new browser or device, they enter their usual username and password and are then prompted for the one-time verification code. Users can check “Remember verification for this computer” to skip the code for 30 days on that specific browser.
“The two-step verification process helps protect a user’s account from unauthorized access should someone manage to obtain his or her password,” says Google. “Even if a password is cracked, guessed, or otherwise stolen, an attacker can’t sign in without access to the user’s verification codes, which only the user can obtain via their own mobile phone.” Google says the feature will be added to Google Apps Standard Edition as well as individual Google user accounts in the coming months.
“We think phone authentication is going to be the dominant authentication going forward,” says Steve Dispensa, co-founder and chief technical officer at PhoneFactor. “So we’re happy to see Google embracing it.”
PhoneFactor offers a two- or three-step authentication system for cloud computing sites. The first two factors are a password and a phone. The third factor is a biometric voiceprint. Users type in their username and password, then their phone rings and they are prompted to speak their pass phrase. The system validates the pass phrase itself and also checks that it was the authorized user who spoke it.
In the PhoneFactor study, more than 300 information technology professionals from a wide variety of industries were surveyed about their organizations’ current and planned use of cloud computing, the benefits they expect from making the change and what is holding them back.
Results indicated a major interest in cloud computing because of the cost and scalability, but an equally strong fear about whether security in the cloud would be adequate. “The interest is definitely there, but 42% of respondents said that security had really stopped them, prevented them from adopting cloud computing,” Dispensa says. “We heard that echoed in the user comments that we collected toward the end of the survey as well.”
The security necessary for cloud computing isn’t typical either. “It goes beyond the traditional ‘put up a firewall and run a virus scanner,’” says Dispensa. “You really have to trust your cloud service provider to take a couple extra steps beyond that, keeping cloud services clean not only of traditional viruses but also things like cross-site scripting and SQL injection attacks, all of which seem to haunt so many Web-based cloud service providers.”
When asked what security measures were critical to securing the cloud, 81% of respondents cited multi-factor authentication. “A lot of people are in regulated environments that literally require the use of multi-factor authentication, so a cloud-based application that doesn’t offer multi-factor is just off the table,” Dispensa says. “But even if you’re not in an environment where you have an explicit regulation to use multi-factor authentication, clearly the industry best practice today includes multi-factor for any kind of remote access.”
Software exists that is explicitly designed to watch Web sites and steal users’ passwords as they log in. A piece of malware can sit on the machine and grab a password as it is typed on the keyboard. “That’s not an unknown, that’s not a theoretical attack,” Dispensa says. “That attack is costing online banking providers, for example, just millions of dollars a year in losses.”
Facebook adds OTP option
Facebook, too, has recognized the need for stronger authentication. The popular social networking site unveiled a new service that supplies users with one-time passwords for temporary login needs.
“We’re launching one-time passwords to make it safer to use public computers in places like hotels, cafes or airports,” says Jake Brill, Facebook product manager. Users simply text “OTP” (one-time password) to the number 32665 on their mobile phone, and they’ll receive a randomly generated, temporary password.
The password can only be used once and expires after 20 minutes. At that point the account reverts to the original password. This means that if a public computer is infected with password-stealing malware, all that is lost is a temporary password that cannot be used again.
The feature is currently offered only in the U.S., but Facebook says it is rolling the feature out gradually and it should be available worldwide in the near term.
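The server-side logic behind a temporary password like the one described above is small: generate a random code, store only a salted hash of it together with an expiry time, accept it once, and fall back to the regular password when it has been used or has expired. The following Python block is an added example, not Facebook's code. The 8-character code format, the PBKDF2 hashing and the `send_sms` callback (which stands in for the SMS channel) are assumptions, since the article does not describe the implementation; all inputs are constructed.

```python
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 20 * 60  # temporary password lifetime: 20 minutes, as the article describes
PBKDF2_ROUNDS = 50_000     # assumption: any slow password hash would do here


def _hash(value: str, salt: bytes) -> bytes:
    """Salted slow hash, so a leaked user table reveals neither passwords nor live temporary codes."""
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash(password, self.salt)
        self.otp = None  # (hash_of_code, expires_at) for the single outstanding temporary password


def issue_otp(account: Account, now: float, send_sms) -> str:
    """Create a fresh temporary password, keep only its hash, and pass the plaintext to the SMS channel.

    Assumption: 8 URL-safe characters; the article does not specify the format.
    Issuing a new code replaces any earlier unused one. The plaintext is returned
    only so a caller can confirm what was sent; it is never stored.
    """
    code = secrets.token_urlsafe(6)  # 6 random bytes -> 8 characters
    account.otp = (_hash(code, account.salt), now + OTP_TTL_SECONDS)
    send_sms(code)
    return code


def login(account: Account, supplied: str, now: float):
    """Return "password", "otp" or None, depending on which credential (if any) matched."""
    candidate = _hash(supplied, account.salt)
    if hmac.compare_digest(candidate, account.password_hash):
        return "password"  # the regular password keeps working at all times
    if account.otp is not None:
        otp_hash, expires_at = account.otp
        if now >= expires_at:
            account.otp = None  # expired: the account reverts to the regular password only
            return None
        if hmac.compare_digest(candidate, otp_hash):
            account.otp = None  # single use: the code is consumed by its first successful login
            return "otp"
    return None


if __name__ == "__main__":
    # Constructed walk-through: a code captured by malware on a public machine is useless after one use.
    outbox = []
    acct = Account("correct horse battery")
    code = issue_otp(acct, now=0, send_sms=outbox.append)
    print("first use:", login(acct, code, now=600))    # otp
    print("replay:", login(acct, code, now=601))       # None
```

Because the code is compared through the same salted hash as the password, a captured temporary password yields nothing after the first login, and an attacker who steals the database still has to brute-force a high-entropy value within its 20-minute window.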
Amazon Web Services goes key fob route
Users of Amazon Web Services can now add an additional layer of security in the form of a physical OTP token. In addition to the standard login credential, users must enter a valid six-digit, single-use code from the hardware device before access is granted.
Endorsed by Amazon Web Services, leading digital security company Gemalto is offering its Ezio Domino key fob. The user simply presses a button on the Time Token and a unique six-digit, one-time password is displayed. The generated password is only good for one access attempt within a short time interval.
“Cloud computing and Web services are experiencing strong adoption within enterprise accounts,” says François Lasnier, vice president and general manager of Gemalto’s North American security business unit, “and it is essential to ensure only appropriate users are gaining access.”
At each login, access is granted only after the correct combination of Amazon e-mail ID, password and the code from the authentication device is provided. This multi-factor authentication combines something the user knows (e-mail address and password) with something the user has (the authentication device), so that only authorized users can access the AWS account.
[Figure: Primary barriers to adoption of cloud services. Source: 2010 Cloud Computing Survey, PhoneFactor]