Two-factor authentication has been around for years, but the recent addition of this security feature to cloud services from Google and Dropbox has drawn widespread attention. The Dropbox offering came just two months after a well-publicized security breach at its online file-sharing service.
Exactly What Is Two-Factor Authentication?
Of course, most online applications require a user name and password in order to log on. Much has been written about the importance of managing your passwords carefully. However, simple password protection only goes so far.
Two-factor authentication involves not only something the user knows, such as a password, but also something that only the user has. An intruder can no longer gain access to the system simply by illicitly obtaining your password. Common examples include:
- ATM Cards: These are perhaps the most widely used two-factor authentication devices. The user must both insert the card and enter a password in order to access the ATM.
- Tokens: The use of tokens has increased substantially in recent years. Most of these are time-based tokens: a key-sized plastic device with a screen that displays a continually changing security code. The user must enter not only their password, but also the security code from the token. Tokens have been popular with sensitive applications such as on-line bank and
- Smart Cards: These function similarly to ATM cards, but are used in a wider variety of applications. Unlike most ATM cards, smart cards have an embedded microprocessor for added security.
- Smart Phones: The proliferation of smart phones has provided the perfect impetus to expand two-factor authentication to widely used internet applications in the cloud. In these cases, users must enter not only a password, but also a security code from their phone or other mobile device. This code can be sent to a phone by the service provider as an SMS text message or generated on a smartphone using a mobile authenticator app. Both Google and Dropbox now use this method.
Yahoo! Mail and Facebook are also introducing two-factor authentication using smart phones. However, their methodology only prompts the user to enter the security code if a security breach is suspected or a new device is used.
So What’s Next?
Cloud security is a hot topic, and two-factor authentication is one way to mitigate users’ well-founded concerns. As a result, development and adoption of two-factor authentication systems are proceeding at a rapid pace, and such systems should be available for most cloud applications within just a few short years.
The shift from token-based authentication to SMS-based authentication is also likely to accelerate along with smart phone use.
Two-factor and even three-factor authentication using biometrics will become more popular. Fingerprint readers are already quite common on laptop computers. Use of facial recognition, voice recognition, hand geometry, retina scans, etc. will become more common as the technology develops and the price drops. The obvious advantage of these biometric systems is that the physical device cannot be stolen or otherwise used by a third party to gain access to the system.
As with any security system, two-factor authentication is not 100% secure. Even token systems have been hacked and there is no doubt that there will be breaches in SMS authentication tools as well. However, two-factor authentication still provides the best way to stay safe in the cloud and it’s advisable to use it whenever possible.
This post is by Rackspace blogger Thomas Parent.