After Gmail hacking: conventional password protection is not enough
SecurEnvoy, 16/09/2014
Hackers recently got their hands on almost five million Google Mail passwords and published them on the Internet. Such news stories show that conventional password protection is no longer sufficient on its own. SecurEnvoy, the inventor of tokenless two-factor authentication, has been looking at this issue for many years and designs technologies that ensure greater security for network login procedures. The company will be demonstrating its solutions at the it-sa trade fair in Nuremberg, Germany, which is being held from 7th to 9th October. Technologies such as its new "One Swipe" method will be presented at Stand 528 (in Hall 12). This new solution enables secure two-factor authentication even when users are offline.
A password alone is not usually secure enough to protect network access. This statement is supported by recent headlines about millions of hacked passwords. In serious cases, such thefts can be extremely damaging to companies. Many companies have already implemented two-factor authentication in their networks, but still use methods that involve dedicated tokens, which have proven cumbersome to use. With this approach, employees don't just enter a username and password/PIN when logging in, but must also authenticate themselves using a physical token, such as a smartcard. This means that users must carry these tokens with them wherever they go in order to gain access to the network.
But, in the opinion of SecurEnvoy, such authentication methods are too inflexible and the company believes that the costs associated with physical tokens should be kept to a minimum. It therefore developed a technology with which smartphones, which virtually everyone has with them all the time anyway, can be used as tokens. With SecurEnvoy, the passcodes required for authentication can be requested by users via SMS, e-mail, voice call or soft token app. And a further option is now available in the form of the new One Swipe offline authentication function.
QR code resolves the issue
With the One Swipe method, proof of identity is provided by means of a PIN and a unique QR code. Only the correct combination of these permits a successful login. One Swipe allows users to authenticate themselves in a network even if they do not have mobile phone reception or an Internet connection. They enter a PIN into the soft token interface, after which the smartphone or tablet generates a single-use QR code. This code is then scanned using a webcam on a computer or on a mobile device. The information thereby transmitted provides conclusive evidence regarding the identity of the employee. This completes the network login process.
"Our tokenless two-factor authentication method combines something that the user knows, e.g. his/her PIN, and something that he/she possesses, such as a smartphone, tablet or laptop," comments Steve Watts, Sales and Marketing Director at SecurEnvoy. "In order to make such authentication possible even if the user is offline and has no mobile phone reception, we developed the One Swipe technology, which already works on the new iPhone 6. With One Swipe, the time and place from where the user logs in is now irrelevant. All users can flexibly and unambiguously authenticate themselves in their corporate network using a mobile device that they have with them anyway. This is an increasingly important aspect for employers in this age of increased remote working."