Tag Archive for MFA

No Love for 2FA

Everyone has gone to the ATM to grab some cash. Swipe your card, enter your PIN, and out comes your cash. We have been doing this for years. Using the ATM is one of the most established uses of the IT security best practice of two-factor authentication (2FA). Let's break that down.

  1. You present your ATM card to the machine (something you have).
  2. Next, you enter a secret PIN (something you know).
  3. Without both of these things (authentication factors), you don’t get your cash.

Two-factor authentication (2FA) provides an extra layer of protection for system access by asking the user for a second, independent proof of identity. 2FA is the two-factor case of multi-factor authentication (MFA), which requires at least two of the following authentication factors:

  • A knowledge factor (something only the user knows, such as an ATM PIN);
  • A possession factor (something only the user has, such as an ATM card);
  • An inherence factor (something the user is, such as a fingerprint or retina pattern).

The most popular forms of 2FA include answers to secret questions, a code sent to your phone, and one-time password-generating tokens. Note that secret questions are something you know, so paired with a password they are really two knowledge factors rather than two distinct factors.

2FA is a way to mitigate the risks of unauthorized access, especially in the current COVID-19 era of increased work from home (WFH). And yet, despite these benefits, adoption lags. Computer Economics has posted a report, Two-Factor Authentication Adoption and Best Practices, which studied the adoption and practice of 2FA. The report says that firms are not using 2FA to the extent they should be to ensure organizational security:

  • 18% do not use 2FA;
  • 25% are implementing 2FA for the first time;
  • 34% practice 2FA formally and consistently.

Why is 2FA needed? Because, as followers of the Bach Seat know, username and password pairs as authentication factors suck. CE writes that passwords can be “phished,” stolen, discovered, and cracked in many ways. Humans are as bad at making good passwords and changing them regularly as they are at eating their daily requirement of vegetables.

In the press release, Tom Dunlap, director of research for Computer Economics, said:

The big picture is that 2FA is inconvenient, and users just want access … Users often rebel against it because the extra layer is seen as onerous or unnecessary. However … companies face a wide array of security and privacy threats and 2FA can go a long way to protecting a company.

Inconvenience isn’t the only issue. As I have chronicled on the Bach Seat, each form of two-factor authentication has its own weaknesses. For instance, security questions can often be easily guessed, tokens can be lost, and SMS codes can be intercepted or redirected to an attacker’s phone.

rb-

Another issue with 2FA is that it is unevenly implemented, and there’s no central place to check whether a firm has enabled it on its public-facing site. However, a website, Two Factor Auth (2FA), is trying to fill that void. Two Factor Auth is a list of websites and whether or not they support 2FA.

Most of the well-known and commonly used sites and services are listed. The site explains what types of 2FA each firm supports. If a firm doesn’t support 2FA, there’s even a Twitter or Facebook link where you can poke them on social media to start using it.

Only about a third of firms love two-factor authentication enough to use it well, despite the security benefits it provides to the firm and its customers.

Stay safe out there!


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

RSA Available?

Updated 12/26/2019 – The rumor mill says that Dell Technologies is working with too big to fail Morgan Stanley in a bid to sell off RSA Security.

Is RSA available? In keeping with the wave of cybersecurity mergers and acquisitions, the rumor mill is reporting that Dell is exploring the sale of its RSA Security business unit. If the rumors are correct, RSA can be had for at least $1 billion. Rumors about Dell potentially selling RSA have surfaced multiple times over the past few years.

Dell inherited RSA in 2016 as part of its $67 billion acquisition of EMC. EMC bought RSA for about $2.1 billion in 2006. RSA Security was founded in 1982.

RSA is well known for its products, including SecurID multifactor authentication tokens and NetWitness for security information and event management (SIEM) and threat detection and response. However, RSA is probably best known for its annual RSA Conference in San Francisco. RSA faces many of the same issues that have precipitated the HP – Xerox face-off, including competition from fast-growing cloud and software-based identity and access management (IAM) firms. The RSA challengers include Okta and Ping Identity, according to Bloomberg.

Why is RSA Available?

Dell may have put RSA on the block because it is redundant in the Dell portfolio. Dell also owns Secureworks, an MSSP that has evolved into a software-driven provider of threat detection and management services. Additionally, Dell’s VMware business now owns Carbon Black, an endpoint protection and cybersecurity company that works closely with MSSPs. Dell has been connecting the dots between Secureworks, VMware, and Carbon Black as part of its own enterprise security strategy.

