With more companies now reliant on cloud computing, service providers have been trying to find ways to invest in security to make the environment safer and more welcoming. John Mello wrote on Network World that the impetus for Microsoft to start improving its offerings came in the fall of 2012, following the acquisition of PhoneFactor, a two-factor authentication system. Now the company is starting to roll out the solution. Users who log into their Microsoft cloud account from a device that has not yet been "trusted" will have to enter a security code that is either sent to their phone or randomly generated by an application that can be easily installed on a smartphone or tablet.
Liveside, a Microsoft news website, said that users setting up "two-step verification" for their Microsoft login will likely be reminded of the similar features offered by Gmail and Dropbox. The authenticator app is already available on the company's website, but it is not yet up and running.
"One of the limitations of the two-step verification feature is that it will not work with linked accounts, as such users are required to unlink all their linked accounts before turning the feature on," Liveside said, noting a drawback of the new data security feature. "In addition, some apps or devices that use Microsoft account might not support two-step verification (such as the mail app on some phones), as such Microsoft also added a feature called 'app password.' When you have turned on two-step verification and sign in to an app or device that doesn't support the feature, simply generate an app password from the Microsoft account website, and enter that into the password field to sign in."
An increasingly popular tactic
While some large networks, such as LinkedIn and Twitter, don't yet use two-step authentication, Rob Pegoraro wrote on USA Today that others, such as Google, Yahoo and Facebook, have been using the system. Twitter and Evernote plan to do so soon, adding more security to some well-frequented websites.
These emerging two-factor authentication adopters all implement the idea with subtle differences: Yahoo and Apple send codes via text messages, while others, like Google, provide apps that generate the codes. Going through the phone is a good approach, he said, because the code arrives on a device separate from the computer being used and expires quickly, so no one else will be able to use it to get into the service.
"As long as you have phone service, this is a great option for logins from strange computers; an attacker can't get anywhere with the code because it expires once you use it," Pegoraro wrote. "But while we're in a paranoid, worst-case scenario, remember that this hypothetical adversary could still record your keystrokes once you log in; don't type anything too sensitive on a random machine."
Best practices for using one-time passwords
Like any other data security measure, users have to take caution when using one-time authentication passcodes. Joel Dubin wrote on TechTarget that one-time-use passwords or tokens can be vulnerable to theft, so there needs to be a strong sense of physical security and smart implementation plans in place.
Some best practices for keeping these passcodes safe include:
– Only activate them once they are in the hands of the existing user
– Never put identifying marks on them that could alert those who want to take them
– Put a time window in place on when they will expire to make them harder to replicate or steal
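The two properties the article relies on, a code that expires after a short time window and that cannot be replayed once used, are easiest to see in the server-side check. The following is an added example, not code from Microsoft, Liveside or the article; it assumes the app-generated codes are standard TOTP (RFC 6238 over HMAC-SHA1), which the article does not state.

```python
import hmac
import hashlib
import struct

# Added example of a server-side verifier for time-based one-time codes.
# Assumption: codes follow RFC 6238 TOTP; the article does not name the
# algorithm Microsoft's authenticator app uses.

STEP = 30      # seconds each code is valid (the expiry "time window")
DIGITS = 6
DRIFT = 1      # accept one step of clock skew on either side


def totp(secret: bytes, t: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Return the code for the time step containing Unix time t."""
    counter = t // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Accept each code at most once, and only while its window is open."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1   # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        for skew in range(-DRIFT, DRIFT + 1):
            counter = now // STEP + skew
            if counter <= self.last_counter:
                continue         # replay: this step's code was already used
            expected = totp(self.secret, counter * STEP)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter   # burn this and all earlier steps
                return True
        return False             # expired, replayed, or simply wrong
```

The `last_counter` bookkeeping is what makes a stolen code worthless after its first use, which is the point Pegoraro makes about logins from unfamiliar machines.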
Data Security News from SimplySecurity.com by Trend Micro.