Multi-factor (two-factor) authentication, MFA
Password authentication in the information systems of enterprises and organizations is becoming obsolete. Companies that continue to rely on this traditional technique for access to their own information resources put their profitability, and with it probably the very existence of the enterprise, at risk.
This statement applies first of all to companies in the financial sector, but also to a number of companies performing research, development and technology work (R&D) in high-tech market sectors.
According to the Russian Federation standard on data protection, three main properties define the secure state of processed information: its confidentiality, availability and integrity. Recall that password authentication was one of the first barriers to appear in IT systems, together with the operating systems that implemented multi-user access to information resources. For almost 20 years it has stood at the first line of control. Obviously, one of the main advantages of this protection technique is its simplicity. And hardly anyone will dispute that password authentication, given an appropriate organizational approach, is sufficient in many organizations and for the security level at which their information is used. However ...
80% of information security incidents happen because of weak passwords. That is the conclusion reached by Trustwave, based on its own research covering a number of companies in 18 regions of the world. The analysts devoted the research to the vulnerability of elements in information security systems, studying more than 300 incidents that took place in 2011. The main conclusion: weak user passwords in the information system are the weakest spot, and one that attackers actively exploit. This concerns large and small companies alike.
A weak password is bad from the standpoint of information security regulations, but the reverse side of using complex passwords is the difficulty of keeping them in a person's memory. The result is careless storage of them as working notes, and then it no longer matters whether the login/password pair is written in the employee's personal notepad or stuck to the monitor on a sticky note. Knowing how employees of Russian companies, for example, traditionally handle such data, an attacker will obtain it without much effort ... Add to that the frequently practised "synchronization" of passwords for access to different applications and corporate systems ... And so at least two of the three pillars of the enterprise's information security lie prostrate in digital dust.
Some foreign companies working in the field of security incident analysis conclude that unauthorized access to restricted information on an enterprise's financial activity, agreements and diagrams can lead not merely to losses but to ruin. Annual losses from information leaks in the USA are estimated in billions of dollars. The Russian industry portal "Information Security of Banks", in assessing the financial damage from potential employee abuse, refers to research by the Association of Certified Fraud Examiners (ACFE, USA), which puts this figure at 6% of a bank's annual profit. According to the association, losses in such incidents averaged $100 thousand and in 14.6% of cases exceeded $1 million.
The research company Javelin Strategy, in its annual study published in February 2012, estimated the world volume of fraud and data leaks from companies and organizations in 2011 at $18 billion. There is no reason to distrust the experts, and given the lack of public disclosure by Russian banks and companies, everyone is free to make an adjustment for Russia's lag in informatization.
Despite the multitude of computing tools and the broad spectrum of technological solutions, the choice of authentication methods for companies planning their future is small: multi-factor authentication (unless, of course, a technological breakthrough in controlling computing systems by thought arrives in the near future). One-factor, password-based authentication is no longer enough for safe work with information systems in a developed business.
Two-factor authentication is an access control technology in two stages: in addition to entering the login and password for the account, the user is asked to confirm their identity by an additional method, for example by entering into a form a code received by SMS on a mobile phone. Besides this option, TeleSign offers additional verification by voice commands and tokens.
Mobile identification allows access to corporate applications only from "trusted" devices and users. Different technologies can be used to implement this (one or several in a particular case): certificates (for users and devices), application encoding, authentication and so on. Increasingly, EMM tools also apply context information (for example, time or location) that helps in making access decisions.
Strengths and weaknesses of multi-factor authentication
Among its advantages is the ability to protect information both from internal threats and from external intrusions. A certain weakness is the need for additional hardware and software systems, storage devices and readers. At the same time, statistics on the cracking of systems that apply two-factor authentication are currently absent or insignificant.
Multi-factor or extended authentication is already applied today by a number of Russian companies in the financial sector when building Internet banking, mobile banking, file-sharing and other solutions for end users. It is based on combining several authentication factors (knowledge, or a means or object that stores one of the information components of the legitimate authentication procedure), which considerably increases the safety of information use, at least for users who connect to information systems over protected and unprotected communication channels.
As an example, consider the two-factor user authentication process implemented in a number of Russian banks: logging into the user's personal account over the Internet is possible after entering the password on the page, after which (if legitimacy is confirmed) a one-time password is sent by SMS to the mobile phone that the user registered earlier.
Similar schemes for controlling and managing user privileges and the user's further actions in corporate or other information systems can be implemented with a wide variety of means and methods, whose choice is rather broad in terms of technological effectiveness, cost, execution and possible combinations of these properties.
The user's session can also be checked for consistency with the IP address of the last successfully completed session and with the MAC address of the corresponding network equipment. Access may then be confirmed or denied, but these two control parameters cannot be trusted because of their technical weakness: the IP address can be changed, and the MAC address is simple to rewrite while the system is running, even without a reboot. Nevertheless, these data can be used as certain control values.
The reverse side of multi-factor authentication
The first problem of multi-factor authentication is the method of its implementation. Today the most popular second factor used by service providers is the one-time password (OTP).
With this type of 2FA, the user enters a personal password at the first authentication level. At the next stage the user must enter an OTP token, which is usually sent by SMS to their mobile device. The idea of the method is clear: the OTP will be available only to the person who, in theory, entered the password that is unavailable to a stranger.
However, sending the OTP by SMS is, generally speaking, unsafe, as the messages are often sent in clear text. Even beginner hackers can read such text messages; in fact, all they need is the target phone number.
Besides, multi-factor authentication cannot prevent attacks of the MitM class, which are often used in phishing campaigns conducted by e-mail. If the attack succeeds, the user follows the fraudulent link and lands on a website that resembles the bank's online portal. There the user enters their login details and other confidential data, which the attacker then uses to access the real website.
And although this attack can be carried out only within a limited time frame, it is nevertheless possible.
Requirements of the Federal Service for Technical and Export Control for multi-factor authentication
At the beginning of 2014 the Federal Service for Technical and Export Control (FSTEC) approved a methodological document on information protection measures in state information systems. The document clarified many aspects concerning the organizational and technical information protection measures taken in state information systems in accordance with the approved Order of FSTEC of Russia No. 17 of February 11, 2013.
FSTEC strongly recommends abandoning completely the usual authentication based on static passwords for all users without exception and moving to the more reliable multi-factor authentication. The mandatory requirements for multi-factor authentication are the use of hardware authenticators and a one-time password mechanism for both remote and local access.
Examples of two-factor and multi-factor authentication
The SMS authentication technique is based on a one-time password: the advantage of this approach over a permanent password is that the password cannot be reused. Even if an attacker managed to intercept data during the exchange, the stolen password could not be used productively to gain access to the system.
Here is an example implemented with biometric devices and authentication methods: the fingerprint scanner available in a number of notebook models. At login the user must undergo a finger scan and then confirm their privileges with a password. Successful authentication grants the right to use the local data of that particular PC. Nevertheless, the operating regulations of the information system may provide a separate authentication procedure for access to the company's network resources, which, in addition to entering another password, can include a number of requirements for presenting the subject's authenticators. But even with such an implementation the security of the system is undoubtedly strengthened.
Other biometric authenticators can be used in the same way:
- hand geometry;
- outlines and dimensions of the face;
- voice characteristics;
- pattern of the iris and retina of the eyes;
- pattern of the finger veins.
Of course, the corresponding equipment and software is used in each case, and the cost of its acquisition and support can differ many times over.
However, it is worth understanding that biometric authenticators are not absolutely exact data. Prints of the same finger can differ under the influence of the environment, the physiological state of the body and so on. For successful confirmation of this authenticator, an incomplete match of the print to the reference is sufficient. Biometric authentication methods include a confidence measure for the match between the current authenticator and the reference. As for biometric authentication with remote access to the information system, modern technologies do not yet allow reliable data such as a fingerprint or a retina scan to be transmitted over unprotected channels.
These technologies are more suitable for use in corporate networks.
Voice authentication may become the most popular technology in this direction in the near future, and the signs are obvious. A significant number of developments in this area are already available today, and implementation projects for similar management/control mechanisms have found a place in a number of large banks of the Russian Federation. Examples of practical application of voice biometric authentication systems include authentication by a key phrase, as used in a number of call centres, audio-passwords for access to Internet banking systems and the like, confirmation of personnel actions when carrying out important information-access transactions, and control of physical access to and presence in premises.
In addition to technologies using biometric authenticators, there are also hardware-software solutions such as stand-alone keys for generating one-time passwords, RFID tag readers, cryptocalculators, software and hardware counters (tokens), electronic keys of different types (Touch Memory, key/smart card) and biometric ID cards. All the multi-factor authentication systems and methods listed in this article, and in addition to them an access control and management system (ACS), can be integrated, combined, used in turn or in combination. From this we can conclude that the Russian market offers enough to strengthen the protection of information systems from both internal and external intrusions. Companies have a choice limited only by the size of their budget.
Today a large number of foreign companies trust protection methods based on multi-factor authentication techniques, among them organizations in the high-tech, financial and insurance sectors, large banking institutions and public-sector enterprises, independent expert organizations and research firms.
At the same time, private companies and organizations around the world are, understandably, not very willing to talk about the new security and data protection technologies they have implemented. Much more is known about projects in the public sector: since 2006, technological solutions successfully implemented in public institutions of Canada, Saudi Arabia, Spain, Denmark and some other countries have been publicly known.
A new method of bypassing two-factor authentication is presented
At the end of December 2019, a group of hackers presumably connected with the Chinese government was accused of network hacking worldwide. Experts believe the hackers developed a new technique for bypassing two-factor authentication, which alarmed the cyber security community.
Hacker activity attributed to the APT20 group was first detected in 2011. The group was engaged in breaking into and accessing the data of government institutions, large companies and service providers in the USA, South America and Europe. In 2016-2017 the group dropped out of specialists' sight, and only recently the Dutch company Fox-IT, which specializes in cyber security consulting, detected traces of APT20 intervention in the networks of one of its clients, who had asked it to investigate violations of network integrity.
Fox-IT researchers described the intrusion technique in detail. According to the specialists, the group used web servers as the point of entry, in particular the JBoss enterprise application platform. Having penetrated a system and installed web shells, the hackers spread across the victims' networks. The passwords and accounts they found allowed them to steal data with standard tools, without installing malicious software.
Worst of all, the APT20 group was able to bypass multi-factor authentication and gain access to protected VPN accounts. Most probably the hackers stole an RSA SecurID software token from a compromised system and modified it so as to break its binding to the local system. Without that binding the RSA SecurID software normally gives an error message, but the hackers bypassed the whole initial verification and, using the stolen software, could freely generate one-time codes to bypass the two-factor protection.
Using multi-factor authentication blocks 99.9% of break-in attempts
About 300 million fraudulent sign-in attempts are made daily on Microsoft's cloud services. Multi-factor authentication (MFA) can help protect accounts from many types of attacks.
According to Microsoft specialists, users who enable multi-factor authentication for their accounts block 99.9% of automated attacks as a result. The recommendation extends not only to Microsoft accounts but to any other profile, website or online service. If the service provider supports multi-factor authentication, Microsoft recommends using it, regardless of whether it is something as simple as one-time SMS passwords or an advanced biometric solution.
According to Microsoft researchers, such old advice as "never use a password that has ever been compromised" or "use really long passwords" has not helped much in recent years. Cybercriminals now have various methods at their disposal for obtaining user credentials, and in most cases the password and its complexity do not matter.
Enabling multi-factor authentication will protect against persistent fraudulent sign-in attempts. It cannot block only the 0.1% of attacks in which cybercriminals use technical means to capture MFA tokens, but those occur extremely rarely.
A lawsuit against Apple for the "illegal" enabling of two-factor authentication
On February 11, 2019 it became known that California resident Jay Brodsky had filed a lawsuit against Apple for "illegally" enabling two-factor authentication. Brodsky complains that two-factor authentication significantly complicates users' lives, since they are required not only to remember the password but also to have access to the trusted phone or phone number.
2017: Google drops SMS for multi-factor authentication
In the summer of 2017 Google plans, instead of one-time verification codes sent by SMS, to show users on-screen notifications asking them to confirm the login. This approach is considered more reliable than sending confidential codes by SMS, since such notifications are harder to intercept.
Google's messages will indicate the device from which the login is performed, its physical location and the time of the attempt. Users will need to watch this information closely to prevent unauthorized logins by strangers.
The switch to on-screen notifications will be offered only to those Google users who already have two-factor authentication activated. Accepting the offer is not obligatory: the option of keeping code delivery by SMS is provided.
SMS passwords are recognized as unsafe
In the summer of 2016 the National Institute of Standards and Technology of the USA (NIST) presented a preliminary version of the forthcoming Digital Authentication Guideline (a document that will set new regulations and rules for digital authentication methods): the SMS OTP mechanism was never intended for authentication and cannot be considered a full-fledged factor.
The document contains a direct statement that the use of SMS for two-factor authentication may be "inadmissible" and "unsafe" (section 220.127.116.11 of the document).
In full, the paragraph reads: "If out-of-band verification is performed by SMS on a public mobile telephone network, the verifier must make sure that the pre-registered phone number is really associated with a mobile network and not with a VoIP or other software service. It is then possible to send the SMS to the pre-registered phone number. Changing the pre-registered phone number must not be possible without two-factor authentication at the time of the change. The use of SMS in out-of-band authentication is inadmissible and will not be permitted in future versions of this guideline."
The main concerns of NIST experts come down to the fact that a phone number can be tied to a VoIP service; moreover, attackers can try to convince the service provider that the phone number has changed, and such tricks need to be made impossible.
Although the document recommends that vendors use tokens and cryptographic identifiers in their applications, the authors of the amendments also note that "a smartphone or other mobile device can always be stolen, or can temporarily be in the hands of another person", the NIST document says.
There are quite a few mechanisms for compromising SMS passwords, and they have already been used repeatedly, mainly to steal money from clients of Russian banks. It is enough to list some of the methods of cracking SMS passwords:
- Replacement of the SIM card using forged documents
- Use of vulnerabilities in the SS7 protocol
- Call forwarding at the mobile operator
- False base stations
- Specialized Trojan programs for smartphones that intercept SMS passwords
Hacking the gateway between the bank and the telecom operator can be regarded as one more method.
The fact that the SMS password mechanism is used by all banks offers wide prospects for hackers. Obviously, once a Trojan for the smartphone has been written, it can be used to attack all Russian banks with minimal customization of the Trojan.
At the same time, one can predict that large banks will be the first "to get it": their big customer base allows fraudsters to count on a substantial result even with small client account balances.
One-time passwords via SMS
- delivery delays
- possibility of interception at the level of the communication channel or at input into the system
- possibility of interception at the level of the mobile operator
- possibility of the client's SIM card being reissued to a fraudster on a forged power of attorney (and interception of the SMS)
- possibility of sending the client an SMS from a spoofed number
- operating costs grow in proportion to the customer base
One-time passwords via push
- non-guaranteed delivery
- direct prohibition by Apple/Google/Microsoft on use for transferring confidential information
- purpose: informing only
Researchers demonstrated a simple attack to bypass two-factor authentication
Scientists from Vrije Universiteit Amsterdam, Radhesh Krishnan Konoth, Victor van der Veen and Herbert Bos, demonstrated a practical attack on two-factor authentication using a mobile device. The researchers showed a Man-in-the-Browser attack against smartphones running Android and iOS.
The problem with two-factor authentication arose because of the growing popularity of smartphones and owners' desire to synchronize data between different devices. Two-factor authentication relies on the principle of physical device separation for protection against malware. However, data synchronization makes such segmentation completely useless.
The researchers demonstrated the attack by installing a vulnerable application through Google Play. They managed to bypass the Google Bouncer check and activate the application for intercepting one-time passwords.
For the attack on iOS the researchers used the new OS X feature called Continuity, which synchronizes SMS between an iPhone and a Mac. If this functionality is activated, it is enough for an attacker to have access to the computer to read all SMS messages.
According to the researchers, the application for stealing one-time passwords was added to Google Play on July 8, 2015 and remained available to users for two months, until the release of a video demonstrating the attack.
Apple was notified on November 30, 2015, but the researchers received no reply.
"Yandex" and Mail.ru launched two-factor authentication
Usually two-factor authentication means entering a password on the website and then confirming identity with a code received by SMS on a mobile phone.
In Mail.Ru's implementation of two-factor authentication the first factor is the password, and the second is the code that the user receives by SMS on the phone number linked to the account. According to the solution's designers, this is the most accessible method, covering even the audience that does not use smartphones on popular operating systems.
"Ours is even simpler," says Vladimir Ivanov, deputy head of the operations department at Yandex. The company proposes not entering the password on the website at all. Instead, the user will need to photograph a QR code on the service's page (for example, Yandex.Mail) with a smartphone and enter a four-digit PIN code on the smartphone, he said.
The photo of the QR code goes to the Yandex.Key application, and the specified code is then entered there. The Yandex.Key application must be installed on the device in advance if the owner wishes to use Yandex's new technology. In addition, two-factor authentication must first be enabled in Yandex.Passport, Ivanov reported. Owners of Apple smartphones and tablets can use the Touch ID fingerprint scanner instead of a PIN code (where the model has one).
The two authentication factors in Yandex's system are the following: information on the device's association with the specific user, stored on Yandex's servers, and the user's knowledge of the four-digit PIN (or their fingerprint), the company explained.
Each time a PIN code is entered (or Touch ID is triggered), the application generates a unique one-time code that is valid for 30 seconds. Part of the code is derived from the PIN code, which is known only to the user and to Yandex, and part from the application's data. Both "secrets" are encrypted into the one-time code. "Thus the scenario in which one of the factors is compromised and the attacker then picks up the data of the second factor is excluded," Yandex added.
If the QR code cannot be read, for example because the smartphone camera does not work or there is no Internet access, the Yandex.Key application will create a one-time password made up of characters. It is also valid for only 30 seconds.
After switching to two-factor authentication, the existing user password will stop working in all installed programs that use the Yandex login and password, including Yandex.Disk, e-mail clients configured to collect mail from Yandex.Mail, and synchronization in Yandex.Browser, the company warned. A new password will be needed for each application; it is created in Yandex.Passport, in the Application Passwords settings. It will need to be entered once in each application.
An authentication server will integrate verification processes
The purpose of authentication is to make it as hard as possible to use someone else's (stolen or guessed) credentials. This process should be simple for the legitimate user, yet inventing and remembering strong passwords of at least nn characters that include special characters and digits will very probably irritate users.
A company may have several different information systems, sources of resources that require authentication:
And since the user faces the task of complying with the security policy's requirements for password complexity and uniqueness, solving it presents certain difficulties for the user, while the technology landscape contains separate authentication systems that are not connected with each other, are not flexible, and require large resources to support. All this leads to additional expense and "slowness" of the company when changing authentication methods.
An authentication server, a single administration centre for all identity verification processes for all applications, services and resources at once, can resolve these questions and help solve the tasks at hand. Industrial servers of this kind support a whole set of authentication methods; as a rule these are OATH HOTP, TOTP, OCRA, PKI certificates, RADIUS, LDAP, the normal password, SMS, CAP/DPA and others. Each resource that uses the authentication server can use the method it requires.
Using authentication servers, IT administrators get a single interface for managing user credentials and flexible options for changing authentication methods. The business gets reliable protection of access to services and resources in the form of two-factor authentication, which increases the loyalty of both internal and external users.
Adding a second authentication factor, with an authentication server already in operation, will not require the company to create new software and hardware or buy new tokens.
An example: bank A verified the identity of debit and credit card holders in its client-bank system using certificates on USB tokens. Its payment cards had only a magnetic stripe, but at some point the bank started issuing cards with an EMV chip, which is in essence a microcomputer. A card with an EMV chip can be used for authentication under the MasterCard Chip Authentication Program (CAP) algorithm. So now bank A can stop using expensive PKI tokens for each user and replace this authentication method with CAP, which requires only an inexpensive cryptocalculator. After a while bank A begins issuing payment cards with a display and an implemented OATH TOTP algorithm and, to spare the user the additional cryptocalculator, configures TOTP authentication for the client-bank system. It must be understood that, in addition to remote banking, bank A has many other services, both internal and intended for clients or partners, that require authentication. For each application the information security service can set its own requirements for the user authentication methods needed. All of bank A's authentication can be done on the authentication server. There is no need to do development for each application separately.
Such flexibility and ease of adding new authentication methods is unattainable without an authentication server. The time saved on these tasks is so considerable that the speed of bringing a product into operation can be spoken of as a competitive advantage.
Strong authentication in the form of specialized software makes it possible to add multi-factor capability to applications that previously lacked this functionality, without complex modifications. Practically all information systems, services and applications that do not support strong authentication "out of the box" can use the capabilities of the authentication server for user access.
2014: Google against passwords: sales of USB keys for website access begin
In October 2014 Google announced the launch on its websites of two-factor authentication using a physical USB key. The key can be bought on Amazon (link). Three models are currently offered in the store, priced from $6 to $60.
All the keys use the open Universal 2nd Factor (U2F) protocol developed by the FIDO Alliance. The keys can be used on any website (not only Google's) that adds support for the protocol.
The USB keys require no installation: it is enough to insert one into the computer's USB port after entering the password on the website, when the website prompts for it. All the keys work with Windows, OS X, Linux and Chrome OS. Using a USB key requires Google Chrome version 38 or later.
Use of the USB keys is completely free, but users must buy them at their own expense. The keys differ in design. The most expensive model, at $60, is equipped with Java Card technology.
Google launched two-factor authentication with a confirmation code sent by SMS in 2011. In January 2013 the corporation reported that it intended to develop and offer physical means of identity confirmation; specifically, access to Google services using USB keys was discussed then.
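What makes a U2F key different from the SMS codes Google started with in 2011 is that the key's signature covers the origin the browser actually connected to, so a phishing page that captures the user's password and the key's response gets nothing usable on the real site. The example below is added here and is not code from the original article, Google, the FIDO Alliance or any key vendor: it models the U2F authentication signature (SHA-256 of the application id, a user-presence byte, a 32-bit counter and SHA-256 of the client data, signed with ECDSA P-256, as in the U2F raw message format) and the checks a relying-party server performs. The client-data JSON, the key handle and the site names are simplified assumptions.

```go
// Added example, not from the original article and not code from Google, the
// FIDO Alliance or any key vendor: a model of the U2F authentication signature
// and the server-side checks that make it origin-bound (standard library only).
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Key models a U2F token: a P-256 key for one site plus a counter that only
// ever increases, which lets the server notice a cloned key.
type Key struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewKey() (*Key, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Key{priv: priv}, err
}

// clientData is the browser-built JSON the key signs over. Simplified
// (assumption): real U2F client data also has "typ" and channel-binding fields.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedData builds the U2F authentication signature input:
// SHA-256(appID) || userPresence || counter (big-endian) || SHA-256(clientJSON).
func signedData(appID string, presence byte, counter uint32, clientJSON []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(clientJSON)
	var buf bytes.Buffer
	buf.Write(app[:])
	buf.WriteByte(presence)
	binary.Write(&buf, binary.BigEndian, counter)
	buf.Write(chal[:])
	return buf.Bytes()
}

// Sign is what happens on a touch. The browser passes the origin it really
// connected to as appID, so a look-alike site yields a different appParam.
func (k *Key) Sign(appID string, clientJSON []byte) (uint32, []byte, error) {
	k.counter++
	h := sha256.Sum256(signedData(appID, 0x01, k.counter, clientJSON))
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, h[:])
	return k.counter, sig, err
}

// Server keeps the registered public key, the challenge it issued and the
// highest counter accepted so far.
type Server struct {
	appID       string
	pub         *ecdsa.PublicKey
	challenge   string
	lastCounter uint32
}

// Verify rejects a wrong challenge, a foreign origin, a missing touch, a
// counter that did not advance (replay or clone) and, last, a bad signature.
func (s *Server) Verify(clientJSON []byte, presence byte, counter uint32, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Challenge != s.challenge:
		return errors.New("challenge mismatch")
	case cd.Origin != s.appID:
		return errors.New("origin mismatch: assertion was made for another site")
	case presence&0x01 == 0:
		return errors.New("user presence not asserted")
	case counter <= s.lastCounter:
		return errors.New("counter did not increase: replay or cloned key")
	}
	h := sha256.Sum256(signedData(s.appID, presence, counter, clientJSON))
	if !ecdsa.VerifyASN1(s.pub, h[:], sig) {
		return errors.New("bad signature")
	}
	s.lastCounter = counter
	return nil
}

func main() {
	key, _ := NewKey()
	srv := &Server{appID: "https://bank.example", pub: &key.priv.PublicKey, challenge: "c1"}
	cj := []byte(`{"challenge":"c1","origin":"https://bank.example"}`)
	ctr, sig, _ := key.Sign(srv.appID, cj)
	fmt.Println("login:", srv.Verify(cj, 0x01, ctr, sig), "replay:", srv.Verify(cj, 0x01, ctr, sig))
}
```

Two properties carry the phishing resistance: an assertion produced on a look-alike origin is refused because its client data names that origin, and an attacker who rewrites the client data to name the real origin changes the challenge parameter, so the signature no longer verifies. The counter check is what distinguishes a key that was physically cloned from the genuine one.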
2013: Two-factor authentication of mobile transactions
In October 2013 scientists at IBM developed and presented a new mobile security technology using authentication based on the short-range wireless standard near-field communication (NFC). The technology provides an additional layer of protection for access to a corporate network or private cloud during transactions made with NFC-capable mobile devices and contactless smart cards.
According to a report by the research company ABI Research, the number of NFC-capable devices in use will exceed 500 million in 2014. These figures, together with the forecast that by 2017 one billion mobile users will perform banking transactions on their devices, confirm the growing risk of data loss through fraudulent activity.
To address this problem, staff of the IBM laboratory in Zurich, who also created the operating system that runs and secures hundreds of millions of smart cards, developed an additional layer of protection for mobile transactions involving two-factor authentication.
Many users already employ two-factor authentication when working on a computer, for example by entering not only a password but also a confirmation code received by SMS. IBM's scientists applied the same principle, combining a personal identification number (PIN) with a contactless smart card. The smart card can be issued by a bank for use at ATMs, or by an employer as an employee badge.
"The two-factor authentication technology based on the Advanced Encryption Standard provides a high level of security," commented Diego Ortiz-Yepes, a mobile security specialist at IBM Research.
How the technology works
The user holds the smart card near the NFC reader of the mobile device. After the PIN is entered, the card generates a one-time code, which is then sent to the server via the mobile device.
The IBM technology relies on end-to-end encryption of the data exchanged between the smart card and the server under the Advanced Encryption Standard (AES) approved by the National Institute of Standards and Technology (NIST). Mobile technologies currently on the market require the user to carry, for example, a random password generator, which is not always convenient and in some cases less secure.
The new technology, available now on any NFC-capable device running Android 4.0, is based on IBM Worklight, the mobile platform included in the IBM MobileFirst solution portfolio. Future updates will allow new NFC devices to be used, taking market development trends into account.
The results of a new study by the IBM Institute for Business Value, conducted among "mobile" enterprises, confirm that organizations recognize the importance of a high level of security for mobile transactions. According to the survey of specialists, security ranks second on the list of the most difficult tasks facing the enterprise.
2011: Two-factor authentication is too difficult, administrators believe
60% of the hundred heads of information services surveyed by GrIDsure are concerned about the excessive complexity of two-factor user authentication methods, and more than half believe its implementation would be too expensive (2011 data). At the same time, every fifth respondent is skeptical about the chances of two-factor authentication solving the problems of traditional single-password authentication. Nevertheless, 36% of respondents consider multi-level authentication the most important access security factor. 32% put employee training first, and only 7% favor shutting off remote access.
Password authentication is no longer enough to protect valuable data, GrIDsure concludes. However, system cost turns out to be the decisive factor. Most of the solutions available on the market are too complex and expensive to implement and support. Any system that requires a hardware key or sends passwords to a mobile phone only makes the authentication process more cumbersome.
Only 34% of respondents are confident that employees can do everything necessary to protect the company against computer threats.
- ↑ Multifactor authentication is not at all a panacea
- ↑ Chinese hacking group has found new way to bypass two-factor authentication
- ↑ Use of multifactor authentication blocks 99.9% of cracking
- ↑ One simple action you can take to prevent 99.9 percent of attacks on your accounts
- ↑ Based on materials from Xakep.ru, PLUSworld.ru
- ↑ [http://www.securitylab.ru/news/481044.php Researchers showed a simple attack for bypassing two-factor authentication]
- ↑ "Yandex" started two-factor authentication without passwords
- ↑ [http://www.pcweek.ru/security/article/detail.php?ID=171502 Nikolay Korabelnikov]
- ↑ [http://www.cnews.ru/top/2014/10/22/google_protiv_paroley_nachalis_prodazhi_usbklyuchey_dlya_dostupa_k_saytam_588952 Google against passwords: sales of USB keys for website access begin]
- ↑ Two-factor authentication is too difficult, administrators believe