Two-factor authentication; the easiest way to secure email access

Easy way to improve your organisation's security

As there are several levels and ways to secure the access to your email, we want to share our thoughts on easy-to-use and secure solutions. We often encounter the challenge of having too many passwords or easy passwords that are used too often.

Problem

The recent hacks at e.g. SONY, Nortel and LinkedIn has showed the risk of using passwords many times for several services. Once a service is hacked, the credentials can be used many times to get e.g. more data, more email addresses, more credit card details.

Options

To prevent the usage of too easy passwords for several services, one can think of using:

• secure passwords (thRpf-X%$§1o32 )
• One-Time Passwords (OTPs)
• secure password managers/repositories

Real secure passwords are painful to use because you would need such a password for every service on the internet. Preferably changed from time to time. The only way a normal person can manage this, is with a password repository. It sounds familiar to have an analog repository (notes on paper) but that doesn't fit in the 21st century and is NOT secure at all. Digital repositories on your mobile device or  service on the internet are more the nerdish way to do it these days.

Still, one very important security issue is not covered. The so called "man in the middle" and the possible infection of a device with a virus. When someone "captures" the connection from a device to a server or he gets access to the device itself he can simply record the user name and password.

One-Time Passwords

The answer is OTPs. These passwords are only used once and recording them will not help to hack a system. To use OTPs in a reliable way, you need a device to generate these passwords whenever you need them. These devices already are available for quite some years. Usually, these are attached to a proprietary service under the control of a company. So, you first have to buy a device and then pay a yearly fee for the service. Next to that, you have to trust that specific company and their "hidden" technology. The recent hack at RSA has impressively shown that proprietary technology and big companies fail very easily.

The ideal solution would be an unexpensive easy device that generates these OTPs combined with a service. Preferably this technology is open source to guarantee that many clever people can check if it is secure indeed and to ensure that several services can compete on easy usage and costs.

Solution

Well, a solution that covers all of this is the Yubikey. The YubiKey is a hardware authentication token that looks like a small USB memory stick, but it is actually a keyboard. With the command of an integrated touch button, the device can send a time-variant, secure login code as if it was typed in from a keyboard. And because USB keyboards are standard on all computers the YubiKey works on all platforms and browsers without the need for client software.

The Yubikey operation and output is configurable, but the basic OTP generation scheme can be conceptually described as:

1. The Yubikey is inserted into the USB port. The computer detects it as an external USB HID keyboard.
2. The user touches the Yubikey's OTP generation button
3. Internally, a bite string is formed by concatenation of various internally stored and calculated fields, including as a non-volatile counter, a timer and a random number.
4. The byte string is encrypted with a 128-bit AES key
5. The encrypted string is converted to a series of characters that are outputted as keystrokes via the keyboard port

Two-factor authentication integration

At Zarafa, we were curious to learn more about Yubikey's two-factor authentication (username and password plus OTP) and how it enables secure webmail access... Have a look at the Zarafa Yubikey authentication integration and feel free to test it yourself.

Good luck!

Useful links:

• Zarafa Yubikey authentication integration