In recent months, the recommendation of Loricca’s team of security experts has changed regarding extra authentication. Where we have always favored and recommended strong authentication, we now strongly urge clients to adopt two factor authentication (TFA), as it is the only effective way to securely verify users, especially remote users.
How Two Factor Authentication Works
Two factor authentication simply means that the user must prove in two separate ways that they are the registered user requesting access to the system. This is a second layer of identification beyond the password. Early TFA systems used a fob or small device to deliver an individual (often single-use) key code, entered after the password, to ensure that the login was being performed by the correct user.
Not Required by HIPAA Doesn’t Mean You’re Off the Hook
Our team has always informed clients that, even in an industry regulated under HIPAA, there is currently no requirement that you employ a two factor authentication system for employees and users accessing your network. That does not mean regulators cannot hold the lack of a two factor process against a company in an audit or following a breach. It is important to understand the purposefully vague nature of HIPAA regulations. The rules are written to allow companies necessary flexibility, but that flexibility also places a great deal of responsibility on the regulated organization to understand its unique threats and needs and to fashion its compliance strategy appropriately.
Not Required Doesn’t Mean Unnecessary
For various reasons, many companies and websites have resisted (or neglected) adopting two factor authentication. There has been a great deal of discussion about effective passwords, and we have all focused a great deal on what makes a good password. Ultimately, the technology to crack passwords and the diligence of hackers in figuring out passwords have far outpaced the general understanding of most people and their willingness to diligently maintain complicated, secure and unique passwords. We must all admit that more is needed. Another level of authentication is the only way to truly maintain secure access. Or is it?
Has Yahoo Killed the Password?
One possible reason that many have resisted two factor authentication is the hope that some better system or a more convenient alternative would arise. Last week, Yahoo may have shown us the obvious better alternative. Yahoo Mail rolled out the Yahoo Account Key system, which essentially uses the concept of TFA but does away with the password. Ultimately, the second step, that unique one-time key code, was the only secure step in the TFA process. So Yahoo did away with the need for a traditional password altogether. With an “on-demand password” from Yahoo Mail, once a user enters their user name, they are sent a text message with a random, single-use password to complete the sign-in process. Here’s how to set up the new Yahoo Account Key on-demand password option:
Early two factor systems required users to possess a separate device, usually a small random number generator fob to be kept on their keychain. This worked great but was not practical for more than one or two systems and certainly not conducive to widespread adoption.
As smart phones have become ubiquitous, two factor authentication expanded to simple SMS/text-based verification codes, which have gained steady popularity in recent years. Many users have failed to appreciate the value of the added security and chose not to be bothered by the extra step. It seems Yahoo may have eliminated the extra step. As it turns out, the traditional password was the extra step.
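What both the fob code described above and Yahoo’s on-demand password rely on is that the code is random, short-lived and accepted exactly once. As an added illustration that is not Loricca’s or Yahoo’s code, this Python sketch models the server side of such a code: the five-minute lifetime, the five-guess budget, the user names and the `OnDemandCodeStore`, `_hash_code` and `demo` names are all assumptions.

```python
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 300  # assumed lifetime; the post does not state Yahoo's real value
MAX_ATTEMPTS = 5        # assumed guess budget, so a six-digit code cannot be brute-forced

def _hash_code(salt, code):
    return hashlib.sha256(salt + code.encode()).digest()

class OnDemandCodeStore:
    def __init__(self, now):  # pass time.time in production; demo() injects a fake clock
        self._now = now
        self._pending = {}  # user -> [salt, code_hash, expires_at, attempts_left]

    def issue(self, user):
        code = f"{secrets.randbelow(10**6):06d}"  # random code; this is what the SMS carries
        salt = secrets.token_bytes(16)  # only a salted hash is stored, so a copied store exposes no live code
        self._pending[user] = [salt, _hash_code(salt, code), self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, user, submitted):
        record = self._pending.get(user)
        if record is None:
            return False  # never issued, already used, or burned by too many guesses
        salt, expected, expires_at, _ = record
        if self._now() > expires_at:
            del self._pending[user]  # stale code is discarded rather than left to be guessed
            return False
        if hmac.compare_digest(expected, _hash_code(salt, submitted)):
            del self._pending[user]  # single use: replaying the same code fails from here on
            return True
        record[3] -= 1
        if record[3] <= 0:
            del self._pending[user]  # budget exhausted: the user must request a fresh code
        return False

def demo():  # correct use, replay, expiry and guessing, driven by a fake clock
    clock = [0.0]
    store = OnDemandCodeStore(now=lambda: clock[0])
    code = store.issue("alice")
    results = {"first": store.verify("alice", code), "replay": store.verify("alice", code)}
    code = store.issue("alice")
    clock[0] += CODE_TTL_SECONDS + 1
    results["expired"] = store.verify("alice", code)
    code = store.issue("bob")
    results["wrong_guesses"] = any(store.verify("bob", "guess") for _ in range(MAX_ATTEMPTS))
    results["after_budget"] = store.verify("bob", code)
    return results
```

The code itself is never stored in clear and never survives its first successful use, which is the property that made the second step the secure one.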