Neither Dell nor RSA commented on the Bloomberg report.

rb-

As I have noted a number of times on the Bach Seat, the cyber-security market is seeing lots of M&A action. If Dell is really serious about unloading RSA, now is the time to do it, before the cyber-security bubble bursts and/or the economy tanks again. Not only would selling RSA streamline Dell’s security story, the $1 billion would allow Dell to pay down its debt from the EMC purchase or fund other projects.


9 Techs That Could Replace Your Passwords

Followers of the Bach Seat know that passwords suck. I have covered alternatives to the password as far back as 2010, and here and here. Now Business Insider lists nine crazy alternatives to passwords. The article describes efforts around the globe to develop new gadgets and technology that can save you from the headache of memorizing (and inevitably forgetting) passwords.

The article calls out several ways to replace passwords for authenticating a user. Users can be authenticated based on a physical trait, or biometrics. Biometrics is the measurement and statistical analysis of people’s physical and behavioral characteristics. Biometrics can offer one of the independent credentials required for multifactor authentication (MFA), which combines two or more of: what the user knows (a password), what the user has (a security token), and what the user is (biometric verification).

How to replace passwords

Selfies – This might be the password of choice for the Facebook (FB) generation. Companies like Amazon (AMZN) and Mastercard (MA) are already considering selfies. The technology would ask users to snap pictures of their faces on a smartphone before making a transaction. Mastercard’s technology would need a user to blink before their face is scanned. This liveness check is a safeguard to prevent hackers from simply holding a photo of someone else in front of the camera.

Edible pills – Swallowing pills might be one of the few things more annoying than memorizing passwords, but some researchers think it’s the future. After mixing with stomach acid, the pill would emit a unique, low-power signal that connects with your PC. Google (GOOG) VP of Advanced Technology and Projects Regina Dugan described such a system a few years ago. According to Ms. Dugan, a person could safely ingest 30 pills every day for the rest of their lives.

Your gait – Going for a stroll might not sound like the most convenient way to log on to your computer, but the way you walk has some unique traits that could serve as a means of authentication. A wearable device, like a bracelet or anklet, could record your physical activity and use that information as a password the next time you need to log on. One study reportedly analyzed foot pressure patterns and achieved a 99.6 percent accuracy rate. rb- I covered the now-defunct Alohar Mobile attempt to turn how you stroll into a password here.

Your ear cavity – Has anyone ever told you your ear canal is one of a kind? NEC does. They are developing special earbuds that bounce a sound into your ear’s cavity and then use the reverberations as a signature to identify you. NEC hopes to have these available within a few years. Another study was able to achieve a 99.6% accuracy rate identifying individuals by analyzing how light reflects off the curves of the ears. rb- Back in 2014 I covered the Descartes Biometrics app that used the shape of your ear as a password.

Your backside – The shape and contours of your posterior are special. So special that some researchers in Japan have explored whether a seat mat could be used to identify you. The experimental mat is packed with special sensors that measure pressure distribution. The mat could be integrated into cars, to prevent unauthorized sitters from driving off with the vehicle.

Tattoos – Google’s Regina Dugan showed off a sticker-like wearable tattoo on her arm a few years ago that she said could be used to unlock a phone or computer. The tattoo, which was only an experimental prototype, was made of flexible circuits and sensors and could be worn for up to a week, she explained. No word on whether you can get the password tattoo in the design of a fire-breathing dragon.

Your Jewelry – Wearable gadgets like the Fitbit and Apple Watch can already track your sleep and the steps you take. The next step is to track the pattern of your pulse or heart rate, as the Nymi band does, and use that information to identify you. rb- I covered the Nymi earlier, and we have seen that the Apple Watch and other wearables are not secure, so how can they log you in?

Your voice – Nothing is easier than saying a few words, and even the best impersonator can’t perfectly mimic another person’s live voice (recordings and synthesized speech are a separate threat the system has to detect). That’s why one big bank in Britain recently set up technology to identify customers on the phone or online by the sound of their voice. And yes, the system will still work if you have a cold.

Implants – This one is only for hardcore security geeks. Believe it or not, some people have already experimented with embedding a small RFID chip under their skin. The chip emits a radio signal that can theoretically be used to do everything from unlocking the door to an office and starting a car, to logging on to email.

rb-

The biggest problem with biometrics is getting people to use them. How many people do you know who would be willing to swallow a pill to log in to each of their websites? Swallowing pills to log in to Facebook, Instagram, or Google is a voluntary decision. What if your employer requires you to swallow pills to enter the building and log in to Windows, your email, ERP, CRM, and HR? What are the implications for privacy? Healthcare? Plumbing?

I wrote about the problems of adopting an eye-based biometric system back in 2012.

The end-user will be the fundamental roadblock to any eye-based biometrics. Traditionally, anything related to eye recognition has received strong resistance, because it is just human nature to be squeamish about having our eyes scanned.
