The following is a Q&A on security and Two-Factor Authentication (2FA) with Bill Stearns, Dyn’s Director of Security, and Rick Phillips, Product Manager, Digital Business, by Larry Concannon, Director of Product Marketing.
BS: My team is responsible for all aspects of security at Dyn, both online and at our facilities around the world. This ranges from the physical security at our 20 data centers to how our employees manage their passwords.
We are a SaaS company; why is security a concern for those that go to the cloud?
BS: When any organization decides to use a cloud service provider, they are entrusting them with their security as well as the main service that is provided. There are many dysfunctional and daunting aspects to cyberspace — phishing, spam, hacking, DDoS attacks, BGP hijacks, man-in-the-middle attacks, etc. When Dyn’s customers use our cloud-based solutions, they are trusting us and depending on us to shield them from the negative consequences of these malicious activities.
Recently there has been some press coverage connecting recent data breaches and privacy leaks with poor password policies. What is the problem with passwords?
BS: Passwords have long been used to provide access to systems such as websites, operating systems, applications, etc. There are a number of security problems with using the simple “username/password” method for access control. In order to be secure, passwords need to be long and/or complex, but this leads people to write them down or save them in text files. As passwords are long and complex, people use the same password on multiple web sites. An attacker may get a list of user accounts and passwords from a data breach on one site and then use them on other websites. Passwords can be stolen by watching the user type them, something we call “shoulder surfing”. Finally, passwords can be stolen by malware on the system itself; the program watches all the keys typed and sends what it sees to an attacker who can then log in as the user.
For those reasons, many companies, including Google, Facebook, LinkedIn and Apple, have implemented another layer of security called Two-Factor Authentication, also known as “2FA”.
Is 2FA something that replaces passwords?
BS: No, 2FA improves the security of password-based systems. Passwords are a good start, but more is needed to validate the user. A password by itself is considered one-factor authentication; we provide a single object — the password — to identify ourselves. That single factor is described as “something you know”. A second factor is “something you have”. A good example is your debit card (something you have) and the PIN code (something you know). In the cloud security world a common use is your mobile phone (something you have) with a one-time code and your password (something you know).
Rick, tell me about your role here at Dyn.
RP: I’m part of the Product Group and am the Product Manager for Digital Business. I’m responsible for the way in which our customers conduct business with us. That includes all customer-facing portals for product access, billing, and service. It is my job to identify and work with the Development team to reduce any friction that is identified. We want to make doing business with Dyn a painless event by reducing any friction and manual steps it takes to interact with us.
Is 2FA the same as answering a secret question like your pet’s name?
RP: Not at all. Many password challenges ask you to answer a secret question along with your password but that is just more of what you know, not something you have. Two-Factor relies on something you have, like a mobile phone.
How has Dyn implemented 2FA?
RP: With 2FA for web services, the login credentials are what you know and your mobile phone is what you have. Typical implementations prompt you for a security code after you enter credentials. That code is obtained either from a short text message (SMS) that the service sent to your mobile phone or a time-based code (TOTP) from a mobile app such as Google Authenticator. You read the code and enter it into a box on the web page, a little bit like a second password.
There are a few differences, though. Unlike a password, the code sent to your mobile phone changes every time you log in. Even if an attacker could see the text message on the phone or see it being entered into the web page, it wouldn’t do them any good to try to use it as it only works once (it’s called a “one-time password”). It’s not possible to log into the account without both knowing the password and having the mobile phone for two-factor authentication.
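As an added example, not code from Dyn or from the interviewees, the following shows how the time-based code (TOTP) described above is produced on the phone and checked on the server, including the “only works once” rule: a code that has already been accepted is rejected if it is presented again. The secret is the published RFC 4226/6238 test-vector key, not a real enrollment secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector key ("12345678901234567890" in base32); a demo value, not a real secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret_b32: str, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second window (what the app shows)."""
    return hotp(secret_b32, now // step, digits)


class TotpVerifier:
    """Server-side check: tolerate one window of clock drift, and never accept the same window twice."""

    def __init__(self, secret_b32: str, step: int = 30, drift_windows: int = 1):
        self.secret = secret_b32
        self.step = step
        self.drift = drift_windows
        self.last_counter = -1  # highest window already spent by a successful login

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter <= self.last_counter:
                continue  # replay: this window's code has already been used
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print("current code for the demo secret:", totp(DEMO_SECRET_B32, int(time.time())))
```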
What is “Sticky 2FA”?
RP: Usually, 2FA requires the user to enter a code from their mobile phone every time they require access. With “Sticky 2FA” there is an option to only require the code to be entered every 30 days. This is an option with 2FA on the Dyn Portal.
Is 2FA required or optional?
RP: The use of 2FA is optional for each of our customers, but when the account administrator decides to use 2FA, all users from that account will be required to use 2FA. This ensures that security integrity is maintained across all logins. Here at Dyn, the use of 2FA is required for all employees. We do not want our own employees to be a possible security weakness for our customers.