Ouch 201211 en


OUCH! | November 2012

IN THIS ISSUE...
• The Problem
• A Solution
• An Example

Two-Factor Authentication

GUEST EDITOR
Fred Kerby is the guest editor for this issue. He is a former Information Assurance Manager for the Naval Surface Warfare Center, Dahlgren Division. He is also a SANS Senior Instructor and track lead for the Intro to Information Security course (SEC301). Fred also teaches Information Security Leadership (MGT512) and Security Essentials (SEC401).

THE PROBLEM
To use many of the services on the Internet today, such as email, online banking or online shopping, you must first prove you are who you say you are. This process of proving your identity is known as authentication. Authentication is done by using something you know (such as your password), something you have (such as your smartphone), or something unique to you (such as a retinal scan or fingerprint). Traditionally, one of the most common ways of authenticating has been a username and a password. The problem with using just a password for authentication is simple: all an attacker needs to do is guess or compromise your password and they gain instant access to your online account and information. If you use the same username and password for multiple accounts, the harm can be far greater. To better protect your online accounts, websites are moving to stronger authentication methods that require the use of more than one factor to authenticate. We will explain what this is, how it works and why you should use it.

THE SOLUTION
Stronger authentication uses more than one factor; not only do you have to know something like your password, but you have to have something (such as your smartphone) or present something unique to you (such as your fingerprint). Two-factor authentication is exactly what it sounds like; you need two factors to prove who you are instead of just one. A common example of two-factor authentication is your ATM card. To access your ATM you need to have something (your ATM card) and you need to know something (your PIN). If an attacker steals your ATM card, it does them no good unless they also know your PIN (which is why you never want to write your PIN on the card). By requiring two factors for authentication you are better protected than with just one.

Two-factor authentication works online in a manner similar to your ATM card and PIN combination. You use your username and password when you want to access your online accounts. However, after you successfully enter the correct password, instead of going directly to your accounts the site requires a second factor of authentication, such as a verification code or your fingerprint. If you do not have the second factor then you are not granted access. This second step protects you. If an attacker has compromised your password, you and your account are still safe, as the attacker cannot complete the second step without having the second factor.

EXAMPLES
Let's walk through an example of how two-factor authentication can work. One of the most widely used online services is Gmail. Many people authenticate to their Gmail account or other Google services with their username and password. Google now offers improved security with two-factor authentication, or what Google calls two-step verification. Google's two-step verification requires two things for authentication: your password (something you know) and your smartphone (something you have). To prove you have your smartphone, Google will send it a one-time verification code via SMS that is unique for you (note that messaging charges may apply; check your service plan for information). You then enter the code. Also, if you prefer, instead of Google sending you the one-time verification code via SMS, you can install an app that generates the unique code for you. This way you do not even need access to your service provider, just your smartphone. The value of this stronger authentication is that even if an attacker has compromised your Google password, they cannot access your Google accounts unless they also have physical access to your smartphone. You and your valuable information are protected.

Use two-factor authentication whenever possible; it is one of the strongest ways to protect access to your accounts and information.

Keep in mind, these verification codes sent to your smartphone are unique; they are different every time you authenticate. As such, you will have to go through this two-step process every time you have to authenticate to your Google account. In addition, this feature is not enabled by default. To enable this feature, log into your Google account, go into your Account Settings, select Security and follow the options for two-step verification.

Other online sites also offer two-factor authentication, such as Dropbox, PayPal or perhaps even your bank. Some of these services may support your smartphone, while others, such as PayPal, may send you a special token to generate your unique verification codes. Other sites may use special devices that plug into the USB port on your computer, such as YubiKey. If any of the services you use offer two-factor authentication, we highly recommend you enable and use it.

RESOURCES
Some of the links have been shortened for greater readability using the TinyURL service. To mitigate security issues, OUCH! always uses TinyURL's preview feature, which shows you the ultimate destination of the link and asks your permission before proceeding to it.

Google Two-Step Verification: http://preview.tinyurl.com/cncte9n
PayPal (and eBay) Security Key: http://preview.tinyurl.com/838dpds
Common Security Terms: http://preview.tinyurl.com/6wkpae5
SANS Security Tip of the Day: http://preview.tinyurl.com/6s2wrkp

BECOME A SECURITY PROFESSIONAL
Become a certified security professional from the largest and most trusted security training organization in the world at SANS 2013. Over 40 security classes taught by the world's leading experts. March 08-15, 2013 in Orlando, FL. http://www.sans.org/event/sans-2013/

OUCH! is published by the SANS Securing The Human program and is distributed under the Creative Commons BY-NC-ND 3.0 license. Permission is granted to distribute this newsletter as long as you reference the source, the distribution is not modified and it is not used for commercial purposes. For translating or more information, please contact ouch@securingthehuman.org. Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzner

© The SANS Institute 2012 http://www.securingthehuman.org