Tuesday, June 11, 2013

Fortinet Advocates Two-Factor Authentication Best Practices Amidst Escalating Password Security Breaches

Global two-factor authentication market is forecasted to grow 20.8 percent

MALAYSIA, 11 June 2013 − With a recent surge in processing power and the ability to outsource password cracking to the cloud, password-only authentication is no longer sufficient to secure your critical data. Recently, researchers at Fortinet’s FortiGuard Labs published a report that predicted a marked increase in businesses migrating to two-factor authentication in 2013. Companies such as Amazon, Apple, Dropbox, eBay, Facebook, Google and Microsoft have recently adopted two-factor authentication as a better means of securing their users’ data. According to TechNavio, the global two-factor authentication market is expected to grow 20.8 percent between 2011 and 2015, while Markets and Markets forecasts that the multi-factor authentication market will reach US$5.45 billion by 2017.

Why Single Factor Authentication is Doomed
“In the early days of Internet authentication, plain text passwords were often sufficient, as the number of threat vectors was minimal and processing horsepower and password repositories weren’t readily available to just anyone,” said Richard Henderson, security strategist and threat researcher for Fortinet’s FortiGuard Labs. “As newer password cracking tools, faster processors and always-on Internet connections arrived, plain text passwords started to come under fire. With the advent of cloud cracking services, such as Cloud Cracker, which leverages the power of distributed computing, 300 million password attempts can be made in as few as 20 minutes for around US$17. As such, even a strong, encrypted password can be cracked with a little patience.”

Two-Factor Authentication Best Practices
Protecting sensitive data online by using multiple factors of authentication is the best policy for ensuring the safety and integrity of data. However, when matching authentication methods to a user’s needs, don’t assume that any two methods will work for that particular purpose.

Two-factor authentication, also referred to as multi-factor authentication, strong authentication and 2-step verification, consists of two of the following three methods of authentication:

• Something a user “knows”: This can be a password, challenge question or finger swipe movement over the face of a mobile device. This is commonly known as a knowledge factor.

• Something a user “has”: This can be a small hardware device, such as a smart card, USB key fob or keychain dongle, or a smartphone token, that is, an application on the user’s mobile phone that generates (or receives) a unique one-time password. This is known as a possession factor.

• Something a user “is”: This typically involves a biometric reader that validates a uniquely personal trait, such as a fingerprint, iris or voice. This type of authentication is known as an inherence factor.

While two-factor authentication can offer greater protection, there are two types of attacks (masquerade and session hijacking) that can undermine any type of authentication. A masquerade attack is exactly what it sounds like: an attack that assumes a falsely claimed digital identity and thus bypasses the authentication mechanism. Session hijacking, also known as TCP session hijacking, happens when an attacker surreptitiously obtains a session ID and takes control of an already authenticated session. Keep in mind that given enough time and resources, no type of password encryption is infallible.

“At Fortinet, we believe the best way to keep a network and its end-users safe is to leverage technologies like two-factor authentication as part of a multi-layered security strategy. Adding two-factor authentication provides another layer of solid protection on top of any current security infrastructure,” said Eric Chan, Fortinet’s Regional Technical Director, Southeast Asia and Hong Kong.



MALAYSIA, 11 June 2013 -- With increased processing power and the ability to outsource password cracking to the cloud, password-only authentication is no longer sufficient to protect your critical data. Recently, researchers at Fortinet’s FortiGuard Labs published a report predicting a marked increase in businesses migrating to two-factor authentication in 2013. Many companies, such as Amazon, Apple, Dropbox, eBay, Facebook, Google and Microsoft, have recently made the transition to two-factor authentication as a better way of protecting their users’ data. According to the research firm TechNavio, the global two-factor authentication market is expected to grow 20.8% between 2011 and 2015, while Markets and Markets forecasts that the multi-factor authentication market will reach US$5.45 billion by 2017.

“In the early days of Internet authentication, plain text passwords were usually sufficient; at that time the number of threat vectors was small, and processing horsepower and password repositories were not something just anyone could freely access,” said Richard Henderson, security strategist and threat researcher at Fortinet’s FortiGuard Labs. “The steady arrival of password cracking tools, faster processors and always-on Internet connections has put plain text passwords under heavy attack. With the emergence of cloud cracking services such as Cloud Cracker, which harnesses the power of distributed computing, 300 million password attempts can be set up in as little as 20 minutes for just US$17, which means that with a little patience even a strong, encrypted password can be cracked.”



• Something the user “knows”: This can be a password, a challenge question, or a finger-swipe gesture across the surface of a mobile device. This is commonly called the “knowledge factor”.

• Something the user “has”: This can be a unique one-time password generated by a small hardware device, sent to a mobile phone or generated by an application on the user’s mobile phone, for example a smart card, USB key fob, keychain dongle or smartphone token. This is called the “possession factor”.

• Something the user “is”: This typically involves a biometric reader that detects and identifies the individual, for example by fingerprint, iris or voice. This type of authentication is called the “inherence factor”.

While two-factor authentication can offer better protection, there are two types of attack (masquerade attacks and session hijacking) that can still undermine any type of authentication. A masquerade attack is one in which a falsely claimed digital identity is assumed in order to bypass the authentication mechanism. When session hijacking (TCP session hijacking) occurs, the attacker improperly obtains a session ID and takes control of an already authenticated session. Remember that, given enough time and resources, no type of password encryption is infallible.

“At Fortinet, we believe the best way to protect networks and end users is to make good use of technologies such as two-factor authentication as part of a multi-layered security strategy. Two-factor authentication provides another layer of reliable protection on top of any existing security infrastructure,” said Eric Chan, Fortinet’s Regional Technical Director for Southeast Asia and Hong Kong.
