Data Security through Multifactor Authentication

Leaving data unprotected can compromise your finances, put critical information at risk, and even damage your online reputation. Increasingly, companies are turning to multifactor authentication security options to secure critical data.


Multifactor authentication means that a computer system, application, or file requires at least two separate and independent login credentials before it grants access. One of the credentials is usually a password, and another can be something as simple as an online code sent to a registered cell phone, a physical object like a security token (a USB drive loaded with login information, for example), or a smartcard such as an ATM card. Other examples of login credentials are biometrics: unique identifiers like thumbprints and irises, which can be scanned.

The importance of using multifactor authentication and other security measures was reaffirmed last month when a hacker gained access to Wired and Gizmodo writer Mat Honan’s Apple account, deleting all of the data on Mat’s iPhone, iPad, and MacBook, and then posing as Honan on Twitter.

Surprisingly, the hacker didn’t use sophisticated hacking tools and technologies to gain access to these accounts; he simply got in touch with customer service representatives from Amazon and Apple. The hacker had found Honan’s email address and billing address online, and used that information to access his Amazon account. The hacker could then see the last four digits of all credit cards on file. Pretending to be Honan, the hacker then called AppleCare and asked them to reset the passwords to his iCloud account using just Honan’s billing address and the last four digits of his credit card as verification. Because Honan’s accounts were linked together, the hacker was then able to delete years of photos, emails, and other data, as well as post offensive messages on Twitter under Honan’s name.

Honan takes the blame for leaving his online life unsecured, admitting that multifactor authentication, also known as two-factor authentication, could have protected his accounts.

“In many ways, this was all my fault,” Honan wrote in a Wired.com article about the incident. “Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened….”


Multifactor authentication is becoming a common tool to protect both personal data and data collected by companies and government organizations. Google released a multifactor authentication option in 2011. Users first log into Gmail with a password; a code is then sent to their cell phone, and they type it in to access their email account.

In the public safety world, CJIS (Criminal Justice Information Systems) Security Policy 5.0 requires that agencies use multifactor authentication on vulnerable computers—like those in substations and patrol cars—to help guard against attacks and information leaks.

Spillman offers a new software and hardware component designed to help agencies meet CJIS Security Policy 5.0 and protect sensitive data through options like multifactor authentication. Spillman PassKey enables agencies to manage security options for specific computers and users and keep a record of users who try to log in to the system. Agencies can also choose to require multifactor authentication before a user can log into the system from a vulnerable computer. If an agency enables multifactor authentication, users must insert an authorized USB drive into the computer before a login can be completed.

By enabling multifactor authentication on his Gmail account, Mr. Honan may have been able to slow and possibly stop the damage that the hacker was able to do. What we can do is learn from this attack and take steps, such as utilizing multifactor authentication, to better protect the information we are responsible for in our private and professional lives.