Two-factor Authentication

Latest

  • Evernote plans two-factor authentication following last week's hack

    by Zach Honig
    03.05.2013

    In a move that's often more reactive than proactive these days, Evernote has shared plans to add two-factor authentication to its login process. This latest announcement follows last week's hacking attack and subsequent site-wide password reset, and will be available to all of the site's 50 million users beginning later this year, according to an InformationWeek report. It's too early to say exactly how the Evernote team plans to implement the new security feature, whether through a dedicated app or text message password, but given the service's scale, we can likely count out a hardware fob option, at least. For now, your best course of action is to create a secure password, or, if you're especially paranoid, you may consider delaying your return until the security boost is in place.

  • Google experiments with hardware-based authentication, envisions passwordless future

    by Terrence O'Brien
    01.18.2013

    2012 was not a great year for security. From the "epic hack" of Wired's Mat Honan to the breach of Dropbox and the breakdown of barriers at Blizzard (not to mention countless smaller incidents), last year held frequent reminders that what you put online is never truly safe. Google has, in the wake of such public failings, begun pushing its two-factor authentication with a pretty heavy hand. But even that system has its shortcomings, and Mountain View is looking for ways to shore up users' accounts. In particular, the web giant is exploring hardware authentication options and experimenting with a device called YubiKey -- a USB-based token system. The research will be unveiled in a paper being published later this month in IEEE Security & Privacy Magazine, and includes preliminary work on a protocol for using a hardware device to unlock an online account. If carrying around and jacking in a USB key sounds too cumbersome, fear not. Google is also working on a wireless version of the platform that could be embedded in a cellphone or even a piece of jewelry like a ring. We may never ditch the password entirely, but we can hope.

  • Dropbox two-step verification available for testing (Updated)

    by Kelly Hodgkins
    08.27.2012

    Update: It looks like 2-step authentication is now available for everyone. As reported by Techdows, Dropbox is allowing users to enable two-step verification on their accounts. Two-step verification requires users to enter a six-digit security code along with their password when they log in to Dropbox, or add a new computer, phone or tablet to their account. Users need to install the latest beta forum build of Dropbox (version 1.5.12) to their computer and then visit Dropbox's website to activate two-step verification. Customers can choose between receiving their security code via text messaging or an authentication app like Google Authenticator (free). Command-line savvy Mac users can also use the Terminal-based OATH Tool to generate a code if needed. Dropbox also provides a backup code that customers can save for emergency access to their account if they lose their phone. Though it may be inconvenient to enter both a password and a variable code each time you log in to Dropbox, some users may feel that it's worth it for the extra security. You can follow the instructions in Dropbox's forum post and on its website to get started. Interest in two-factor auth and other "enhanced security" settings for cloud services has stepped up dramatically in the weeks since Wired's Mat Honan got hacked. Honan details the process of getting his data back in this recent post. [Via The Verge]

  • Intel and MasterCard to offer Ultrabook users 'safer' NFC checkout via PayPass, impulsive shoppers rejoice

    by Lydia Leavitt
    11.14.2011

    Entering a 16-digit credit card number may be a thing of the past with a new initiative from MasterCard and Intel, which allows users to check out online by tapping a PayPass-enabled card, tag or smartphone to their Ultrabook. Calling the checkout "safer" and "simpler," Intel is bringing its Identity Protection Technology to the potluck, giving shoppers two-factor authentication and chip-based display protection when forking over that hard-earned cash. Here's how it all works: when you tap an NFC smartphone or other PayPass-enabled device, it will communicate with the Ultrabook, generating a six-digit code from the embedded processor or from within the Manageability Engine. The ME hardware, encrypted with third-party algorithms, then transacts with the e-commerce site, hopefully offering shoppers more protection than standard software solutions. Since using the feature requires an NFC-connected device as well as the Ultrabook and a username and password, forgetful folks who tend to misplace their phone or computer won't have to worry about unwarranted spending. Sadly, the solution won't protect your wallet from the perils of a late-night shoe shopping spree. Check out the full PR after the break.

  • RSA SecurID hackers may have accessed Lockheed Martin trade secrets, cafeteria menus (update: no data compromised)

    by Zach Honig
    05.29.2011

    RSA SecurID dongles add a layer of protection to everything from office pilates class schedules to corporate email accounts, with banks, tech companies, and even U.S. defense contractors using hardware security tokens to protect their networks. Following a breach at RSA in March, however, the company urged clients to boost other security methods, such as passwords and PIN codes, theoretically protecting networks from hackers that may have gained the ability to duplicate those critical SecurIDs. Now, Lockheed Martin is claiming that its network has come under attack, prompting RSA to issue 90,000 replacement tokens to Lockheed employees. The DoD contractor isn't detailing what data hackers may have accessed, but a SecurID bypass should clearly be taken very seriously, especially when that little keychain dongle is helping to protect our national security. If last month's Sony breach didn't already convince you to beef up your own computer security, now might be a good time to swap in 'Pa55werD1' for the rather pathetic 'password' you've been using to protect your own company's trade secrets for the last decade. [Thanks to everyone who sent this in] Update: According to Reuters, Lockheed Martin sent out a statement to clarify that it promptly took action to thwart the attack one week ago, and consequently "no customer, program or employee personal data has been compromised." Phew! [Thanks, JD]

  • RSA hacked, data exposed that could 'reduce the effectiveness' of SecurID tokens

    by Tim Stevens
    03.18.2011

    If you've ever wondered whether two-factor authentication systems actually boost security, things that spit out pseudorandom numbers you have to enter in addition to a password, the answer is yes, yes they do. But, their effectiveness is of course dependent on the security of the systems that actually generate those funny numbers, and as of this morning those are looking a little less reliable. RSA, the security division of EMC and producer of the SecurID systems used by countless corporations (and the Department of Defense), has been hacked. Yesterday it sent out messages to its clients and posted an open letter stating that it's been the victim of an "advanced" attack that "resulted in certain information being extracted from RSA's systems" -- information "specifically related to RSA's SecurID two-factor authentication products." Yeah, yikes. The company assures that the system hasn't been totally compromised, but the information retrieved "could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack." RSA is recommending its customers beef up security in other ways, including a suggestion that RSA's customers "enforce strong password and pin policies." Of course, if security admins wanted to rely on those they wouldn't have made everyone carry around SecurID tokens in the first place. [Thanks to everyone who sent this in]