Two Factor Authentication
What is it, how does it work, and why is two-factor authentication better than single-factor authentication?
In this interview with Paul Herbka of South Seas Corporation (a security services and solutions company based in Colorado), we discuss two-factor authentication in depth, and why any individual or business with sensitive data should seriously consider it.
You can listen to the interview and/or read the transcript below.
Download the two-factor authentication interview in MP3 format
The following is a presentation of IdentityTheftSecrets.com.
Identity Theft Secrets: Welcome back to IdentityTheftSecrets. This is Jonathan Kraft and I am here again today with Paul Herbka who is the President of the Information Systems Security Association here in Denver, Colorado; as well as the Vice President of South Seas Corporation which is headquartered in Littleton, Colorado. He is a certified Identity Theft Risk Management Specialist by the Institute of Fraud Risk Management and he holds the state contract for encryption in the State of Colorado as well as Arizona and I know you’ve spoken at a bunch of different conferences. So Paul, thank you very much for taking a few minutes with us today.
South Seas VP (on two factor authentication): Thank you and I appreciate the opportunity to get to speak with people and share some information with them. I know a lot of times people know they need different solutions or have questions about different technology that has been out there, and really need help clarifying what’s real, what’s not. Also cutting through some of the marketing hype from the different vendors, right? I mean we all know that they all say they’re Number 1 and they’re the best — and they slice, they dice, they solve every problem! We in fact know that’s not true, but there are a lot of solutions that are out there that do solve problems and so it’s good to know which ones do what and which ones work well.
Identity Theft Secrets: Right? And they were given the Winner's Choice Award for blah, blah, blah. You know, "three out of four doctors approve us" and they only interviewed four doctors who already buy their products so… (laughs).
South Seas VP (on two factor authentication): Exactly.
Identity Theft Secrets: Well, today I just wanted to take a few minutes here and talk to you about two-factor authentication. I know you know quite a bit about this and definitely some people have had some questions about it. So what is two-factor authentication?
South Seas VP (on two factor authentication): Absolutely. So two-factor authentication falls under a category of "strong" authentication. Two-factor authentication means that they have two factors, right? So it's something they have and something they know. Or it's something they are and something they know. So something they have might be like a little Smart Card or a key fob or a token which holds some information, and then something they know would be like a password or a PIN or a pass phrase to unlock that information on that Smart Card or token or what not. Or if they are using biometrics, then two-factor authentication might be something they have like their fingerprint or an iris read, an iris scan, and then a password or a PIN or something that goes with that as well. So it's just like the name implies, it's two factors, right? It's something you have or something you are and then also something you know. So that it's not just one factor. It's like a log-in and password, right? So typical credentials are a log-in and password in most places. Well, that's all just something you know and that can be stolen, that can be faked. Someone in New Zealand could take that information and pretend that they're me logging into something in New Zealand when in fact, it's not me. So by adding stronger authentication or by adding two factors to it, now not only do they have to have something that I know that might be easy to get, but they also need to have that other factor, whether it's something I have or something that I am. And that way it's much stronger authentication.
Identity Theft Secrets: So you, as a company, South Seas Corporation, talk a lot to companies about solutions they can put into place. Two-factor authentication is obviously more involved than just a simple log-in and password. When do you recommend that to companies?
South Seas VP (on two factor authentication): Well, we recommend it to companies when they have data that they need to be secure and when they have a lot of mobility for that. Because as we know, it used to be you'd put up your firewall and you locked your network and then everything inside your building was safe. You locked your front door, you locked your firewall down and you were good. Well now, as we've become a mobile environment and everyone wants to work remotely and maybe they VPN through an SSL VPN or an IPsec VPN and then tunnel in remotely. While that's a secure connection, the PC they're using to get onto that may already be owned by a rootkit or a Trojan or a botnet. And therefore if it's a hotel kiosk, or a friend's computer, or a home computer that maybe doesn't have the same security standards, now that log-in and password might be gotten and therefore it's not as secure.
If you're a larger corporation and you've got something secure, or even if you're a smaller corporation but you're in the financial world, you're in banking, you're doing payment cards or you're receiving and storing credit cards and you fall under Payment Card Industry (PCI), SOX, HIPAA, any of those, you'd want to use a stronger authentication because what we're finding is passwords just aren't good enough anymore. If you have a breach or you have an issue and you say, "well, yeah, but we had passwords," it's kind of…, gee, you didn't really use your best effort. You did kind of well, ok; and even then if you ask, "were they strong passwords or were they written down on a sticky underneath keyboards?" The answer is usually, "oops, well yeah, they might have been." And so it's harder to control that.
