Using “two factor authentication” (2FA) has long been one of the basic ways of ensuring cyber security. It’s a simple way of adding strength to (all too often weak) passwords.
The principle is simple. Entry to an account requires two things: something you know (such as username and password) and something you possess (such as a smart phone).
With 2FA, a code can be sent to a device that you possess, such as your mobile phone, to be input alongside the thing you know, your password. Hackers would need that code as well as your password to gain entry to your account.
One of the flaws of 2FA though is that the code might well be sent to the device you are using to access your account. This happens if you are accessing your account with your smart phone and have set up 2FA (as most people do) to send the code to your phone.
Enter a new generation of 2FA. Companies such as Duo security provide 2FA. But it is not 2FA as you probably know it.
Alongside the ability to send a code to your phone, Duo’s system does a lot more. As well as authenticating you as the user, it authenticates your device, checking parameters such as:
- whether it is running a secure operating system and an up-to-date browser (and so is secure)
- whether it has been “jail broken”or “rooted” (and so may be insecure)
- whether the site you are trying to access has valid security certificates (fake ones won’t)
- whether the device is a valid one (so if your phone has been stolen it is simple to disallow access, whether or not the 2FA code has been received)
It captures all this information because, in the words of Duo’s Steve Manzuik, Director of Security Research: “We are in the path of authentication”.
That means a lot of valuable information is passing through the Duo system while authentication is being performed, information that can used to strengthen security.
With this type of system, users can choose various levels of security, such as blocking out all (or just some) sites that fail to produce up-to-date security certificates.
The Duo system can even be used to manage access to corporate networks, for instance disallowing access from particular locations such as China (if no one in your organisation is located there) or particular devices such as unauthorised tablets.
This is powerful functionality and it can be argued that using this type of 2FA negates the need for protection through VPNs.
And that could save a lot of headaches for hard-pressed IT security personnel trying to stem the flow of cyber risks that the world of “bring your own device” has delivered.
Photo copyright Christopher Robbins under licence from Thinkstockphotos.co.uk