Open Haus: Multi-Factor Authentication [VIDEO]

NCP has been present at a number of industry events throughout the year, from it-sa in Nuremberg to SC Congress in New York to INTERFACE in Denver. While these gatherings offer great opportunities for reconnecting with our friends and partners, as well as reaching out to new clients, they also provide an invaluable time for taking the industry’s temperature, so to speak. And if there was one thing we found that was on nearly everyone’s minds this year, it was the growing need for two-factor (or multi-factor) authentication. As data breaches caused by spear-phishing and social engineering tactics have become both increasingly more frequent and more damaging, multi-factor authentication emerges as a common sense solution for reducing the success rate of these cyberattacks. Unfortunately, it’s not as simple as flicking a switch. Cybersecurity budgets may be increasing, but IT professionals are still struggling with the amount of resources they have, and are unsure about where to shift their priorities. How to implement multi-factor user authentication, or how to determine which VPN or defense-in-depth solution offers the best multi-layer fit for your organization, are all pain points for enterprises. How It Works That’s what gives NCP Secure Enterprise Management (SEM) such a leg up on the competition. Unlike other secure remote access VPN providers, NCP’s solution provides integrated multi-factor authentication safeguards to help give your organization greater peace of mind. Protecting login information with just a username and password isn’t safe anymore; it’s all too easy for hackers to guess around these, especially when so many users have simple passwords to begin with. Two-factor or multi-factor authentication setups, instead, require...

CIA Director’s Hacked Email Shows Need for Multi-Factor Authentication

There’s a certain irony to the way the U.S. government approaches encryption and data privacy for its citizens, while simultaneously falling victim to major data breaches itself through embarrassing security lapses. Up until recently, law enforcement agencies like the FBI had lobbied hard for companies like Apple and Google to be forced to program encryption “backdoors” into their services, like iMessage, so that they could listen in on the otherwise-blocked communications of suspected criminals or terrorists. Silicon Valley’s response (and what the White House eventually sided with) was that opening a “backdoor” for law enforcement is tantamount to ultimately opening a backdoor for anyone. The FBI and NSA counter-argued that they would be in control of the keys to those doors, and that user data would be safe with them. That was a hard argument for privacy advocates to accept then, and it’s even less likely to win over anyone now in light of a new data breach scandal. The Guardian recently reported that a pair of hackers managed to access the personal AOL email account of John Brennan, director of the CIA. Not only that, but the data that was compromised through the breach – which included the names, contact information, security clearances and Social Security numbers of around 20 CIA employees – was leaked and published to Twitter. While the contents of these emails were, in Fortune’s words, “mundane” and “peanuts as far as actual revelations and public interest is concerned,” the fact remains that a pair of reportedly teenage hackers managed to hack into the email account of the U.S. Director of Central Intelligence. The joke...

[WEBINAR] Two-Factor Authentication for Tighter VPN Security

If you think that passwords for online profiles are effective at preventing security breaches, consider these two new statistics: The average person has 19 passwords Four in five people say they forget their passwords To counter password forgetfulness, users often take steps that leave network administrators cringing. They may duplicate one password over multiple accounts. They could use birthdays or other numbers that can be easily guessed. Or they might write them down, sometimes in plain sight. Actions like these make it that much easier for attackers to successfully breach a network, and indeed, many recent breaches share a common origin – an employee’s password that was copied, discovered or given away. To counter this wave of password theft, an avalanche of popular sites and apps, including Google, Amazon, Facebook and now even Snapchat, have replaced one-dimensional passwords with a form of user login credentials that help better protect sensitive information. Download Whitepaper Enter two-factor authentication. This approach combines two (or more) methods of credentials authentication to establish the unambiguous identification of each user, including: Something Users Know: Password, PIN, one-time password (OTP), certificate Something Users Have: Token or calculator (with OTP), soft token, text message (with OTP), machine/hardware certificate, smartcard, trusted platform module (TPM) Something Users Are: Fingerprint, face recognition, iris recognition, keystroke dynamics Network administrators have all these options at their disposal, and the idea is to pick at least one form of authentication from two of the lists. An administrator may even pick a factor from all three lists, or combine multiple items from each. With this additional protection, users gain the convenience of anywhere-anytime access without...

