Fortinet advocates two-factor authentication as breaches escalate

• With cloud-cracking, passwords are no longer sufficient to secure your critical data
• Companies increasingly adopting two-factor authentication to better secure users’ data

WITH a recent surge in processing power and the ability to outsource password cracking to the cloud, password-only based authentication is no longer sufficient to secure your critical data, according to network security company Fortinet.
 
Researchers at Fortinet’s FortiGuard Labs recently published a report that predicted a marked increase in businesses migrating to two-factor authentication in 2013, the company said in a statement.
 
Amazon, Apple, Dropbox, eBay, Facebook, Google and Microsoft have recently made the transition to adopt two-factor authentication as a better means of securing their users’ data.
 
According to TechNavio, the global two-factor authentication market is expected to grow 20.8% between 2011 and 2015; while Markets and Markets forecasted that the multi-factor authentication market will reach US$5.45 billion by 2017.
 
“In the early days of Internet authentication, plain text passwords were often sufficient, as the number of threat vectors were minimal and processing horsepower and password repositories weren’t readily available to just anyone,” said Richard Henderson, security strategist and threat researcher for Fortinet’s FortiGuard Labs.
  
“As newer password cracking tools, faster processors and always-on Internet connections arrived, plain text passwords started to come under fire.
 
“With the advent of cloud cracking services, such as Cloud Cracker, which leverages the power of distributed computing, 300 million password attempts can be made in as few as 20 minutes for around US$17. As such, even a strong, encrypted password can be cracked with a little patience,” he added.
 
Best practices
 
Protecting sensitive data online by using multiple factors of authentication is the best policy for ensuring the safety and integrity of data, Fortinet said.
 
However, when matching authentication methods to a user’s needs, don’t assume that any two methods will work for that particular purpose.
 
Two–factor authentication, also referred to as multi-factor authentication, strong authentication and two-step verification, consists of two of the following three methods of authentication:

• Something a user ‘knows’: This can be a password, challenge question or finger swipe movement over the face of a mobile device. This is commonly known as a knowledge factor.

• Something a user ‘has’: This can consist of a small hardware device, such as a smart card, USB key fob or a keychain dongle or a smartphone token, which generates a unique one-time password that’s sent to or generated by an application on a user’s mobile phone. This is known as a possession factor.

• Something a user ‘is’: This typically involves a biometric reader that detects something that validates something uniquely personal, such as a fingerprint, iris or voice. This type of authentication is known as an inherence factor.

While two-factor authentication can offer greater protection, there are two types of attacks (masquerade and session hijacking) that can undermine any type of authentication.
 
A masquerade attack is exactly what it sounds like: An attack that’s able to assume a falsely-claimed digital identity and thus, bypass the authentication mechanism.
 
Session hijacking, also known as TCP session hijacking, happens when an attacker surreptitiously obtains a session ID and takes control of an already authenticated session.
 
Keep in mind that given enough time and resources, no type of password encryption is infallible, Fortinet said.
 
“At Fortinet, we believe the best way to keep a network and its end-users safe is to leverage on technologies like two-factor authentication as part of a multi-layered security strategy,” said Eric Chan (pic), Fortinet’s regional technical director, South-East Asia and Hong Kong.
 
“Adding two-factor authentication provides another layer of solid protection on top of any current security infrastructure,” he added.
 
Related Stories:
 
Security no longer about ‘no,’ but ‘know’
 
The end of passwords, and other IT predictions
 
Signatures are passé, you need AI to StopTheHacker
 
Adaptive identities coming to forefront of security: RSA
 
Security as a business enabler, not a bottleneck
 
 
For more technology news and the latest updates, follow @dnewsasia on Twitter or Like us on Facebook.