The Importance of Two Factor Authentication in Information Security

Ask anyone how their systems, laptops, networks and applications are protected and the answer you will most likely get is "with passwords." Ask whether they feel confident in that, or sleep soundly at night believing everything is secure, and they will likely say:

  • Yes, because I/we use complex passwords.
  • Yes, because we change our passwords every thirty days.
  • Yes, because our passwords are linked to a captive portal or an Active Directory.

I say you should not be that confident. Why? Passwords have been with us for the longest time and have protected our systems for just as long. Sure, they do the job, but consider that:

  • Passwords can now be brute-forced, and the cracking dictionaries and leaked-password databases behind such attacks keep getting better.
  • If an unauthorized user compromises the Active Directory, every password it holds must be treated as exposed, and the passwords themselves are then as good as useless.

This is where a second layer of authentication comes in. Also known as two-factor authentication, it does not merely gate access to a facility; it checks that the user requesting access is really the person who is supposed to be there, by requiring something the user has (a token or a phone) in addition to something the user knows (the password).

A second layer of authentication is now one of the biggest items in information security. Two-factor authentication technology can now be integrated into applications, databases and even identity management solutions such as an Active Directory infrastructure. It was once used mainly as a second layer for users of public-facing web applications, but over the past few years it has evolved so that it is also used for internal systems and networks.

Two-factor authentication systems have also evolved in the methods used to deliver the second-layer key. They started with special devices, or hard tokens, but because of the cost of purchasing such tokens the industry moved to sending the key by SMS message. SMS delivery has its own problems: congestion on the SMS network can delay the message, which makes it unsuitable for applications with a real-time requirement such as ATMs, and a code carried over the telephone network is outside the control of the organization that issued it and can be intercepted or redirected before it reaches the user. Because of these issues the technology evolved again, this time to authenticator applications that you download and install on a smartphone and that generate the code on the device itself, giving users a real-time authentication facility.
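As an added illustration (not part of the original article), here is how an authenticator app and the server it talks to arrive at the same code without any code crossing the network: both sides hold a shared secret and derive a one-time code from the current 30-second time step, as specified in RFC 6238 (TOTP), which builds on RFC 4226 (HOTP). The secret below is the RFC's own published test secret; the `verify_totp` helper, with its clock-skew window and replay check, is my own assumption of how a server-side check is written and is not code from any particular product.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 test secret (ASCII "12345678901234567890"), used here as
# constructed sample input. Phone apps usually receive it base32-encoded.
TEST_SECRET = b"12345678901234567890"
TEST_SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret an authenticator app is provisioned with."""
    padded = encoded.strip().upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    This is what the app on the phone computes; no network is involved."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float, step: int = 30,
                digits: int = 6, skew: int = 1, last_used_step=None):
    """Server-side check (assumed design, not from any product).

    Accepts the code for the current step and `skew` steps either side to
    tolerate clock drift between phone and server, compares in constant time,
    and refuses any step at or before `last_used_step` so a code that was
    already accepted cannot be replayed inside its validity window.
    Returns the matching step on success (store it as the new last_used_step)
    or None on failure."""
    current = int(at_time) // step
    for delta in range(-skew, skew + 1):
        candidate = current + delta
        if last_used_step is not None and candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    # The phone and the server derive the same code from the shared secret.
    now = time.time()
    phone_code = totp(secret_from_base32(TEST_SECRET_BASE32), now)
    print("code shown on phone:", phone_code)
    print("server accepts:", verify_totp(TEST_SECRET, phone_code, now) is not None)
    # Submitting the same code a second time is rejected as a replay.
    used = verify_totp(TEST_SECRET, phone_code, now)
    print("replay accepted:", verify_totp(TEST_SECRET, phone_code, now,
                                          last_used_step=used) is not None)
```

The replay check is the part most often left out of home-grown implementations: without it, anyone who shoulder-surfs or phishes a code has up to a minute (with `skew=1`) to reuse it, which is exactly the window the real-time requirement above is meant to close.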

How secure is it? On a scale of 10, I would rate it a 9. Why not a perfect 10? Because of other factors such as misconfiguration and, probably, human error. We also cannot discount the possibility that the authenticator application you download is already tainted, or has vulnerabilities that have not yet been discovered, unless such mobile authentication apps have been fully certified by a reputable software vendor.

Do we need it? Definitely. Most of the computing technologies we have now are connected to each other, so there has to be a point of protection somewhere for files, records, transactions, e-mails and even identities.

Incidents of data breaches and identity theft have made it really important to implement such technologies. You may be an individual consumer storing files in the cloud or accessing a social media account, a corporate user accessing bank accounts over the web, or a network administrator making sure that those who enter your area are really the people who are supposed to be there; the bottom line is protection. How can you protect your files, your identity and your transactions in a connected world?

Passwords? Encryption? Certificates? These are basic identity protection mechanisms that work, and continue to work. But what happens when they are breached? How can you be so sure they have not been?


Vlad has 26 years of professional experience with expertise in Business Management, Operations Management, Process Engineering, Information Security, Compliance and Audit, Information Technology and Strategic Human Resources Management, acquired at several Philippine and global companies spanning the Financial, Consulting and Service Delivery sectors. Vlad is a certified information systems security professional and information systems auditor, and dabbles in life coaching and golf in his spare time.