Three great alternatives to two-factor authentication via text message

Asking customers or employees to pull out their phones and input a code every time they want to log onto your site is too much friction.

Toopher is an ambitious two-factor authentication tool.


After a series of high-profile account hijackings, Twitter last week finally joined the likes of Google and Facebook and introduced two-factor authentication. Users who opt in must now enter a code, sent to their cell phone by text message, each time they log into the microblogging service.

While Twitter's decision to provide account holders with two-factor authentication is good news--especially considering the string of news organizations and big brands such as Jeep and Burger King that have been hacked in recent months--some experts warn that it won't be enough to prevent the hijacking of high-profile accounts.

For one thing, the new security option isn't likely to help organizations that have many staff members posting to a single Twitter account, since they obviously don't all carry the same mobile phone. It also won't protect users from real-time phishing (man-in-the-middle) attacks, in which a user is lured to a fake Twitter login page and enters his or her credentials and the six-digit two-factor authentication code; the attacker relays both to the real site before the code expires and thereby gains entry to the account.

For brands, a hacked Twitter account can be disastrous. It's not only costly to shut down an account and extricate it from a hacker's control, but there are also customer relations and reputation management concerns to consider. Stock prices can even take a beating, as they did in April when the Associated Press's account was breached and hackers tweeted about explosions at the White House.

The good news is that SMS codes sent to mobile phones are far from the only way you can use two-factor authentication to protect your brand. Here are three other good options to consider.

Hardware Token: The YubiKey

The YubiKey, made by a Swedish-American company called Yubico, is a small piece of hardware that looks like a USB stick and plugs into the USB port of your customer's or employee's computer. It registers as a keyboard: each time a user logs onto your website or system, he or she touches the button on the YubiKey and it types a one-time password, which proves that the person holds the registered key. Yubico also makes a near-field communication (NFC) variant of the device called the YubiKey NEO, which can deliver the same one-time password contactlessly to NFC-enabled mobile devices.

Scads of high-profile companies are equipping employees, users and customers with YubiKeys, including Google, Microsoft, the U.S. Department of Defense and the government of Turkey. Yubico is also partnering with several single sign-on services, including OneLogin and Clavid, so that the YubiKey can work across dozens of services including Adobe, Salesforce, LinkedIn and more. It also works with password managers such as LastPass, PasswordSafe and Passpack. In fact, the company says more than one million users in 120 countries are using the hardware token.

"A service provider who wants to add YubiKey support could choose to use OATH, [the open authentication standard], our free open source server components, or our hosted service, the YubiCloud," says Yubico CEO Stina Ehrensvard. "With a simple web API, it takes approximately 20 minutes to integrate the YubiCloud, which works out-of-the-box with a YubiKey purchased on the Yubico web store."
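What a service provider's side of that integration has to check, as an added example that is not Yubico's code and not the YubiCloud API: a Go verifier for the YubiKey OTP format, written against the format Yubico documents in its open-source components. The 44-character OTP is ModHex (a 16-letter alphabet that types the same on most keyboard layouts); the first 12 characters are the key's public ID, the remaining 32 are one AES-128 block encrypted with a per-key secret that holds a private ID, a counter that increments when the key powers up, a timestamp, a per-session counter and a CRC. The key-record schema, the AES key, the private and public IDs, and the MakeOTP helper used to exercise the verifier are all constructed for this example; a real YubiKey generates the OTP in hardware with a secret that never leaves the device.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
	"strings"
)

const modhex = "cbdefghijklnrtuv" // ModHex alphabet: the 16 letters the key types

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i < len(s); i++ {
		v := strings.IndexByte(modhex, s[i])
		if v < 0 {
			return nil, fmt.Errorf("invalid modhex character %q", s[i])
		}
		out[i/2] = out[i/2]<<4 | byte(v)
	}
	return out, nil
}

// crc16 (poly 0x8408, init 0xffff): over a well-formed 16-byte token, complemented CRC included,
// the register ends at the constant 0xf0b8, which is the integrity check VerifyOTP applies.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			lsb := crc & 1
			crc >>= 1
			if lsb != 0 {
				crc ^= 0x8408
			}
		}
	}
	return crc
}

// KeyRecord is what the verifier stores per enrolled key (constructed schema).
type KeyRecord struct {
	AESKey      []byte  // 16-byte secret programmed into the key at enrolment
	UID         [6]byte // private id carried inside the encrypted part
	LastUseCtr  uint16  // highest counters accepted so far, for replay checks
	LastSession uint8
}

// VerifyOTP checks a 44-character OTP; on success it returns the (power-up, session) counters
// and advances the key's replay state.
func VerifyOTP(otp string, keys map[string]*KeyRecord) (uint16, uint8, error) {
	if len(otp) != 44 || keys[otp[:12]] == nil { // first 12 chars: public id, sent in the clear
		return 0, 0, fmt.Errorf("otp must be 44 modhex characters with an enrolled public id")
	}
	rec := keys[otp[:12]]
	ct, err := modhexDecode(otp[12:]) // remaining 32 chars: one AES-128 block
	block, err2 := aes.NewCipher(rec.AESKey)
	if err != nil || err2 != nil {
		return 0, 0, fmt.Errorf("malformed otp or key record: %v %v", err, err2)
	}
	pt := make([]byte, 16)
	block.Decrypt(pt, ct) // exactly one block, so raw ECB is the intended mode
	if crc16(pt) != 0xf0b8 {
		return 0, 0, fmt.Errorf("crc mismatch: wrong key or corrupted otp")
	}
	if string(pt[:6]) != string(rec.UID[:]) {
		return 0, 0, fmt.Errorf("private id does not match enrolled key")
	}
	useCtr := binary.LittleEndian.Uint16(pt[6:8]) & 0x7fff // top bit is a flag, not part of the count
	session := pt[11]                                      // bytes 8-10 hold the 8 Hz timestamp
	// Replay protection: the pair (useCtr, session) must strictly advance.
	if useCtr < rec.LastUseCtr || (useCtr == rec.LastUseCtr && session <= rec.LastSession) {
		return 0, 0, fmt.Errorf("replayed or stale otp")
	}
	rec.LastUseCtr, rec.LastSession = useCtr, session
	return useCtr, session, nil
}

// MakeOTP plays the key's role so the verifier can be exercised offline; a real YubiKey does this
// in hardware with a secret that never leaves the device.
func MakeOTP(publicID string, key []byte, uid [6]byte, useCtr uint16, session uint8) string {
	pt := make([]byte, 16)
	copy(pt, uid[:])
	binary.LittleEndian.PutUint16(pt[6:8], useCtr)
	pt[8], pt[9], pt[10], pt[11] = 0x21, 0x43, 0x05, session // timestamp (constructed) and session counter
	pt[12], pt[13] = 0x9c, 0x3e                              // random filler (constructed)
	binary.LittleEndian.PutUint16(pt[14:16], ^crc16(pt[:14])) // complemented CRC of the first 14 bytes
	block, _ := aes.NewCipher(key)
	ct := make([]byte, 16)
	block.Encrypt(ct, pt)
	enc := make([]byte, 0, 32)
	for _, c := range ct {
		enc = append(enc, modhex[c>>4], modhex[c&0x0f])
	}
	return publicID + string(enc)
}

func main() {
	key, uid := []byte("0123456789abcdef"), [6]byte{0x8f, 0x10, 0x4a, 0x55, 0x02, 0xe7} // constructed
	keys := map[string]*KeyRecord{"ccccccbchvth": {AESKey: key, UID: uid}}
	otp := MakeOTP("ccccccbchvth", key, uid, 3, 1)
	_, _, first := VerifyOTP(otp, keys)
	_, _, again := VerifyOTP(otp, keys) // same OTP resubmitted: rejected as a replay
	fmt.Println(otp, first, again)
}
```

Integrating through the hosted YubiCloud instead moves the decryption and the replay bookkeeping to Yubico's servers, but one check stays with the site either way: the public ID only identifies a key, so the service must keep its own mapping from public ID to user account and refuse an OTP from a key that account never enrolled.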

An enterprise with up to 5,000 users that uses Yubico's hardware, software and services can expect to pay $13 per year per YubiKey--somewhere around $318,000 over five years. For smaller businesses, Ehrensvard says, it's possible to purchase a tray of 50 YubiKeys from Yubico's web store. This is a one-time cost of $750, and the keys work with the free version of YubiCloud or the free open-source software.

Ehrensvard said her company is working with Google and other IT giants on a new open authentication standard: "This is expected to be launched in 2014, allowing our premium YubiKey, the YubiKey NEO, to work out of the box with Google services and a range of other cloud and financial services."

A User's Phone Location: Toopher

The Toopher two-factor authentication solution can be installed on a company's website with just a few lines of code, and it works through an app on a user's phone. When the person begins to log onto a site, the service verifies the attempt by checking which computer they're using and where their phone is physically located.

After installing the Toopher app, the user pairs it with your web service. The first time the person logs onto your site from a new location, he or she must approve the login through the app. After that first approval from a particular location, a user can opt to have subsequent logins approved automatically, so that the app runs in the background and the second factor is checked invisibly rather than skipped. In this way it differs from the SMS-based two-factor authentication used by Twitter, Google and Facebook, which requires users to enter a code each time they log in.

Toopher CEO Josh Alexander maintains that hassle will keep adoption of Twitter's new two-factor authentication option low: "Having to pull your phone out of your pocket every single time you want to do something as arbitrary as logging in is too much friction."

Toopher is free for companies with 50 users or fewer. While pricing can be as high as $2.50 per user per month for internal deployments, it scales to pennies per user per month for sites and companies with thousands of users.

A Smart Complement to Two-Factor Solutions

While it isn't a two-factor authentication provider, Redwood City, California-based Impermium protects websites and individual users from account hijacking by using proprietary statistical and machine-learning models to provide threat intelligence and risk-based authentication.

Started in 2010 by Mark Risher, who was formerly general manager of Yahoo Mail, the company has garnered around 500,000 companies as clients, including CNN, Pinterest, Typepad and Tumblr.

The draw? Because Impermium monitors how people behave across all those sites, including how they use social media, the company can tell whether someone trying to log in to a site has a history of abuse or of good behavior, and in that way it can predict whether an attempt is likely to be an attack. Basically, it sniffs out deviations in user behavior across all those online territories, looking at what devices people are using, their network and physical locations, and the social reputation of whoever is trying to log in.

Impermium offers two products: one for business users of software as a service platforms and another that protects companies' websites.

The former, called Accountability, is a new service that monitors Twitter, Salesforce, Box, Facebook and Marketo accounts and sends email or text-message alerts to users if it detects suspicious activity. For now, the beta service is free.

Impermium's second product, called CloudSentry, helps web-hosted applications identify suspicious behavior.

"It integrates into the log-in flow of the site and performs analyses of the circumstances around someone trying to connect," Risher says. "So if you're logging in from [your usual city] from your regular iPad that you use all the time, that's a low-risk scenario and we'd identify it as such. If someone is logging in with your credentials from a cybercafé in Indonesia, that is a higher-risk scenario and so we would give that a higher risk rating and suggest that [a client] maybe suspend the account, give it some reduced privileges, or ask for a secondary authentication like Toopher."

Risher likens what Impermium offers to the alarm system that augments the locks on the front door of your house, and in that way it is an important complement to two-factor authentication solutions.

"YubiKey and Toopher... are both well regarded products that strengthen the front door. But a site and an application needs intelligence, needs real-time risk analyses to be able to determine [whether] even if someone has the key, should we let them in or not?"
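The decision flow the Toopher section and Risher's CloudSentry quote both describe, as an added example: a login is scored on how unfamiliar its device, country and network are for this user, on whether it implies impossible travel since the last accepted login, and on an external reputation signal for the device; low scores pass silently, medium scores trigger the second factor, high scores are blocked. This is illustrative Go, not Toopher's or Impermium's algorithm: the signal schema, the point weights, the thresholds, the reputation lookup and the sequence of logins are all constructed for the example. Recording an accepted context is what produces the "approve once from a location, then automatic" behaviour the Toopher section describes.

```go
package main

import "fmt"

// LoginContext is the set of signals a service sees at log-in time (constructed schema).
type LoginContext struct {
	User    string
	Device  string // a stable device identifier, e.g. a fingerprint of "your regular iPad"
	Country string
	Network string // the ASN the connection arrives from
	Time    int64  // Unix seconds
}

type Decision int

const (
	Allow  Decision = iota // low risk: no prompt, the second factor is checked silently
	StepUp                 // medium risk: ask for the second factor (app approval, OTP, ...)
	Block                  // high risk: suspend or reduce privileges pending review
)

func (d Decision) String() string {
	return [...]string{"allow", "step-up", "block"}[d]
}

// History is what the service remembers per user: contexts the user has already approved,
// plus the last accepted login for the velocity check.
type History struct {
	Devices, Countries, Networks map[string]bool
	LastCountry                  string
	LastTime                     int64
}

func NewHistory() *History {
	return &History{Devices: map[string]bool{}, Countries: map[string]bool{}, Networks: map[string]bool{}}
}

// Reputation stands in for the cross-site abuse signal the article describes; here it is a
// constructed lookup from device identifier to a prior-abuse score.
type Reputation map[string]int

// Score adds up constructed risk weights for everything unfamiliar about this login and
// returns the reasons alongside the total so the decision can be explained in logs.
func Score(h *History, rep Reputation, c LoginContext) (int, []string) {
	score, why := 0, []string{}
	add := func(points int, reason string) {
		score += points
		why = append(why, reason)
	}
	if !h.Devices[c.Device] {
		add(30, "new device")
	}
	if !h.Countries[c.Country] {
		add(25, "new country")
	}
	if !h.Networks[c.Network] {
		add(15, "new network")
	}
	// Impossible travel: a different country within an hour of the last accepted login.
	if h.LastCountry != "" && c.Country != h.LastCountry && c.Time-h.LastTime < 3600 {
		add(30, "impossible travel")
	}
	if r := rep[c.Device]; r > 0 {
		add(r, fmt.Sprintf("device reputation %d", r))
	}
	return score, why
}

// Decide maps a score onto the three outcomes in Risher's quote (thresholds are constructed).
func Decide(score int) Decision {
	switch {
	case score < 30:
		return Allow
	case score < 80:
		return StepUp
	default:
		return Block
	}
}

// Record is called once a login is accepted, either directly or after the user passed the
// step-up. Remembering the context is what turns "approve once" into "automatic next time".
func Record(h *History, c LoginContext) {
	h.Devices[c.Device], h.Countries[c.Country], h.Networks[c.Network] = true, true, true
	h.LastCountry, h.LastTime = c.Country, c.Time
}

func main() {
	h, rep := NewHistory(), Reputation{"dev-spam-77": 60} // constructed abuse record
	for _, c := range []LoginContext{ // constructed sequence of logins for one user
		{"alice", "ipad-1a2b", "US", "AS7922", 1000000},   // first ever login: pairing
		{"alice", "ipad-1a2b", "US", "AS7922", 1003600},   // same context an hour later
		{"alice", "cafe-pc-9f", "ID", "AS17974", 1004000}, // cybercafe abroad, minutes later
		{"alice", "dev-spam-77", "US", "AS7922", 1100000}, // home country, known-bad device
	} {
		s, why := Score(h, rep, c)
		d := Decide(s)
		fmt.Printf("%-12s %s %3d %-8v %v\n", c.Device, c.Country, s, d, why)
		if d != Block { // the step-up is assumed to succeed in this walkthrough
			Record(h, c)
		}
	}
}
```

The step-up branch is where a second factor such as Toopher's app approval or a YubiKey OTP plugs in; what the score adds is the ability to skip that prompt for a context the user has already approved, and to refuse outright when the context is bad enough that a correct second factor should not be trusted either.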

Stories by Christina DesMarais
