Multi factor is now essential for security
CEO & Founder of Server Density.
Published on the 28th August, 2012.
It’s always been well known in the sysadmin community how easy it can be to crack password based logins. SSH key-pairs have been standard for a long time (does anyone even still use password based SSH logins?). This kind of knowledge is now becoming more mainstream with the combination of a number of events:
- E-mail being the skeleton key to access all your accounts; a single point of failure for password based logins and insecure security questions in particular.
- More and more data and documents available and being stored online so personal details can be easily researched and then access gained to your entire digital life.
- High profile cracking of human managed security barriers such as account reset procedures.
After ensuring secure passwords the solution to these problems is multi factor authentication – requiring you authenticate using a code generated by a device you should always have with you. Banks have been using this for almost 5 years and it’s now becoming popular with services we now consider critical to maintain the security of – e-mail providers like Google, online storage apps like Dropbox and sever administration consoles like AWS Console.
The great thing is that there is a common standard – Time-based One-Time Password – which means you can write your own app to generate the code or use one of the standard ones like Google Authenticator for iOS or Android (also open source).
This seems like a new standard piece of any sysadmin’s security toolbox. Setting up MFA for SSH logins is easy with the freely available PAM module (and easy packages for Ubuntu, other OSs and there’s even a Puppet module).
However, there are still potential security holes in MFA. A successful cracking attempt at Cloudflare earlier this year was achieved through changing SMS/phone forwarding rules and breaking into voicemail services at AT&T. The takeaway from this incident was to remove all associations with phone based authentication so there is no chance of redirection attacks – only use a local app.
It’s also no good if you don’t have 100% coverage of all accounts. Unfortunately Google Apps has no way to force users to use 2 factor authentication but they do have a report that can be downloaded from the admin panel which shows the status for all users. Then badger them to get it enabled.
So what’s the next step? Understand which services you have accounts with that could potentially cause a security issue if breached and find out if they support MFA. E-mail. Document sharing. Server logins. Cloud control panels. Blogs. Internal customer systems. Payment processors. Then get it set up for all your users. And if not, make sure you request it from the vendor!