NIST Nixes TFA Via SMS

Holy acronyms, Batman!  What the heck does this headline mean?  Well, the National Institute of Standards and Technology (NIST) has removed two-factor authentication (TFA) via short message service (SMS) from its approved list of two-factor authentication methods.  The reason is that SMS is not encrypted end to end: a one-time code that can be read or redirected in transit is too weak for use in Federal authentication systems.  NIST is recommending that all companies ...


Which Is Better – SMS or App-based TFA?

I am a firm believer in, and user of, two-factor authentication (TFA or 2FA).  Heck, if there were three-factor authentication I would probably sign up.  The two most popular authenticator apps are Authy and Google Authenticator.  I primarily use Google Authenticator wherever I can.  I use SMS when Authenticator isn't an option, or won't work.  I had trouble, for instance, getting Facebook to work and ...


Changing Passwords Regularly May Be Insecure

Bruce Schneier had an interesting post in which he attacked the commonplace practice of requiring regular password changes.  Typical corporate IT policies require a change every 90 days, and some high-security environments require it more often than that.

The basic issue with frequent password changes is that humans will create a system that makes the next iteration of the password easy to remember.  This ...
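The "system" people invent is usually mechanical: bump the trailing number, add a symbol, swap a letter for a look-alike digit.  That also means it is mechanical to detect.  Below is an added example, not from Schneier's post or from any vendor, of the kind of history check a password-change handler could run: it strips the cosmetic changes and then measures how far the new password really is from the old one.  The leet-substitution table, the distance threshold and the sample passwords are constructed for illustration.

```python
import re

# Look-alike substitutions people use between rotations (constructed, not exhaustive).
LEET = str.maketrans("@$013!", "asoeli")


def normalize(password: str) -> str:
    """Strip what a typical rotation scheme changes: case, leading/trailing digits or
    symbols (Summer2016! -> summer) and leet substitutions (P@ssw0rd -> password)."""
    p = password.lower()
    p = re.sub(r"[^a-z]+$", "", p)
    p = re.sub(r"^[^a-z]+", "", p)
    return p.translate(LEET)


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_predictable_rotation(old: str, new: str, max_distance: int = 2) -> bool:
    """True when the new password is a trivial iteration of the old one."""
    a, b = normalize(old), normalize(new)
    if not a or not b:                      # all-digit/symbol passwords: compare raw strings
        a, b = old.lower(), new.lower()
    if min(len(a), len(b)) >= 4 and (a in b or b in a):
        return True                         # one is the other with something bolted on
    return levenshtein(a, b) <= max_distance


def matches_history(new: str, history: list) -> list:
    """Previous passwords (constructed list in the demo) that the proposed one rotates from."""
    return [old for old in history if is_predictable_rotation(old, new)]


if __name__ == "__main__":
    # Constructed history for a user who has been rotating the same base password.
    previous = ["Summer2016!", "Summer2017!", "P@ssw0rd1"]
    for candidate in ["Summer2018!", "Password2", "correct horse battery"]:
        print(candidate, "->", matches_history(candidate, previous) or "ok")
```

The threshold is deliberately loose; the point is to reject the change the user was going to make anyway, which is the change that leaves an attacker who already has last quarter's password with a one-guess problem.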


Setting Up TFA Without Authenticator

Maybe you like the idea of two-factor authentication, but the Google Authenticator smartphone app seems too cumbersome.  Or maybe you are not a smartphone owner, because you don't like the idea of a phone that can track your location to within a few feet and keeps sharing all your personal data with the apps on it.  So you own a flip phone with ...


Removing TFA from an Account in Authenticator

Google Authenticator is my favorite go-to app for setting up two-factor authentication.  But what if you want to remove an account from Google Authenticator?

I set up two-factor authentication for Facebook and the Authenticator app did not work.  So I tried again, and ended up with two accounts on the Authenticator list, neither of which worked.  This pushed other working accounts down far enough that ...


Two Factor Authentication for WordPress

Hardening and securing WordPress websites is one of my specialties.  We have reported previously on three of the best WordPress security plugins: Sucuri, BulletProof and Wordfence.  I can tell you that each of these plugins performed admirably against the continuous barrage of brute-force and password-reset attacks that my sites have endured.  Security appeared to be strong, but I wanted more.

I have been deploying two-factor authentication (TFA) everywhere I can, in order to overcome the inherent weakness of password ...


Smartphone and Tablet Security Solutions

On Wednesday we discussed the many, many ways your smartphone is vulnerable to attack.  Today we will look at solutions.  Smart mobile devices need to be secured just as you would secure a laptop or desktop computer.  The small size and easy portability of smartphones and tablets make them easier to steal or lose.  Some of our recommendations:

  • Record the electronic serial number (ESN) of your phone or tablet. This is information you will ...

Inside the Perimeter

Ah, the good old days, when perimeter defenses and endpoint security software were all you needed to keep your network secure.  Was it ever really that simple?  Probably not, but many business owners and IT professionals still hope that keeping the firewall and antivirus updated is enough.

More than 90% of attacks start as an email in somebody's inbox.  According to NSS Labs, 97% of all breaches are enabled by ...


Adaptive Authentication To The Rescue

Keith Graham of SecureAuth was interviewed for a recent TechRepublic article, and the subject of adaptive authentication came up.  He defined adaptive authentication this way:

“Adaptive authentication involves evaluating risk around the login process before the user even authenticates so that the system only steps up, or outright denies, the authentication when it deems a logon as a risk. Hence, it ...
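In practice that definition comes down to a scoring function run before the password is even checked: every signal about the attempt (device, location, time of day, source IP reputation, recent failures) adds to a risk score, and the score picks one of three outcomes.  The following is an added illustration written for this page; it is not SecureAuth's model, and the signals, weights, thresholds, blocklist entry (a TEST-NET address) and sample logins are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class LoginAttempt:
    user: str
    ip: str
    country: str
    device_id: str
    hour_utc: int
    failures_last_hour: int = 0


@dataclass
class UserProfile:
    known_devices: set
    usual_countries: set
    usual_hours: range


# Constructed blocklist (TEST-NET address); a real deployment feeds this from threat intel.
KNOWN_BAD_IPS = {"203.0.113.7"}


def risk_score(attempt: LoginAttempt, profile: UserProfile) -> int:
    """Add up risk signals for one attempt. Weights are illustrative assumptions."""
    score = 0
    if attempt.device_id not in profile.known_devices:
        score += 30                                  # unrecognised device
    if attempt.country not in profile.usual_countries:
        score += 40                                  # unusual geography for this user
    if attempt.hour_utc not in profile.usual_hours:
        score += 10                                  # outside the user's normal hours
    if attempt.ip in KNOWN_BAD_IPS:
        score += 60                                  # source IP on a blocklist
    score += 10 * min(attempt.failures_last_hour, 5)  # recent password failures, capped
    return score


def decide(score: int, step_up_at: int = 30, deny_at: int = 80) -> str:
    """Map a score to the three outcomes in Graham's definition."""
    if score >= deny_at:
        return "deny"
    if score >= step_up_at:
        return "step_up"     # demand a second factor before accepting the password
    return "allow"


def evaluate(attempt: LoginAttempt, profile: UserProfile) -> tuple:
    score = risk_score(attempt, profile)
    return score, decide(score)


# Constructed profile: one known laptop, logs in from the US during the working day.
ALICE = UserProfile(known_devices={"laptop-7f3a"}, usual_countries={"US"}, usual_hours=range(7, 20))

if __name__ == "__main__":
    samples = [
        LoginAttempt("alice", "198.51.100.4", "US", "laptop-7f3a", 9),
        LoginAttempt("alice", "198.51.100.4", "US", "phone-new", 9),
        LoginAttempt("alice", "203.0.113.7", "RO", "unknown-vm", 3, failures_last_hour=4),
    ]
    for attempt in samples:
        print(attempt.device_id, evaluate(attempt, ALICE))
```

The useful property is that the everyday login (known laptop, usual place and time) never sees the second factor, while the attempt that looks like credential stuffing from a blocklisted address is refused before the password is ever compared.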
