Is your password putting you at risk?

One major cause of data breaches is the stolen password. Once hackers have an email address and password, a world of possibilities is open to them. The dangers are not limited to the account they have access to. The hackers’ next steps usually include not only selling the details to other criminals but also “credential stuffing”: taking the login details for one account and trying them on others. Imagine if your ISP account was hacked – your work email, online shopping and other accounts most people possess would be targeted.

Companies would do well to introduce Two Factor or Multi-Factor Authentication to protect their employees’ and customers’ digital identities. Put simply, this requires another authentication criterion to be satisfied before granting access to a site or account. Many large corporates are turning to 2FA to help de-risk their customers’ exposure to data theft. Sony PlayStation, Apple, Instagram, and Gmail all offer this additional security measure.

Simply put, Two Factor Authentication requires two out of three regulatory-approved authentication variables, such as:

  • Something you know (such as an email password).
  • Something you have (the physical bank card or an authenticator token, which can be hardware or digital).
  • Something you are (biometrics like your fingerprint or iris pattern).

The majority of attacks come from remote connections, and 2FA can make distance attacks much less of a threat: obtaining a password is no longer sufficient for access, and it is unlikely that the attacker would also possess the physical device associated with the user account. Take the Dropbox account holder hack, for example. Hackers are unlikely to take your credentials and use them successfully on a second website if they are asked to provide a unique one-off code. It’s just too much work for them unless the gains are incredibly high. Each additional authentication factor makes a system more secure. Because the factors are independent, compromise of one account should not lead to the breach of others.

If your employer has a significant online presence, I would urge them to explore the potential gains of 2FA. Of course KeyIdentity offers multiple solutions here, but irrespective of vendor the key principle is that passwords alone are insufficient to provide adequate safeguards in the face of threats that are expanding in scope and volume. Authentication should be able to perform whether you are online or offline, and in a way that minimises user disruption. One of my favorite examples is Blizzard, the company that creates games such as World of Warcraft and Diablo, which has a free authenticator, and it seems to work very effectively.

To sum up, if you want to avoid data about yourself, your company or organization and your customers being accessed:

  • Make your password unpredictable and use unique passwords for each and every application.
  • Check the privacy settings on any social media accounts, and turn them on if you haven’t already
  • Don’t use real birthdays and other identifiable data unless you really need to. Receiving a “Happy Birthday” email from a loyalty card provider a few days early or late is preferable to sharing a major personal identifier.
  • Do not enter easy answers to forgotten-password questions. Ideally, choose an answer that has nothing to do with the question at all. An example: What is the name of your dog? Answer: “I love companies that make it so easy for attackers to steal my identity”.
  • Explore the benefits of 2FA or MFA inside your organization and look for it when you sign up for a new online service or similar.

Lastly, stay alert to any news of data breaches and immediately change your password or create a new account if you believe you have been affected. Don’t forget to also consider where else you may have used the same password and personal details. Hackers are constantly trying to get the better of us, so don’t give them any extra chances to succeed.

 

FIDO U2F: what it is and how you can secure your web applications using LinOTP

This is the first part of a series of blog entries about FIDO U2F and how you can use FIDO U2F and LinOTP to secure your web applications.

Kicking off, we would like to introduce you to FIDO U2F and explain the idea behind it. The following posts will cover the protocols and how you can use LinOTP to integrate FIDO U2F in your application.

What is FIDO U2F?

FIDO U2F is a technical specification defining a mechanism to reduce the reliance on passwords to authenticate users. It can be used to enrich a password-based authentication with a second factor or to replace the password-based login completely, depending on the use case.

FIDO U2F is developed by the FIDO Alliance (KeyIdentity is a member) and is actively being extended to new authentication models and markets. The driving idea behind FIDO U2F is to let users bring their own token to the registration process and to let you securely validate their identity from then on, while the user needs only one token for all websites without compromising security.

[Figure: The U2F user experience. Source: FIDO Alliance]

USB, NFC and Bluetooth are now defined as transport protocols and a wide range of devices is available to make use of them. Your users can decide on the method and vendor they prefer, based on costs, design or availability. The FIDO U2F implementation on the side of the web application is the same for all tokens implementing the FIDO specifications.

FIDO U2F is based on public key cryptography. When the user registers at your site, a key pair specific to your site is generated in the FIDO U2F token and, depending on the device, is stored on the token. The public key is then registered in your LinOTP backend. When the user authenticates later on, a challenge is presented to the FIDO U2F token and proof of the possession of the private key is presented by signing the challenge. The FIDO protocols are designed to protect the user’s privacy. It is not possible to track a user across services even though the same token is used.
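The registration and challenge-response flow described above, as an added example that is not code from LinOTP or the FIDO Alliance. It is a simplified model: a software object stands in for the hardware token, the signed byte layout is an assumption rather than the U2F wire format, and `SoftToken`, `Backend` and `signedData` are hypothetical names.

```javascript
// Simplified model: not the U2F wire format, not LinOTP code; all names are hypothetical.
const crypto = require('node:crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Bytes covered by the signature: site identity, usage counter, server challenge.
function signedData(appId, counter, challenge) {
  const ctr = Buffer.alloc(4);
  ctr.writeUInt32BE(counter);
  return Buffer.concat([sha256(appId), ctr, challenge]);
}

// Software stand-in for a token: one P-256 key pair per site (appId).
class SoftToken {
  constructor() { this.keys = new Map(); this.counter = 0; }
  register(appId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    const keyHandle = crypto.randomBytes(16).toString('hex');
    this.keys.set(keyHandle, { appId, privateKey });
    return { keyHandle, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) };
  }
  sign(appId, keyHandle, challenge) {
    const entry = this.keys.get(keyHandle);
    // A key created for one site is never used to answer another site.
    if (!entry || entry.appId !== appId) throw new Error('no key for this site');
    const counter = ++this.counter;
    const signature = crypto.sign('sha256', signedData(appId, counter, challenge), entry.privateKey);
    return { counter, signature };
  }
}

// Backend side: stores only the public key and the last counter seen.
class Backend {
  constructor(appId) { this.appId = appId; this.users = new Map(); this.pending = new Map(); }
  enroll(user, reg) { this.users.set(user, { ...reg, lastCounter: 0 }); }
  newChallenge(user) {
    this.pending.set(user, crypto.randomBytes(32));
    return this.pending.get(user);
  }
  verify(user, { counter, signature }) {
    const rec = this.users.get(user);
    const challenge = this.pending.get(user);
    this.pending.delete(user); // each challenge is single-use
    if (!rec || !challenge || counter <= rec.lastCounter) return false;
    const data = signedData(this.appId, counter, challenge);
    if (!crypto.verify('sha256', data, rec.publicKeyPem, signature)) return false;
    rec.lastCounter = counter;
    return true;
  }
}
```

Enrolling the same token at two backends yields two unrelated public keys, which is why the sites cannot correlate the user, and a captured response is rejected when replayed because both the challenge and the counter have moved on.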

The handling of the device and the communication over the USB, NFC or Bluetooth transport protocols is provided by the user’s browser, either built in or available as a plug-in. Currently only Google Chrome has built-in support, but support by Microsoft and plug-ins for Firefox are available.

FIDO U2F is still a pretty young standard, but adoption is picking up. After being developed mainly by Google and Yubico, the FIDO Alliance now has an impressive set of members, and the range of specifications has grown actively, and in interesting areas, over the last year.

This was just a quick introduction. In the following parts we will look at the registration and authentication process and how an implementation of FIDO U2F can look.