Secure IT Foundation

Secure Passwords #3 – Two factor authentication

Posted on: September 12, 2009

In the first part of this blog we told you about the history of password, the second part we explained how to create a secure password. The third part of this trilogy is to explain how to improve your security by using something you know i.e. a password, with something you have i.e. a token, dongle, USB stick, fingerprint reader etc. This is called two factor authentication. Although not foolproof it is more secure as the bad guys need more than just your password. Normally it means he must steal your two factor token so must know where you live and be able to get access. This geographic side of two factor authentication means the bad guys can’t use your computer, access your passwords or use your banking information (if you live in NL) without being in the same geographic space as you.

So what two factor authentication should I use?

Online

We already recommend you use software called ‘LastPass‘ to store all your passwords when online. To make this even better there are two options to add two factor authentication. First they allow you to use any USB stick to store a special file on it. After you enter your password to LastPass then it requires the USB stick to be inserted to prove it really is you. Their second option is to combine the two factor authentication using a Yubikey which gives a code when inserted into your USB slot that LastPass can read to prove it is you. The Yubikey is more secure than just a USB stick as the token cannot be copied so easily, but either method is better than just using a password on its own.

Offline

To logon to your Windows computer you cannot use an Internet based solution for two factor authentication. For local access using a password and a token, then you need a different approach.

If you already have encrypted your hard drive using TrueCrypt then you have done half the work. It is possible to add a USB stick storing a special file to prove it is you, to the TrueCrypt settings. See the guide here. It is even possible to tie it to a smartcard but this can become an expensive option if you have many users.

Windows for home computers can be converted to use two factor authentication, like many big companies who use smart cards or token, using the Rohos software product, which works with many device types or just an ordinary USB stick. It is a matter of personal preference if you like to use a USB stick with TrueCrypt plus a different method with a Rohos device for the ultimate in dual two factor authentication, but personally the TrueCrypt with password and USB stick is the simplest. It keeps your hard drive encrypted and provides secure pre boot authentication.

Another popular method is to use fingerprints. Many laptops have fingerprint readers built in to them, and the manufacturers offer various forms of software to make the most of it. Also you can buy USB based fingerprint readers like the DigitalPersona U.areU. devices. Problem with fingerprints is in the situation if you were forced to hand over your computer accounts to a bad guy.

If you have read the Home Computer Policy then you will have all your computer and password manager accounts written down on one piece of paper, stored safely. If you are forced by a bad guy to hand over your passwords then you can give them the piece of paper, without the shock of the bad guys affecting your memory, and hopefully they leave. If you then tell them you have a fingerprint based solution they will need your fingers. Worst case you will be going with them to provide the access at their safe location and then you will be surplus to requirements and know too much about the bad guys… or best case just fingerless. Better to give out the information and enable the bad guys to make a clean exit then becoming a problem to them. Changing your passwords to online information is easily done before they can use the information, so the only loss would be the information on the hard drive. As long as you have a recent backup of your computer then the damage will be limited in scope and the risk will be known.

No solution is perfect or unbreakable despite many media claims. There is always a human involved! So use simple two factor authentication with a USB stick containing your TrueCrypt pass file, plus a strong password. You will be more secure than most but without the expensive of becoming MI6 or the CIA.

SB

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


  • None
  • Coldwind: Couldn't agree more. I downloaded a piece of software just now, disabled the 'toolbar' 'offer' (which fortunately for me has become a reflex); but co
  • ModemJunki: I only discovered this today - I had updated the firmware to the latest out of habit, and I could STILL access my TrendNet cams on the local network w
  • PrentOS – a Simple Secure Computer « Secure IT Foundation: [...] September 2010 we said it was time for a brand new start to computing, well it is starting to take shape… [...]

Categories

%d bloggers like this: