Single-factor authentication is doomed: Fortinet

AvantiKumar | June 12, 2013
Using multi-factor authentication provides another layer of protection to any current infrastructure, says Fortinet's Malaysia-based Southeast Asia & Hong Kong technical director, Eric Chan.

Photo - Eric Chan - Fortinet's Regional Technical Director for Southeast Asia & Hong Kong


Networking security provider Fortinet is urging enterprises in Malaysia and Southeast Asia to move to multi-factor rather than single-factor authentication, which it believes is easily cracked.

"In the early days of Internet authentication, plain text passwords were often sufficient, as the number of threat vectors was minimal and processing horsepower and password repositories weren't readily available to just anyone," said Fortinet's FortiGuard Labs security strategist and threat researcher, Richard Henderson.

"As newer password cracking tools, faster processors and always-on Internet connections arrived, plain text passwords started to come under fire. With the advent of cloud cracking services, such as Cloud Cracker, which leverages the power of distributed computing, 300 million password attempts can be made in as few as 20 minutes for around US$17. As such, even a strong, encrypted password can be cracked with a little patience," said Henderson.

"At Fortinet, we believe the best way to keep a network and its end-users safe is to leverage technologies like two-factor authentication as part of a multi-layered security strategy," said Fortinet's Malaysia-based regional technical director, Southeast Asia & Hong Kong, Eric Chan.

"Adding two-factor authentication provides another layer of solid protection on top of any current security infrastructure," said Chan, adding that researchers at Fortinet's FortiGuard Labs published a report that predicted a marked increase in businesses migrating to two-factor authentication in 2013.

Recently, companies such as Amazon, Apple, Dropbox, eBay, Facebook, Google and Microsoft have adopted two-factor authentication.

Multi-factor authentication market growth

According to TechNavio, the global two-factor authentication market is expected to grow 20.8 percent between 2011 and 2015, while Markets and Markets forecast that the multi-factor authentication market will reach US$5.45 billion by 2017, said Chan.

Two-factor authentication, also referred to as multi-factor authentication, strong authentication and two-step verification, consists of two of the following three methods of authentication:

- Something a user "knows": This can be a password, challenge question or finger swipe movement over the face of a mobile device. This is commonly known as a knowledge factor.

- Something a user "has": This can be a small hardware device, such as a smart card, USB key fob or keychain dongle, or a smartphone token, which generates a unique one-time password that is sent to, or generated by, an application on the user's mobile phone. This is known as a possession factor.

- Something a user "is": This typically involves a biometric reader that validates something uniquely personal, such as a fingerprint, iris or voice. This type of authentication is known as an inherence factor.

Fortinet's advice is that while two-factor authentication can offer greater protection, there are two types of attacks (masquerade and session hijacking) that can undermine any type of authentication. A masquerade attack is exactly what it sounds like: an attack that is able to assume a falsely claimed digital identity and thus bypass the authentication mechanism. Session hijacking, also known as TCP session hijacking, happens when an attacker surreptitiously obtains a session ID and takes control of an already authenticated session.
