Multi-factor Authentication and the Cloud

High-profile security breaches into cloud-based applications like GMail and Google Apps serve to remind us that when people and companies store all their information "out there", security measures are of critical importance.
In most cases the security breaches are "front door" attacks where a hacker has exploited a weak password or the password recovery process. "Security Breach" has many connotations: insecure applications, unpatched servers, back-doors or inside jobs. But where a hacker exploits a weak password or a user's use of a favourite password across multiple sites, who is to blame? Perhaps the only failing in such circumstances is that the application allowed a weak password, or rather that it used single-factor authentication.
The strength of an authentication mechanism can be judged on how many things it depends on. These factors can be grouped into:
  • Things a user knows... username, email address, PIN and password.
  • Things a user possesses... inbox, credit card, mobile phone, security token.
  • Things only a user has... fingerprints, voice, retina, face.
The number of groups involved in an authentication mechanism gives us the number of factors required to authenticate. For example, a passport relies on two factors: possession of the passport and that the person holding the passport looks like the photograph in it (except a little older and fatter).
The all too familiar combination of username and password is a single-factor authentication mechanism. It relies on only one group of things; things that a user knows. If I know your username and password, this is all I would need to authenticate myself as you. Banks and some other companies often use additional fields for authentication like PIN or address. Whilst these do make it more difficult to authenticate, this is still single-factor authentication.

Password Recovery

Most online services provide some form of self-service password reset or recovery function. The behavior we have come to expect is that a temporary password gets emailed to our inbox, or an email is sent that contains a link to a web page where we can enter a new password. Some low-security systems will email your actual password in clear text! In all cases, this makes the inbox central to accessing all our online identities. Own the inbox, and you most likely own all the accounts linked to it.
In the case of the Twitter Attack in July 2009, the attacker's main point of entry was the password recovery process. Once the GMail account was compromised other services could be targeted. The other exploit relied on the user habit of reusing passwords across other sites.

Market Leaders

Two of the heavyweight cloud players have multi-factor authentication offerings. Amazon EC2 supports Multi-Factor Authentication using time-based security token key fobs supplied by Gemalto.
