Two-Factor Authentication: Still Necessary

Among my other technology-related interests, I follow the security world pretty closely. I've written before about the benefits of using multi-factor authentication with Microsoft Exchange Server (here's one example: "Two-Factor Exchange Server Authentication with PhoneFactor"), and I firmly believe that the best course of action for organizations of all sizes is to move away from systems that require traditional stored passwords.

Last week, the security world was rocked by a disclosure from RSA (now a division of EMC). RSA announced that it's been under attack by an Advanced Persistent Threat (APT), a sophisticated mix of malware that's surpassingly difficult to get rid of. Other major companies have undergone APT attacks, including Google, Chevron, and Halliburton. These attacks have in common that the attackers are well-funded and sophisticated, and they focus on stealing information with commercial value. (There's a lot of evidence linking APT attacks with China, but that's a topic for another column.)

RSA hasn't disclosed all the details of the attack, or of what information was exposed. One troublesome possibility is that the attackers might have stolen the seed codes used to synchronize RSA SecurID tokens. If that's the case, the attackers could create fake tokens for targeted networks and use them to mount further attacks. For obvious reasons, RSA isn't saying publicly one way or another whether this is the case, but I think it's a safe assumption at this point.

The RSA APT attack calls into question whether two-factor authentication is still valuable. The answer, I think, is still a solid yes. Reusable passwords are much easier to compromise through nontechnical means, such as bribery, coercion, or social engineering. Of course, the biggest risk of reusable passwords is that the owner will write them down or otherwise make them available. Add that to the risk caused by users who use the same password for critical and noncritical systems, and you have a large potential for problems.

The question now becomes what second factor you should be using with Exchange Server. I'm a big fan of certificate-based authentication for mobile devices, and I'd like to see additional deployment of certificates as an authentication method to help mitigate the threat of lost or stolen passwords or mobile devices. I have long advocated the widespread use of smart cards, too, although they pose challenges around public key infrastructure (PKI) and smart card deployment. In particular, one drawback of requiring smart cards for network access is that only machines that have smart card readers can be used, rendering web-based applications such as SharePoint and Outlook Web App (OWA) much less useful because authorized users are restricted to using them on reader-equipped computers. This limitation might actually be perceived as a benefit in some quarters, though, since it cuts down on the likelihood that users will access sensitive systems from cybercafés and other potentially insecure systems.

There's a lot more to say about the risks of APTs as they apply to email systems, so I'll be returning to this topic in future UPDATE columns. In the meantime, make sure that you're up-to-date on patches. In particular, I strongly recommend disabling Adobe Flash per Adobe's own recommendation—see "Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat."

Related Reading:

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.