Passwords Are Dead: A New Era of Two-Factor Verification

Source: Internet
Author: User

At the beginning of this year, a well-known cloud note-taking software vendor reported that its data had been stolen, forcing the company to reset the passwords of 50 million users and urgently notify them to set new passwords. The company subsequently announced that it would adopt double authentication (two-factor authentication) to protect user data.

Other companies that have changed their verification methods include Amazon, Apple, Dropbox, eBay, Facebook, Google, and Microsoft. According to a TechNavio survey, the global two-factor verification market is expected to grow 20.8% from 2011 to 2015; a MarketsandMarkets research report states that the multi-factor verification market will reach $5.4 billion in 50 million. In addition, Fortinet's own two-factor verification product, FortiAuthenticator, has recently seen three-digit growth. These signs show that a new era of two-factor verification has arrived.

Single-factor verification is out of date.

Why is single-factor verification outdated? In the past, network attacks were not as diverse as they are today, and processors were not powerful enough to matter. Today, cyber criminals have more sophisticated password-cracking tools and extremely powerful processors. Most importantly, computers connected to the Internet are everywhere, 24 hours a day. Together, these make the traditional plain-text password very easy to attack.

In addition, with the emergence of cloud password-cracking services (such as Cloud Cracker, which uses distributed computing), it takes less than 20 minutes to try 3 million password guesses, and it costs only 17 US dollars. This means that even a long, hashed password can be cracked with only a little patience.

There are currently four ways of storing passwords, and none of them is impeccable:

1. Plaintext: this storage method is very dangerous, because a hacker only needs to steal the plaintext password file to read the passwords of every user on the server at once. The Australian Tax Office (ATO), the British Government Communications Headquarters (GCHQ) and the retailer Tesco have all suffered data theft and eventually admitted that passwords were stored in plaintext.

2. Basic hashing: this method stores each password as a hash value, using a function such as MD5 or SHA-1. However, if the hash file is stolen, it is not much safer than a plaintext file. CPU speed keeps increasing, and new password-cracking software is ever easier to obtain. In addition, table-based attacks using lookup tables and rainbow tables (a precomputed data structure) mean that unlocking a file of unsalted hashes is only a matter of time, depending on the computing resources available.

3. Salted hashing: this method adds a random string to each password before hashing it. The stored value no longer corresponds directly to the password, so a hacker cannot simply look it up in a precomputed table (this is known as a salted hash). A salted hash is certainly not foolproof: if the "salt" is too short, or the same salt has been used for every password, the hashes may still be cracked easily.

4. Multiple rounds: this refers to re-hashing the already-hashed value, also called stretching, so that a password is hashed many times over. Whether this method enhances security is still debated.

In the short term, a salted or stretched hash is more secure than plaintext or a single unsalted hash. However, against today's extremely powerful CPUs the question is only when a hash will be cracked, not which hashing method will be cracked. We must understand that, given enough time and computing resources, no storage method is absolutely safe.

Adding another verification factor

Two-factor verification is also called multi-factor or two-step verification. It combines two of the following three types of verification factor:

1. Something a user knows: this can be a password, a pre-set security question, or an unlock pattern swiped on a mobile phone. It is usually called the "knowledge factor".

2. Something a user has: this can be a small hardware device, such as a smart card, a USB dongle, or a token app on a smartphone. These generate unique one-time passwords, typically generated by or transmitted to an application on the user's mobile phone, and are considered the "possession factor".

3. Something a user is: this usually requires a biometric identification device that detects a physical characteristic of a person, such as a fingerprint, the iris, or the voice. This type of verification factor is called the "inherence factor".

At present there are many two-factor verification methods on the market, including a second password, smart cards, mobile phone or hardware tokens, and a wide range of biometric identification technologies, each with its own advantages and disadvantages. For example, a second password or PIN based on the knowledge factor is convenient, but if it is simple it is insecure, and if it is complex it is easy to forget. It is also easy to crack, or to steal with a keylogger.

Smart cards, mobile phones, and hardware tokens are more secure than a password and are not easy for hackers to crack, but the device must be at hand at login, different websites (or services) may each require a different card or token, and cards and tokens can be lost or stolen. Biometrics, the inherence factor, are divided into two types: physiological characteristics and behavioral characteristics. Physiological characteristics include fingerprint, face, iris, retina, and hand scans; behavioral characteristics mainly include speech and handwriting. The advantage of biometrics is that you need neither remember a password nor carry an additional object. However, because the reading must be compared against a stored sample file, problems arise if the sample file is damaged or the device's identification is not accurate enough.

Implementing two-factor verification

Using multi-factor verification to protect sensitive data is the best strategy for ensuring data security and integrity. However, when pairing methods, there is no guarantee that any two methods will suit a given purpose.

It should be clear that although two-factor verification provides a high level of protection, two types of attack (masquerade attacks and session hijacking) can still defeat any type of verification.

When planning a verification policy, remember that some types of two-factor verification are significantly more secure than others. Sometimes even a single factor, such as a fingerprint scan, may be more secure because of its inherent properties than some two-factor combinations.

Factors to consider before implementing two-factor verification:

Ease of use: how much effort does daily operation take, how much training do IT staff need, and how long does initial setup of the application take?

Integration with existing software platforms: does it fit the existing architecture, or is it an uninvited guest? Is any custom software development required?

Security/compliance: are there any regulations in your industry that apply?

Security of the tool itself: is the cryptographic algorithm strong enough?

Supplier support: can the supplier of the selected product provide assistance?

Cost: the average cost per user, plus maintenance and after-sales support.

Scalability: can it grow with the organization?
