More and more companies enforce secure password policies, requiring employees to change their passwords at regular intervals.
Their passwords must meet complexity requirements, for example:
passwords must contain at least three of the four character types (lower case letters, upper case letters, numbers and symbols),
passwords must have at least 8 characters,
passwords can not contain part of the user name,
users can not reuse old passwords for 12 or more months.
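As an added illustration (not code from the original post), the following validator checks a candidate password against the four rules just listed. The 3-character threshold for "part of the user name", the unsalted SHA-256 history store and the sample dates are assumptions made for the example.

```python
import hashlib
import hmac
import re
import string
from datetime import datetime, timedelta

HISTORY_WINDOW = timedelta(days=365)  # the policy's "12 or more months"

def _digest(password):
    # Unsalted SHA-256 keeps the example self-contained; a real store would use bcrypt/argon2.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def character_classes(password):
    """Number of the four classes (lower, upper, digit, symbol) present in the password."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])

def contains_username_part(password, username, min_len=3):
    """True if a username token of at least min_len chars occurs in the password (case-insensitive).
    The policy only says 'part of the user name'; the 3-character threshold is an assumption."""
    lowered = password.lower()
    tokens = re.split(r"[^a-z0-9]+", username.lower())
    return any(len(t) >= min_len and t in lowered for t in tokens)

def recently_used(password, history, now):
    """history: iterable of (sha256_hex, datetime_set); reject reuse inside the 12-month window."""
    digest = _digest(password)
    return any(now - set_at < HISTORY_WINDOW and hmac.compare_digest(digest, old)
               for old, set_at in history)

def validate_password(password, username, history=(), now=None):
    """Return the list of violated policy rules; an empty list means the password is acceptable."""
    now = now or datetime.now()
    violations = []
    if len(password) < 8:
        violations.append("too short (minimum 8 characters)")
    if character_classes(password) < 3:
        violations.append("needs at least three of: lowercase, uppercase, digits, symbols")
    if contains_username_part(password, username):
        violations.append("contains part of the user name")
    if recently_used(password, history, now):
        violations.append("reused within the last 12 months")
    return violations

# Constructed sample history: "Winter2013!" set 6 months ago, "Summer2012!" set 14 months ago.
NOW = datetime(2014, 1, 15)
SAMPLE_HISTORY = [(_digest("Winter2013!"), NOW - timedelta(days=180)),
                  (_digest("Summer2012!"), NOW - timedelta(days=425))]
```

Note that "Summer2012!" passes the reuse check because it fell outside the 12-month window, while "Winter2013!" is rejected.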
Many companies still rely solely on passwords or passphrases to keep their servers, applications and data secure.
Relying on user names and passwords alone to access your confidential data is risky business.
It takes only one weak link to potentially compromise your whole infrastructure.
As a rule of thumb: the greater the value of the protected information, the more secure the authentication method needs to be.
The various authentication methods can be categorized into three groups (also called factors):
Knowledge, Possession and Inherence.
Knowledge = something only the user knows:
Password, Personal Identification Number (PIN)
Challenge questions (e.g. "What is your mother's maiden name?") are not regulatory compliant.
Possession = something only the user has:
Tokens (e.g. magnetic stripe cards, smartcards, USB fobs)
Mobile phones (one-time password via SMS, OTP via push notification services, OTP via a mobile device app, mobile signature)
Inherence = something only the user is:
Biometrics (e.g. fingerprint, voice print, iris scan)
Keep in mind, though, that you can reset a password but not your fingerprint – biometrics come with their own challenges.
Combining several factors can significantly improve the security of the authentication process (Multi-Factor Authentication).
You have probably used two-factor authentication for quite some time without being aware of it.
ATMs require two-factor authentication: your debit card (possession) and your PIN (knowledge).
As you can imagine, three-factor authentication is even more secure.
Apple's iPhone 5s already has a fingerprint sensor, and many mobile device makers will catch up soon.
It doesn't take much imagination to picture an app with three-factor authentication:
1.) You unlock your iPhone (possession),
2.) you launch the app that allows you to make a payment and enter a PIN to authenticate (knowledge),
3.) you use your fingerprint to confirm the transaction (inherence).
Two-factor authentication is more than sufficient for most security requirements.
Before a company can implement such a solution, it needs to decide whether to use certificates or OTPs (or both).
There are several commercial solutions available, e.g. Vasco, SafeNet, SMS Passcode and Zyxel.
Start with an extra layer of security immediately by securing your Apple ID, Google Services (Gmail, Google+, Google Docs, etc), Facebook, Twitter, LinkedIn, Dropbox, and others.
You will find detailed information and links to step-by-step instructions on our website here.