






Two-factor authentication with Security Key

By Dean Wiech

Google recently introduced a new login technique that uses a USB stick to provide even
stronger protection for particularly security-sensitive individuals. And it’s not just any USB stick:
the company claims it will replace the use of the traditional password and username to log in to a
system. The so-called Google Security Key is a physical USB second factor that only works after
verifying that the login site is truly a Google website, not a fake site pretending to be Google. Rather
than typing a code, the user inserts the Security Key into the computer’s USB port and taps it when
prompted in Chrome.

To facilitate this, Google supports the U2F standard, a multi-factor authentication technique
intended to offer users enhanced security. Multi-factor or two-factor authentication involves logging
in with something you know (password), and something you own (a smartphone, token, biometrics
or USB stick). For instance, users could use a password to log in; they then receive a four-digit
code on their mobile phones that they are prompted to input. Google’s Security Key works
on the same principle, but slightly differently. It eliminates the possibility of phishing, a risk
that is still present with verification codes received on a smartphone.
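
The origin check that makes this phishing-resistant, sketched from the relying party's side. This is an added example, not code from Google or from the author; the origin names are constructed, and HMAC stands in for the token's ECDSA signature so that it runs with the Python standard library alone.

```python
import hashlib, hmac, json, os, struct

APP_ID = "https://accounts.example.test"  # constructed relying-party origin (assumption)
DEVICE_KEY = os.urandom(32)               # stand-in for the key pair created at registration

def sha256(data):
    return hashlib.sha256(data).digest()

def token_sign(app_id, client_data, counter):
    # U2F signs: SHA-256(appId) || user-presence byte || 4-byte counter || SHA-256(clientData).
    msg = sha256(app_id.encode()) + b"\x01" + struct.pack(">I", counter) + sha256(client_data)
    # Assumption: HMAC replaces the token's ECDSA P-256 signature to stay stdlib-only.
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).digest()

def browser_assertion(page_origin, challenge, counter):
    # The browser, not the page, writes the requesting origin into clientData.
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": page_origin}).encode()
    return client_data, token_sign(page_origin, client_data, counter)

def rp_verify(client_data, signature, counter, issued_challenge, last_counter):
    # Relying-party checks; returns (accepted, reason).
    data = json.loads(client_data)
    if data.get("typ") != "navigator.id.getAssertion":
        return False, "wrong type"
    if data.get("origin") != APP_ID:
        return False, "origin mismatch"
    if data.get("challenge") != issued_challenge:
        return False, "unknown challenge"
    if not hmac.compare_digest(token_sign(APP_ID, client_data, counter), signature):
        return False, "bad signature"
    if counter <= last_counter:
        return False, "counter replay"
    return True, "ok"

if __name__ == "__main__":
    challenge = os.urandom(16).hex()  # issued by the relying party for this login
    for origin in (APP_ID, "https://accounts.example-login.test"):  # second is a look-alike
        cd, sig = browser_assertion(origin, challenge, counter=8)
        print(origin, rp_verify(cd, sig, 8, challenge, last_counter=7))
```

A four-digit code typed into a look-alike page carries no record of where it was typed, which is why the same relay succeeds against SMS codes and fails here.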

However, another, perhaps easier, form of two-factor authentication is to log in using a combination
of an access badge and a PIN code. Many companies offer their employees access to their
premises with an access badge, which can be conveniently used for login procedures, but also for
self-service printing or payment in the company’s restaurant. After placing the access badge on a
card reader and entering a PIN code, users gain access to the network. Since they already have the
badge in their possession, in my view, it would be easier to use this login technique rather than
provide employees with yet another device, in this case in the shape of a USB stick;
doing so only means they will have one more “device” to manage.

If organizations combine the access badge/PIN code approach with single sign-on at the point of
login, employees and the organization are assured of a secure and user-friendly experience at the same
time. Why? Because a single sign-on solution enables end users to log in just once, after which
access is granted automatically to all of their authorized applications. If you want to facilitate a
secure login, SSO can be used as a medium of exchange for your end users.

Regarding card readers, you may say: But card readers are also additional hardware. And
you would be right. In fact, a card reader is also a USB device, one that gives employees the ability to
use their access badge as an additional authentication factor. However, the benefit that a card
reader has over a USB stick is that the card reader does not have to support any type of encryption,
meaning it cannot be hacked.

About the Author

Dean Wiech is managing director of Tools4ever, a global supplier of
access and identity management solutions.








68 Cyber Warnings E-Magazine – February 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
