What is Two-Factor Authentication?
Two-factor authentication requires a user logging onto a computer network or a cloud-based Internet service to present more than one means of proving who they are. Simply knowing a single memorized password will not grant access without a second factor to prove your identity.
- Two-Factor Authentication But Not Specific to Same Service
- Two-Factor Authentication Applied to a Single Service
- Two-Factor Authentication Using Physical OTP Password Devices
Two-Factor Authentication But Not Specific to Same Service
Shared static keys (think of the WiFi router password at work or home) are often a second factor that home users must supply in order to reach an Internet email provider from a password-protected home wireless network, for example when using a new laptop for the first time.
In this situation, the user must first have the access key to their router (first factor) and then the password to their webmail provider account to check email (second factor). In this scenario, both the router and the web provider are only requiring a single factor to authenticate and provide access to the user.
Two-Factor Authentication Applied to a Single Service
Two-factor authentication deployed on a wireless router at your place of work is often used to ensure that a leaked password does not result in unauthorized computers gaining access to other computers behind your workplace firewall. Most companies implement such two-factor security by requiring a wireless password credential (factor one) plus whitelisting of the wireless network card’s MAC address (factor two; think of it as a unique telephone number for your wireless network card).
Typically, your network administrator would record your unique MAC address and add it to a “whitelist” of wireless network devices authorized to gain Internet access after passing the first factor of authentication (the user or router password). Only if both factors are satisfied would a wireless router allow the user to access the Internet.
To the extent possible, every computer user should choose a second authentication factor that can’t be easily copied from your computer or from the networks you connect to. In the wireless router example, the whitelist of devices allowed to reach the Internet could be compromised by a remote hacker who reaches the router’s web administration interface from a vulnerable computer on the network and authenticates with the router’s administrative credentials. Once logged on, the hacker could easily add the MAC addresses of unauthorized network devices to the allowed list, rendering the “whitelist” second factor ineffective.
Two-Factor Authentication Using Physical OTP Password Devices
A physical second-factor authentication solution that generates a One Time Password (“OTP”), based on a protected algorithm held securely within the physical device, is a superior safeguard against remote online hackers. The password generated by the device expires shortly after it is generated, so remote hackers who may be monitoring your network traffic with tools such as Wireshark are much less able to authenticate against services that require a properly configured physical OTP device.
Servers that require first-factor logon credentials together with a second-factor One Time Password generated by a properly configured physical OTP device are protected against a hacker who sniffs network packets with a tool like Wireshark, intercepts a password, and attempts to use it to gain unauthorized access at a later time. Physical OTP devices whose algorithm is securely protected, such as the Yubikey, generate short shelf-life passwords that become invalid soon after they are generated, thereby protecting your data from eavesdropping hackers who successfully intercept authentication passwords and attempt to access your electronically stored information (ESI).
Examples of such OTP second factor authentication options that we have used are the Yubikey and Google Authenticator services. I would recommend every company and law firm we work with begin exploring such options to help protect the security of their data.
Yubikey by Yubico
The Yubikey is a physical device that generates an OTP (One Time Password). The device generates a static password plus a time-based algorithmic password that expires in less than a minute and is validated by a secured Yubico validation service, either in the cloud or run internally behind a firewall. The device is reasonably priced, selling for around $25 each, with bulk discount purchase options available. I strongly advise everyone reading this to purchase at least 2 keys for yourself. If you decide to buy the product at all, buying only one key could put you at risk of losing access to services, or of permanent loss of encrypted data, in the event that you lose your only key. The second key gives you a backup device that can be configured to allow access in the event that the primary key is lost or destroyed. This key can be stored securely in a safety deposit box so that you are confident you are the only person with physical access to the backup key.
The Yubikey makes it difficult for a potential hacker to simply obtain your password and log in. When properly configured to work with your various logon services, the Yubikey can require the user logging on to have physical possession of the key in order to generate the OTP.
The Yubikey has to be registered with the authentication service you are using before it will work, e.g., Google mail, Active Directory, VPN access, and others. During the configuration of the key to the service, the administrator is typically allowed to associate one or more keys to work with a specific network user account ID.
What the Yubikey Does
Essentially, the first 12 characters emitted when the key is pressed are unique to the physical key and are associated with the user logging on. The remaining 32 characters are generated from a protected formula contained within the Yubikey that rotates faster than it would be possible to manually type the resulting value. Those 32 characters are authenticated either by Yubico’s free cloud service or by your own local Yubico HSM authentication service if you don’t want to rely on theirs. Since this is a second factor of protection, even if the Yubico formula for the OTP were somehow compromised by Yubico staff or hackers, the attacker would still need to know your logon password in order to access the service they are trying to compromise.
An example of the OTP generated when I press the key now is:
“cdfwfaajidsehibvidfurukigfdeehrrhhtbvdfkgnbr”
If I wait 30 seconds and press the key again,
“cdfwfaajidsekglrdcurnjdjlghutcdkennreucjdgir” is the resulting value. And another 30 seconds later,
“cdfwfaajidsebunnntkkuuvrcvdlirevbebknetehkdi” is the resulting value.
[12 Character Static ID Mapped to the User] + [32 Character OTP Generated Value] = OTP
The Yubikey effectively acts as an additional keyboard when plugged into a Mac, Linux or Windows-based computer. It may also be configured to pass the OTP text by tapping it against the screen of many smart phones. The 32 character code emitted as an OTP is of 128-bit strength, effectively offering a “whopping” 3,402,823,669,209,384,634,633,746,074,317.7 times 100 million combinations to try if someone wanted to attempt a brute force password attack against the key. This is tank level security and something every law firm and business should seriously consider.
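To make the 12 + 32 structure above concrete, here is an added example (not code from this article or from Yubico) that splits an OTP into its static public ID and one-time token, decodes the token to show it is exactly 16 bytes (the 128 bits mentioned above), and models a relying party that maps public IDs to users and refuses a token presented a second time. The sample public ID and tokens are constructed, and the seen-token set is a stated simplification of the real Yubico service’s decryption-and-counter check.

```python
MODHEX = "cbdefghijklnrtuv"      # YubiKey's "modhex" alphabet: c=0, b=1, d=2 ... v=f
PUBLIC_ID_LEN = 12               # 12 modhex chars = 6 bytes, static per key, mapped to a user
TOKEN_LEN = 32                   # 32 modhex chars = 16 bytes = one AES-128 block (the 128-bit claim)

def is_modhex(s: str) -> bool:
    return len(s) % 2 == 0 and all(ch in MODHEX for ch in s)

def modhex_decode(s: str) -> bytes:
    """Decode modhex to raw bytes; rejects any character outside the 16-letter alphabet."""
    if not is_modhex(s):
        raise ValueError("not modhex")
    nibbles = [MODHEX.index(ch) for ch in s]
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))

def split_otp(otp: str):
    """Split a 44-character YubiKey OTP into its static public ID and one-time token."""
    if len(otp) != PUBLIC_ID_LEN + TOKEN_LEN or not is_modhex(otp):
        raise ValueError("OTP must be 44 modhex characters")
    return otp[:PUBLIC_ID_LEN], otp[PUBLIC_ID_LEN:]

class OtpValidator:
    """Toy relying party. Hypothetical simplification: the real Yubico validation service
    decrypts the 16-byte token with the key's AES secret and checks its usage counters;
    here a seen-token set stands in for that check to show why a sniffed OTP is useless."""
    def __init__(self, registrations: dict):
        self.registrations = registrations   # public_id -> username, recorded at enrolment
        self.seen = set()

    def check(self, username: str, otp: str) -> str:
        try:
            public_id, token = split_otp(otp)
        except ValueError:
            return "malformed"
        if self.registrations.get(public_id) != username:
            return "wrong-key"          # key not enrolled for this user: second factor fails
        if token in self.seen:
            return "replayed"           # an intercepted OTP presented a second time
        self.seen.add(token)
        return "ok"

# Constructed sample values (not from a real key): one public ID and two successive tokens.
DEMO_PUBLIC_ID = "vvbbdcfeghij"
DEMO_TOKENS = ("cbdefghijklnrtuvcbdefghijklnrtuv", "vutrnlkjihgfedbcvutrnlkjihgfedbc")
```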
More information on Yubikey is available at the Yubico Website.
Google Authenticator
This service allows you to receive a text on your cell phone, or to run an application preconfigured and mapped to your identity, in order to generate a 6 character OTP that is unique to your identity. More information on Google Authenticator is available here.
Cell Phone SMS Second Factor Authentication
Many service providers today offer their customers the option to require entry of a second factor passcode when logging in for the first time from a new device, or each and every time they log in. For example, Facebook offers users the option to add a cell phone number that provides a second factor for logging on to the account.
Checking the Login Approvals checkbox, “Require a security code to access my account from unknown browsers”, will allow the user to configure cell phone SMS second factor authentication.
A Facebook user who enables Login Approvals is able to prevent unknown computers from accessing their profile with a guessed password from afar. Screenshots detailing the steps you must walk through to turn this on follow.
Your cell phone will then receive the Confirmation Code which you must enter to confirm and enable the service. You will be prompted to log on each time you authenticate from a new device to Facebook.
This type of second factor is a good idea to consider, but it may still be subject to interception by a hacker if you forward your cell phone SMS text messages to another email account, or if your cell phone itself becomes compromised.
Is Your Sensitive Data Secure? How Safe Are You?
Ask yourself whether your personal finances and access to company data would be at risk if a peering thief recorded your keystrokes while you logged into work in the morning or paid your bills online. If that question makes you uneasy, you should take action now to protect yourself, because you will be hacked at some time in the near future if you don’t adopt a physical second factor OTP technology.
How Safe Are Sensitive Documents You Share With Your Vendors?
If you are working with any outside vendor to collect, process, host or produce sensitive information, you should ask the vendor to explain what steps end-users must perform in order to access your data at work or from home. If the vendor doesn’t describe needing a second physical device, token key generator, or cell phone device on authentication, then your data is not likely to be effectively secured against today’s security threats.
Secure Your Organization
Forensicon has continued to research cutting edge security technologies in order to protect our clients and the data they entrust to us. We hope to see many of our customers and colleagues embrace these technologies within their own organizations so they may avoid potentially catastrophic harm to their organizations, employees and clients. Our staff are available to consult and assist you with implementation of these technologies should you have an interest in taking your corporate security to another level.
Note: Forensicon, Inc. and its shareholders do not own any Yubico or Google stock and are not receiving any commissions or other economic benefits from them for writing about these products.