Many people have a great deal of faith in the security of their desktop computers and operating systems. But there is a constant stream of evidence that shows that this faith is unfounded. Take some time and read about what is contained in your operating system’s next update. How many ‘patch Tuesdays’ have gone by without a security update? It’s terrific that the operating system vendors have been investing in creating those patches, but keep in mind that at any given time there are entire categories of vulnerabilities in your operating system that attackers know about. If you are being targeted, you can be successfully attacked. In March, eight groups of security researchers at the Pwn2Own contest earned a total of $850,000 by publicly hacking just about every major browser technology. Do you browse the Web or read PDF files?
There is a very high probability that the technology you use was compromised during this competition. Thankfully, many patches for these vulnerabilities have been released, but that’s not the point. At any given time, these researchers are aware of other unreleased vulnerabilities. And so are the criminal organizations. So, if we can’t completely trust our desktop operating systems, what can we do? You probably use social media sites that have implemented two-step verification. Twitter’s implementation uses its mobile app to authenticate when you sign in from a new computer. Google Authenticator is a mobile app that issues a short-lived, one-time passcode that is used as a second factor during authentication.
There are other examples, and most use smartphones to strengthen authentication. This is a very good trend. When you are considering second-factor authentication technologies, be sure to match the strength of the technology to the risk level of the resource you are trying to protect. In a corporate environment, the need for second-factor authentication is even more pressing. In almost any environment of real complexity, you may need to keep legacy authentication systems running alongside stronger modern authentication. Matching authentication strength to risk is also a matter of efficiency: not every resource warrants the strongest factor. The ability to scale and manage the identities being protected is an important consideration, and this is where identity management systems are vital. If the authentication technique is hard to use, your users may not adopt it. Smartphones can play a strong role as either soft tokens or mobile smart credentials. Strong security and easier usability can be delivered together.