High profile security breaches into cloud-based applications like GMail and Google Apps serve to remind us that when people and companies stores all their information “out there” then security measures are of critical importance.
In most cases the security breaches are “front door” attacks where a hacker has exploited a weak password or the password recovery process. “Security Breach” has many connotations: an insecure applications, unpatched servers, back-doors or inside jobs. But where a hacker exploits a weak password or a user’s use of a favourite password across multiple sites, who is to blame? Perhaps the only failing in such circumstances is that the application allowed a weak password, or rather that it used single-factor authentication.
The strength of an authentication mechanism can be judged on how many things it depends on. These factors can be grouped into:
- Things a user knows… username, email address, PIN and password.
- Things a user possesses… inbox, credit card, mobile phone, security token.
- Things only a user has… finger prints, voice, retina, face.
The number of groups involved in an authentication mechanism gives us the number of factors required to authenticate. For example, a passport relies on two factors: possession of the passport and that the person holiding the passport looks like the photograph in it (except a little older and fatter.)
The all too familiar combination of username and password is a single-factor authentication mechanism. It relies on only one group of things; things that a user knows. If I know your username and password, this is all I would need to authenticate myself as you. Banks and some other companies often use additional fields for authentication like PIN or address. Whilst these do make it more difficult to authenticate, this is still single-factor authentication.
Password Recovery
Most online services provide some form of self-service password reset or recovery function. The behavior we have come to expect is that a temporary password gets emailed to our inbox, or an email is sent that contains a link to a web page where we can enter a new password. Some low-security systems will email your actual password in clear text! In all cases, this makes the inbox central to accessing all our online identities. Own the inbox, and you most likely own all the accounts linked to it.
In the case of the Twitter Attack in July 2009, the attacker’s main point of entry was the password recovery process. Once the GMail account was compromised other services could be targeted. The other exploit relied on the user habit of reusing passwords across other sites.
Market Leaders
Two of the heavy weight cloud players have multi-factor authentication offerings. Amazon EC2 supports Multi-Factor Authentication using a time-based security token key-fobs supplied by Gemalto.
Security tokens use mathematical functions to create a difficult to predict sequence of numbers that are valid for a time period, usually 60 seconds. The sequence of numbers is only known to the security provider and is programmed into a key-fob issued to the user. As each number only lasts for a short period and the next number can only be computed using the secret formula you must be in possession of the key-fob and know the username and password to authenticate.
To add additional security to Google Apps, they have a solutions marketplace with a dedicated category for identity management add-ons. Solutions available include LDAP integration and security tokens.
Many banks and other financial service organizations are also starting to add additional layers of security to their Internet Banking services. The most common method are the time-based security tokens.
If you and your organization are planning to move parts of your IT into the cloud, or have already done so. Please consider the risks of single-factor authentication mechanisms. Remember that people are the weakest link. How will you ensure that your staff are using different passwords across all the different services and that those passwords are changed frequently?
Image source: plenty.r.