Identity Theft Secrets: So then you recommend if they’ve got some sort of secure information that really needs to be secured and they’ve got people connecting in through some sort of virtual connection, virtual private network so that they can actually have some sort of more robust solution for authentication.
South Seas VP (on two factor authentication): Exactly. The other example… so all those definitely… and then the other example would be someone who often logs in remotely or logs in in front of other customers. So if I have to log in and authenticate with my log-in and password, whether I'm a network administrator, or a system administrator, help-desk troubleshooter or someone that's out in the field and I'm collecting data, then they're going to see that. And if they see it over and over and over, or even like the teacher, then the student is going to pick up on it and it's not going to take long for them to find that log-in and password.
In fact, I was just told of a scam that they're using to get the PINs at a certain resort; it actually happened at multiple resorts, but this in particular happened at a resort in Mexico where they were hiring young boys to go and just learn one PIN a day from people using the ATMs and then they would have that. So that was a password and it's secure as long as no one finds it, but just by watching someone do it over and over, you're going to learn that PIN or password, so that's why they're no longer secure.
Identity Theft Secrets: That’s very interesting. So two-factor authentication would be having some sort of thumbprint scanner or retinal scan plus something you know. Who are the major players in offering solutions in this area?
South Seas VP (on two factor authentication): There are several; probably the most well-known one is RSA. In fact, they have a large security conference. But RSA Security; they were now bought by EMC. So they're part of EMC, but their own division. Then there's also another company called Aladdin, Aladdin Knowledge Systems, and their tagline is "Securing the Global Village."
So those are two of the leading ones and they provide all the different types, they’ve got the Smart Cards which look like a credit card-sized thing. It has a little Smart Card on it. Or they have the USB tokens which are Smart Cards in a USB form factor because most PCs now have a USB or multiple USB ports. Rather than having to find one with a Smart Card reader built in, they can just plug it into the USB drive and it has that encrypted Smart Card right on there and it can read it on any of those PCs.
And then they also have ones that are called OTP or One-Time Passwords and what those are used for is for remote VPN access in. So the RSA version uses a changing code that every 60 seconds changes and in that way you put that in plus your PIN, depending on how you have it configured and you get remote access. And the nice thing about it is then that code is no longer valid after sixty seconds. That code’s not valid, so even if someone watches me and writes down that code, it’s no longer good within a minute and so it makes you more secure.
So both of those companies provide those and they also have other ones that are combination tokens; where they have the Smart Card as well as the changing code or one-time password. They also have some where they’re the Smart Card and then they also have a Flash drive which is actually memory you can store in, just like a thumb drive only it can also be encrypted or it comes encrypted. So those are some cool options out there.
There are several other companies that do that; we actually work with the top five. Then there are several companies that also work with biometrics, whether it's a thumb drive or fingerprint reader or if it's an iris scan or a retinal scan. So the cool thing is there's a variety of options out there. What we find is that the easiest to use and the least expensive is actually going to be usually the USB Smart Card and/or the USB Smart Card and One-Time Password tokens, and again, you only need the one-time password piece of a token or a part of a solution if you're using that for remote SSL VPN or IPsec VPN.
Now there are some that don't require a certificate or a client or that log-in, and so some examples of that would be F5's SSL VPN product called FirePass, and that's a clientless one where all you need is the log-in and password, but again you're back to, is the client that you're using secure? So there are multiple different solutions out there and it's just a variety of what fits with you. What are you doing to protect it and what else is protected from that appliance in to your infrastructure?
Identity Theft Secrets: Sure, wow. That’s a lot of things for people to think about when they’re thinking about this. I imagine it’s kind of difficult for somebody to do this on their own.
South Seas VP (on two factor authentication): Yes and it’s funny because a lot of people call us and say, hey we just need to buy some tokens or some Smart Cards or something like that. Then when we start asking the questions, well how are you using it or why are you using it and are you using it in conjunction with this or that? You have this kind of checklist of things to go through; they realize, wow, this is bigger than I thought! And then when you add to that, that “you may want to look at certificates.”
