
Three great alternatives to two-factor authentication via text-message

Christina DesMarais | June 3, 2013
Asking customers or employees to pull out their phones and input a code every time they want to log onto your site is too much friction.

After a series of high-profile hackings, Twitter last week finally joined the likes of Google and Facebook and introduced two-factor authentication. Users opting to use the new security tool must now enter a code they receive via a text message sent to their cell phones each time they log into the microblogging service.

While Twitter's decision to provide account holders with two-factor authentication is good news—especially considering the string of news organizations and big brands such as Jeep and Burger King that have been hacked in recent months—some experts warn that it won't be enough to prevent the hijacking of high-profile accounts.

For one thing, the new security option isn't likely to help organizations that have many staff members posting to a single Twitter account; obviously, they don't all use the same mobile phone. It also won't protect users from man-in-the-middle attacks in which a user is lured to a fake Twitter login page and enters his or her login credentials along with the six-digit two-factor authentication code, handing a bad guy entry to the account.

For brands, a hacked Twitter account can be disastrous. It's not only costly to shut down an account and extricate it from a hacker's control, but there are also customer relations and reputation management concerns to consider. Stock prices can even take a beating, as they did in April when the Associated Press's account was breached and hackers tweeted about explosions at the White House.

The good news is that SMS codes sent to mobile phones are far from the only way you can use two-factor authentication to protect your brand. Here are three other good options to consider.

Hardware Token: The YubiKey
The YubiKey, made by a Swedish-American company called Yubico, is a small piece of hardware that looks like a USB stick and that your customers or employees plug into their computer's USB port. Each time a user logs onto your website or system, they must push a button on the YubiKey to generate a one-time password validating that the person is who they say they are. Yubico also makes a near-field communication (NFC) variant of the device called the YubiKey NEO, which enables contactless communication for securing NFC-enabled mobile devices.

Scads of high-profile companies are equipping employees, users and customers with YubiKeys, including Google, Microsoft, the U.S. Department of Defense and the government of Turkey. Yubico is also partnering with several single sign-on services, including OneLogin and Clavid, so that the YubiKey can work across dozens of services including Adobe, Salesforce, LinkedIn and more. It also works with password managers such as LastPass, PasswordSafe and Passpack. In fact, the company says more than one million users in 120 countries are using the hardware token.
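What "validating" a YubiKey button press means on the server side, as an added example that is not Yubico's own code: it follows the published Yubico OTP format (modhex encoding, an AES-128-encrypted 16-byte token, per-key counters) and shows why a password the key has already emitted cannot be accepted a second time. The AES key, private uid and public ID below are constructed values, and makeOTP only stands in for the physical key; in practice most sites delegate this check to YubiCloud or a self-hosted validation server rather than hold the AES keys themselves.

```go
package main

import ("bytes"; "crypto/aes"; "encoding/binary"; "errors"; "strings")

const modhex = "cbdefghijklnrtuv" // YubiKey's keyboard-layout-neutral hex alphabet
// Key is what a validation server keeps per YubiKey: AES key, private uid and the
// last accepted (session, use) counters; an OTP whose counters do not advance is a replay.
type Key struct{ AES, UID []byte; Session uint16; Use uint8 }
// crc16 is the reflected CRC-16 (poly 0x8408, init 0xffff) the key stores, inverted, in token bytes 14-15.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			if crc&1 == 1 { crc = (crc >> 1) ^ 0x8408 } else { crc >>= 1 }
		}
	}
	return crc
}

// Verify checks a 44-char Yubico OTP: 12 modhex chars of public ID, then 16 AES-128-encrypted
// bytes laid out as uid(6) | session ctr(2, LE) | timestamp(3) | use ctr(1) | random(2) | crc(2).
func Verify(keys map[string]*Key, otp string) error {
	if len(otp) != 44 { return errors.New("otp must be 44 modhex characters") }
	k, ok := keys[otp[:12]]
	if !ok { return errors.New("unknown public id") }
	tok := make([]byte, 16)
	for i, ch := range []byte(otp[12:]) { // modhex-decode the ciphertext into tok
		v := strings.IndexByte(modhex, ch)
		if v < 0 { return errors.New("bad modhex character") }
		tok[i/2] = tok[i/2]<<4 | byte(v)
	}
	blk, err := aes.NewCipher(k.AES); if err != nil { return err }
	blk.Decrypt(tok, tok) // a single block, so plain ECB, decrypted in place
	if crc16(tok) != 0xf0b8 { return errors.New("crc mismatch: wrong key or corrupt otp") } // residue of a good inverted CRC
	if !bytes.Equal(tok[:6], k.UID) { return errors.New("private uid mismatch") }
	session, use := binary.LittleEndian.Uint16(tok[6:8])&0x7fff, tok[11] // top counter bit is a flag
	if session < k.Session || (session == k.Session && use <= k.Use) { return errors.New("replay: counters did not advance") }
	k.Session, k.Use = session, use // remember the high-water mark for this key
	return nil
}

// makeOTP stands in for the key's button press in this demo (constructed input): same layout, inverted CRC, then AES.
func makeOTP(k *Key, publicID string, session uint16, use uint8) string {
	tok := make([]byte, 16)
	copy(tok, k.UID); binary.LittleEndian.PutUint16(tok[6:], session); tok[11] = use
	binary.LittleEndian.PutUint16(tok[14:], ^crc16(tok[:14]))
	blk, _ := aes.NewCipher(k.AES); blk.Encrypt(tok, tok)
	out := []byte(publicID)
	for _, c := range tok { out = append(out, modhex[c>>4], modhex[c&0xf]) }
	return string(out)
}
```

The counter check is what makes the password one-time: an OTP captured from the keyboard is worthless once the key's next press has been accepted, though, as with SMS codes, a fresh OTP relayed through a fake login page in real time still works.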