Two’s (or More) Company: How to Use Two-Factor Authentication the Right Way

These days, you need a password to access every aspect of your digital life, and we all know how problematic that can be. You can either come up with a unique (albeit difficult-to-remember) password for every website, or use easy passwords, or even duplicates, that leave your accounts insecure. Fortunately, many prominent websites today – Dropbox, Google, Apple, Facebook and PayPal – all support a security approach known as two-factor or multi-factor authentication. And it’s easy to see why. This process enhances security by adding another step (or more) to the user verification process, making even risky passwords much stronger. That’s because in addition to the factor that a user knows (a password), every login attempt requires the user to supply a factor he or she owns, such as a one-time access code or PIN sent to their mobile device via SMS text or email, and/or one that reflects who they are, like a fingerprint. Through this relatively simple extension of the traditional authentication scheme, a lost or stolen password becomes plain useless to a hacker. No successful login is possible without the additional factor or factors. If your security demands are higher than average, it’s also important to generate the second authentication code, or OTP, only when the user has already started the session and the first factor has been exchanged successfully. It might be simpler to implement and roll out tokens with pre-fabricated codes, but this kind of implementation is inherently easier to compromise, but is still almost impossible to break. As a rule, token solutions require a seed that contains the base data for generating the...

Two-Factor Authentication Transforms Even ‘123456’ Into a Secure Password

Since 2011, the same two passwords have ranked as the most common (and worst) among users. Care to take a guess as to what they are? You don’t have to be a savvy hacker to figure them out – “123456” and “password” have again topped the list this year. The good news is the prevalence of these two passwords in particular has fallen quite a bit, from 8.5 percent of all passwords in 2011 to less than 1 percent now. As a password to an individual’s Facebook or Tumblr account, these are probably adequate. The accounts they’re “protecting” are low-profile, unlikely targets, and hackers wouldn’t really gain much from breaking into them anyway. It’s a different story when a user sets up a work-related email or credit card account – much more likely targets of attackers – using these easy-to-crack passwords. Instead of using brute force and repeatedly trying passwords, hackers barely have to break a sweat or exert any effort. They can simply type in “1-2-3-4-5-6” or “p-a-s-s-w-o-r-d” and they’ll be granted entry on their first try. A gold mine of information suddenly materializes right at their fingertips. At first glance, network administrators appear to have a few different courses of action to prevent these types of weak passwords and shore up their network security. They could try employee education – teaching their workforce best practices when it comes to setting up their credentials. Or they could provide them with tools that both randomly generate secure passwords and then store them securely for easy recall. The problem with each of these solutions is that they’re really just temporary...

Why Two-Factor Authentication is Too Important to Ignore

In August, it happened again: a headline-grabbing warning that 1.2 billion passwords had been stolen by a Russian cyber gang, dubbed CyberVor, caused quite a stir. While questions were raised about the legitimacy of the CyberVor report and the scant details surrounding it, wh In the past, these types of events did not even make it into specialized magazines and news services, much less major news outlets. And if they did, superlatives were required to capture anyone’s attention. However, just because password theft may not always garner a big news report, it doesn’t mean it isn’t happening all the time. On the contrary, and especially during the past year, quite a few companies have admitted to being victimized by data breaches and losing control of large amounts of data. Big retail chains Home Depot and Target experienced security breaches that culled information from more than 100 million cards combined, while 233 million eBay users were put at risk of identity theft after an online security breach.  Going forward, we have to be prepared for the possibility that private information provided to a third party, like a merchant or a public agency, will be stolen. What does this mean for the security of user passwords? “Set it and forget about it” password security simply does not exist anymore. Passwords today can only be regarded as a temporary security measure that should be limited in both time of use and number of accounts. Nevertheless, experience shows that users recycle the same password for many or all of their accounts. For many, it’s just not feasible to memorize dozens of unique passwords that...