Certificates are another type of credential like a log-in and password. Only a certificate can’t be fooled or spoofed, it’s much more secure. So I can assign certificates to people that they carry on their token and then they digitally sign email or they sign other documents or they get access to specific databases or file shares or applications based on that certificate authenticating them as saying they are who they are and they have the right credentials for it.
By putting that on a secure two-factor authentication token, you now have a secure certificate that’s being securely held and requires something they are or have with something they know before they can even unlock that certificate. So you can get very, very secure and again, is the average Joe Blow going to do this for their home computer? No. But if you fall under SOX-compliance or PCI-compliance or HIPAA-compliance, or if you have any kind of personal data that you need to protect or corporate data, or you know corporate secrets that you need to protect for development, research and development, that’s when you definitely want to use two-factor strong authentication.
Identity Theft Secrets: This is like a whole different language world. I mean I think what’s interesting … I remember having a Hotmail account back in 1996 that was in high school. And I told one of my friends, “why don’t you just email me at my hotmail address at “whatever”@hotmail.com.” And one of my friends goes, “what is that some kind of porn site?” Like they were laughing at me about hotmail. Well today, hotmail is unambiguous, everybody understands what hotmail is.
Do you see, and it sort of feels like right now the words, I mean “download” happened that way and “www” happened that way where people were … it was like this whole foreign concept and now it’s just part of our everyday language. Do you see, I mean this is sort of a side topic, but do you see “certificates” and “token” and those kinds of words becoming mainstream usage?
South Seas VP (on two factor authentication): I do. I see in the future, and the future being obviously closer because of technology and the cycles that it brings; it used to be I’d say it was 5 to 10 years out. Now it’s, I’d say 3 to 5 years out, where people are going to be carrying around a token that’ll have their security certificate on it and that’s what they’ll use for work. They may even use it for even like an example, E*TRADE uses that for their larger customers and their larger accounts because they know they need to secure that and they don’t know where the end-user is going to log-in. They realize the problem of botnets and all the other Trojans and issues that are out there and so they said, “how can we limit our risk and limit our exposure?” So I really see that people are going to be using that now for corporations, for security, for logging in.
The other cool thing about it is that this technology can be coupled or married with RFID or the ability to actually do building security, so PAC or physical access, so you can integrate it with your physical access. So now I can turn around the token that lets me into my building and then lets me into my computer. And then with that certificate it lets me log into different applications, different network components, different applications on the web. And it understands and stores all my information, so no longer is it a password that I'm carrying around; it's a token and my pass phrase that allows me to get into all these different things, now all stored on one little thing that fits on my key ring.
Identity Theft Secrets: You’ve done this with probably quite a few companies. Can you tell me about a company that’s actually been able to use a two-factor authentication solution and what it was for?
South Seas VP (on two factor authentication): Absolutely. There’s actually two examples; one is a company that had a lot of remote users and they were a retail company and they ended up having a lot of issues with lost or breached passwords and log-ins and what not. And so they decided that they wanted to use two-factor authentication and as a result they now don’t have to worry about that. If an issue is … or if a token is lost, they can just de-issue that token, issue a new token for the customer and then Fed Ex it to wherever they need to be and in the meantime they can still get into their system, if they need to, without a token. So that’s one example.
Another example is another customer who had just a bunch of people that were mobile, out in the field all of the time and their biggest problem was that they kept forgetting passwords because they had to make them so strong because they were typing them in front of customers. So now what they’ve done is they’ve made it to where they have a token and because they can just put the token in and then type in the password, it doesn’t matter if the people learn that password because without that token, it’s useless. So it really solved that issue of people fat-fingering or forgetting their password because it had to be so long and complex, by just adding the second factor of having that token, of something you have, they were actually able to make it much easier for the end-user which made the whole experience of computing and doing their work easier and smoother just by adding a simple solution.
Identity Theft Secrets: Now I hear the people who are fearing Armageddon coming (laughs) and they look at the book of Revelation in the Bible or they look at other things that have happened along the way as far as people's information becoming more secure and less secure at the same time. Because when we can be identified on one little token with information out of our mind, and well, that information that is what we are; but as we've seen in the past, both retinal scans and fingerprint scans can be faked; people become very concerned about this kind of thing. And they go, "well, if I have two-factor authentication that's great, but if that means I've got to carry around one of these little tokens, and it means that that token now becomes as valuable as if it were actually me when someone can fake my retinal scan or fake my thumbprint;" do you get much of that from people? Or I imagine the people who are calling you probably aren't in that arena, but how do you respond to those kinds of people?
