Three great alternatives to two-factor authentication via text-message
After a series of high-profile hackings, Twitter last week finally joined the likes of Google and Facebook and introduced two-factor authentication. Users opting to use the new security tool must now enter a code they receive via a text message sent to their cell phones each time they log into the microblogging service.
While Twitter's decision to provide account holders with two-factor authentication is good news—especially considering the string of news organizations and big brands such as Jeep and Burger King that have been hacked in recent months—some experts warn that it won’t be enough to prevent the hijacking of high-profile accounts.
For one thing, the new security option isn’t likely to help organizations that have many staff members posting to a single Twitter account. Obviously, they don’t all use the same mobile phone. It also won’t protect users from man-in-the-middle attacks through which a user is lured to a fake Twitter login page, enters his or her login credentials and the six-digit two-factor authentication password, thereby giving a bad guy entry to the account.
For brands, a hacked Twitter account can be disastrous. It’s not only costly to shut down an account and extricate it from a hacker’s control, but there are also customer relations and reputation management concerns to consider. Stock prices can even take a beating, as they did in April when the Associated Press’s account was breached and hackers tweeted about explosions at the White House.
The good news is that SMS codes sent to mobile phones are far from the only way you can use two-factor authentication to protect your brand. Here are three other good options to consider.
Hardware Token: The YubiKey
The YubiKey, made by a Swedish-American company called Yubico, is a small piece of hardware that looks like a USB stick that your customers or employees plug into the computers’ USB port. Each time a user logs onto your website or system, they must push a button on the YubiKey to generate a one-time password validating that the person is who they say they are. Yubico also makes a near-field communication (NFC) variant of the device called the YubiKey NEO, which enables contactless communication for securing NFC enabled mobile devices.
Scads of high-profile companies are equipping employees, users and customers with YubiKeys, including Google, Microsoft, the U.S. Department of Defense and the government of Turkey. Yubico is also partnering with several single-sign on services, including OneLogin and Clavid, so that the YubiKey can work across dozens of services including Adobe, Salesforce, LinkedIn, and more. It also works with password managers such as LastPass, PasswordSafe and Passpack. In fact, the company says more than one million users in 120 countries are using the hardware token.
“A service provider who wants to add YubiKey support could chose to use OATH, [the open authentication standard], our free open source server components, or our hosted service, the YubiCloud,” says Yubico CEO Stina Ehrensvard. “With a simple web API, it takes approximately 20 minutes to integrate the YubiCloud, which works out-of-the-box with a YubiKey purchased on Yubico web store.”
A enterprise with up to 5,000 users that use Yubico’s hardware, software and services can expect to pay $13 per year, per YubiKey—that’s somewhere around $318,000 for five years. For smaller businesses, Ehrensvard says that it’s possible to purchase a tray of 50 YubiKeys from Yubico’s web store. This is a one-time cost of $750 and it works with the free version of YubiCloud or free open source software.
Ehrensvard said her company is working with Google and other IT giants on a new open authentication standard: “This is expected to be launched in 2014, allowing our premium YubiKey, the YubiKey NEO, to work out-of-the box with Google services and a range of other cloud and financial services.”
A User’s Phone Location: Toopher
The Toopher two-factor authentication solution can be installed on a company's website with just a few lines of code, and it works through an app on a user’s phone. When the person begins to to log onto a site, the software verifies their identity by detecting which computer they’re using and where their phone is physically located.
After installing the Toopher app, the user pairs it with your web service. The first time the person tries logging onto your site from a new location, he or she must give permission to do so through the app. After that first log-in from a particular location, a user can opt to have permissions given automatically so that the app runs in the background and operates invisibly. In this way, it’s different from the SMS-based two-factor authentication used by Twitter, Google and Facebook, which require users to enter a code each time they want to log in.
Toopher CEO Josh Alexander maintains that hassle will keep adoption of Twitter’s new two-factor authentication option low: “Having to pull your phone out of your pocket every single time you want to do something as arbitrary as logging in is too much friction.”
Toopher is free for companies with 50 users or less. While pricing can be as high as $2.50 per user per month for internal deployments, it scales to pennies per month per user for sites and companies with thousands of users.
A Smart Complement to Two-Factor Solutions
Wile it isn’t a two-factor authentication provider, Redwood City, California-based Impermium protects websites and individual users from account hijacking by using proprietary statistical and machine learning models to provide threat intelligence and risk-based authentication.
Started in 2010 by Mark Risher, who was formerly general manager of Yahoo Mail, the company has garnered around 500,000 companies as clients, including CNN, Pinterest, Typepad and Tumblr.
The draw? Because Impermium monitors how people are behaving on all those many sites, including how they’re using social media, the company is able to know if someone trying to login to a site has a pattern of abuse or a pattern of good behavior. In that way is able to predict if an attempted attack is likely. Basically, it sniffs out deviations in user behavior across all those online territories, looking at what devices people are using, their network and physical locations as well as the social reputation of whomever is trying to login to a site.
Impermium offers two products: one for business users of software as a service platforms and another that protects companies’ websites.
The former, called Accountability, is a new service that monitors Twitter, Salesforce, Box, Facebook, and Marketo accounts and sends email or text message alerts to users if it detects fishy activity. For now, the beta service is free.
Impermium’s second product, called CloudSentry, helps web-hosted applications identify suspicious behavior.
“It integrates into the log-in flow of the site and performs analyses of the circumstances around someone trying to connect,” Risher says. “So if you’re logging in from [your usual city] from your regular iPad that you use all the time, that’s a low-risk scenario and we’d identify it as such. If someone is logging in with your credentials from a cybercafé in Indonesia, that is a higher-risk scenario and so we would give that a higher risk rating and suggest that [a client] maybe suspend the account, give it some reduced privileges, or ask for a secondary authentication like Toopher.”
Risher likens what Impermium offers to the alarm system that augments the locks on the front door of your house, and in that way is an important complement to two-factor authentication solutions.
“YubiKey and Toopher… are both well regarded products that strengthen the front door. But a site and an application needs intelligence, needs real-time risk analyses to be able to determine [whether] even if someone has the key, should we let them in or not?”