Does multi-factor authentication hold the key?

Chris Harget believes the recent LinkedIn hack could easily have been prevented by using multiple security credentials

Most of us have heard that LinkedIn, which boasts 161 million members, has just suffered a security breach in which some 6.5 million passwords may have been compromised.

Online dating website eHarmony was hacked shortly thereafter.

Phishing associated with the compromised passwords began almost immediately.

Most of the users apparently had simple, easily guessed passwords – hundreds of thousands reportedly included the word LinkedIn.

In all likelihood, we'll find that a hacker compromised details of someone with access to LinkedIn, probably an employee, and then used those credentials to exploit the internal systems and poke around until they found the password files in question.

If this was the root cause of the hack, it could have been easily avoided – had LinkedIn been using an effective and secure authentication method to ensure that users are correctly identified.

Multi-layer authentication can protect sensitive information such as passwords. It means a user must present two out of three credentials to gain access. It works best at critical access layers, such as Windows log-in, VPNs, internal servers, or in front of cloud applications.

Even if one user is untrustworthy or one machine compromised, this method will still inhibit hacking.

The credentials may include:
• Something the user knows, such as a password or PIN
• Something the user has, such as a bank card, smartcard, or a one-time password
• Something that pertains to the user or that he or she can gain access to, such as a fingerprint, voice print, retina scan, or use of advanced behaviour analysis.
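
The two-out-of-three rule above, as an added example that is not part of the original article: a login check that grants access only when two different credential categories verify, here a password (something the user knows) and a time-based one-time password (something the user has). The account values, the function names and the choice of PBKDF2 and RFC 6238 one-time passwords are assumptions made for illustration; no verifier is included for the third category.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per one-time-password window (RFC 6238 default)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 time-based variant: the counter is the current time step."""
    return hotp(secret, int(at) // STEP, digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_knows(user: dict, password: str, now: float) -> bool:
    expected = user["pw_hash"]
    return hmac.compare_digest(hash_password(password, user["salt"]), expected)

def verify_has(user: dict, code: str, now: float) -> bool:
    # Accept the current and the previous window to tolerate clock drift.
    return any(
        hmac.compare_digest(
            totp(user["otp_secret"], now - drift * STEP).encode(), code.encode())
        for drift in (0, 1))

# Category name -> verifier. Unknown categories never count as verified.
VERIFIERS = {"knows": verify_knows, "has": verify_has}

def authenticate(user: dict, presented: dict, now: float) -> bool:
    """Grant access only if two different credential categories verify."""
    verified = {cat for cat, value in presented.items()
                if cat in VERIFIERS and VERIFIERS[cat](user, value, now)}
    return len(verified) >= 2

# Constructed sample account (hypothetical values, for illustration only).
SALT = b"constructed-salt"
USER = {"salt": SALT,
        "pw_hash": hash_password("LinkedIn123", SALT),
        "otp_secret": b"12345678901234567890"}
```

With this check a stolen or guessed password on its own is rejected, because it satisfies only one category.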

These types of breaches are becoming far too common. What sort of technologies do your customers have to prevent security breaches of this nature?

Chris Harget is senior product marketing manager at ActivIdentity