South Seas VP (on two factor authentication): Well there are really three responses. The first response is as we are becoming a more connected society and a more connected world, definitely there are some of those fears whether it’s from the Logan’s Run era to the “Big Brother is watching us and do we want to give all our database information to them?” And really I’d like to say that to one extent the law is already there and this is just another way of implementing that.
If we look at social security numbers which have been around for forever it seems, right? They haven’t been, but it seems that way. With just that, I can go out and wreak havoc in someone’s life and gain those other pieces of information that are already public knowledge and wreak havoc in their life.
I would tell them to be concerned just about a token seems … I mean you could be just as concerned about having a social security number which we already all have and it’s already in databases everywhere as well. So half of me would say, you could worry about it but it’s just one more thing that you could worry about and I wouldn’t waste the time.
The other option is there are ways to make it more secure and there's always… right? It may cost more, but there are always ways to make things more secure, and within that we can also, and this is technology that is already out there and is being used, you can make this into a chip that someone shoots into your arm and just like they use it for tracking dogs now, you can use this to track humans and identify humans and store medical records and store a bunch of other things on there, and I know those are already being used today. And the whole issue of medical records being out there is another issue and that… you know, half of me says there are things we need to be concerned about, that becomes very much an issue especially with medical identity theft, but at the same time it's kind of like trying to hold back a tidal wave by putting a finger in a hole in a dam and then there are five more holes that are sprouting leaks. I'm not sure this is something that you can stop; so half of me would say don't waste your time trying to stop it. Instead, find the best solution and find the best "mousetrap" that's going to help make you secure and your information secure.
And then the last item would be — just worry about everything and try to hide. But that’s not much of a life.
Identity Theft Secrets: Right, go crawl under a rock and that might be … that’s about it!
South Seas VP (on two factor authentication): Exactly.
Identity Theft Secrets: I actually learned about a website called EscapeArtist.com. This isn’t like, for anybody listening to this, I’m not like promoting it or whatever. But Tim Ferriss recommended it in “The Four Hour Work Week,” I don’t know if he “recommended” it, but he referenced it in “The Four Hour Work Week.” And it’s a very interesting website for the people who really want to go get lost and for the people who this is really a concern for; escapeartist.com is a good place to start as a resource if you really are interested in figuring out how to live under a rock. So!
But I'm kind of with you there, Paul; I think it's unfortunate maybe that a lot of our privacy has been eroded. But it's been eroded since I've been around on the planet, you know. I was assigned a social security number at birth and all of my information has been irretrievably out there since probably the mid-80s and if not, definitely by the mid-90s with the advent of the internet and all those databases being hacked and information being posted all over the place. So I'm kind of with you, I think. Find the best solution and create it for yourself!
South Seas VP (on two factor authentication): Exactly!
Identity Theft Secrets: So tokens and certificates. What else can they be used for — going back to the topic here. Outside of medical, can you think of other applications for them like going to the hospital obviously or getting into your workplace. Can you think of other applications that might be of interest for people?
South Seas VP (on two factor authentication): Absolutely. In fact there’s a bunch of scenarios. And one of the cool things if you look at it – one of the problems and frustrations of people within IT and people that are using technology have, is that it used to be you had one password, maybe two. And now maybe you have 5 or 10. If you’re in the IT world, you have maybe 15 or 20 and they all have different times that they change and they’re for different websites and different log-ins and different accounts and different check-ups and follow-up. And the more you do online, the more accounts you have. The cool thing is you can now store all those different credentials whether it’s a certificate, a log-in and password for a specific website or application. So people that are doing online banking, this is a way to make that more secure, right?
So am I saying throw the baby out with the bath water? No! I’m just saying hey maybe you use clean water with the baby and it’s a better solution. And make it a little more secure, maybe you make it safer; maybe you make it so the baby can sit up so it’s not going drown. Whatever the solution is, make it a better solution.
But the myriad of applications out there are untouched. In fact, if you have a full PKI infrastructure within your enterprise, you can now use these tokens and your certificates for just about anything. So now, instead of having to remember 20 passwords or 30 passwords, I can remember one long pass phrase that unlocks my token and now my token is smart enough to know that on this website, here is my log-in and password which changes every 45 days. And on this other website, here is my different log-in and password, different credentials, different set of credentials. And now as I can start using certificates for them they’re more secure, they can be verified and they are much harder to fake. Right now, overall there’ll always be, they’ll learn how to fake them but then we’ll learn how to make them harder, one of those leapfrog or cat-and-mouse games where the current technology won’t be as strong as its needed and therefore they’ll come out with a newer technology. But as you do that you can continue to store on the tokens and it gives you freedom. And so now people learn one pass phrase as the human and then let the token store the 20 different pass phrases or log-ins and passwords or the certificate and log-in and password combinations that are needed for the different applications; whether it’s a secure website or a secure network share or whatever they’re trying to access.
So really when people start seeing that “wow, you mean I can carry one token and just learn one pass phrase or one password and then I can get into all these different things?” I can maybe do my online banking and I can log-in to my different accounts, I can log-in at work. I can log-in into my email and my other email, like you mentioned, my hotmail account, my email account, whatever different email accounts you have. Now they become excited about that. And so that’s really where I think it’s going to take off in the next 2-3, definitely within the next 5 years, people will be carrying around tokens on their key chains just like another type of key merely because the benefit and the use of that being able to carry around one thing and use it for multiple things – people like that.
Identity Theft Secrets: Well without question it is a “brave new world” we’re moving into — to use a literary reference in there.
South Seas VP (on two factor authentication): Yes it is.
Identity Theft Secrets: I mean it’s, I guess with or without the people who decide to participate, it’s going to happen. So I think out of this, I would say to people, just decide how you’re going to participate. Don’t let it just “happen” to you. Just decide how you’re going to participate and decide to be ok with that. Instead of just letting it happen to you; where the majority of people will probably just let it happen to them. But I think it’s really fascinating to talk about these topics and I really appreciate you taking the time to talk about two-factor authentication and how all of this kind of ties in together with everyday average users and how their lives are going to change because of it over the next 2 to 3 to 5 to 10 years for sure.
Where can people get in touch with you if they’d like to get more training or solutions for this for their companies or for themselves or installation help, anything like that?
South Seas VP (on two factor authentication): Absolutely. We’d be happy to help them whether it’s just understanding the technology or kind of wading through the different solutions out there. Or more importantly, once they’ve decided hey, here’s what we want to do, what combinations of solutions works best and is going to grow with the environment that they need?
So probably the best way to get a hold of us, we have a toll-free number: it's 1-866-794-1655. That's 1-866-794-1655. Or they can email me, Paul Herbka; my email is pherbka, p as in paul, h-e-r-b as in bravo, k-a@SouthSeasCorp.com. So that's South and then seas, like the 7 seas, Corp dot com. So pherbka@SouthSeasCorp.com or 1-866-794-1655. Again, we'd love to help them just understand the different options out there. And again we help with implementations and trainings nationwide. We've also done a few worldwide roll-outs; but for the most part, we work within the United States. Again, we are headquartered in Colorado and would love to help anyone looking at two-factor authentication.
Identity Theft Secrets: And if they mention they heard about it at IdentityTheftSecrets at least you’ll know what base they’re starting from.
South Seas VP (on two factor authentication): In fact, we will give them a discount, I can offer them a 2% discount …
Identity Theft Secrets: That’s nice!
South Seas VP (on two factor authentication): Yeah! If they mention that they heard about this on your website, we can give them a 2% discount. They will have to mention that upfront and make it clear. So if we’re already working with customers and then they come across this, it’s too late. But if they mention that upfront, we can certainly help them with that.
Identity Theft Secrets: Wow, that’s great! I didn’t even know we could do that. Nifty!
South Seas VP (on two factor authentication): Absolutely, anything for you and your customers.
Identity Theft Secrets: Well just user base really, I don’t really even have any customers through the site but a very good, active group of people who are very interested in helping protect people in this space. So obviously we’re adding you to the mix and I really appreciate your knowledge and you taking the time to talk with us about two-factor authentication again.
This has been an audio interview with IdentityTheftSecrets.com. We can be found online at www.i-d-e-n-t-i-t-y-t-h-e-f-t-s-e-c-r-e-t-s.com. IdentityTheftSecrets.com.