Passwords are a security nightmare. Any system is only as secure as its weakest link and the human element inherent in passwords makes them insecure. Most MSPs and Solution Providers have a story of finding a password on a note taped to a monitor, or to the back of a phone, or written down on the desk by the keyboard.
The basic premise of a password, of course, is the idea that you are verifying your identity by providing a token of identity. In this case, it’s information you have, or “something you know.” Many things can be used to verify identity. Your driver’s license or passport proves your identity by using a photograph that has been verified next to your name. This is also known as “something you are”. Fingerprint identification is also a way of identifying an individual by something that they are.
Finally, you can verify identity by “something that you have.” Keys are based on this idea. By putting a key into a lock, you can verify that you are correctly allowed into a building because you have the proper key to the door. Like passwords, of course, keys can be given to someone else. Unlike passwords, they are more limited in their risk, because they physically exist.
Each of these, used on its own, is “single factor authentication”. In order to move towards a more secure verification process, many systems have begun implementing “two factor authentication”. As might seem obvious, this layers security by requiring two of these criteria rather than just one. Computer systems started implementing this with electronic tokens more than fifteen years ago, where a small token was issued to an individual user, which generated a number every 60 seconds according to a known algorithm. When combined with a password, we could ensure the user was who they said they were by not only the password – something they know – but also by the code on the token – something they have.
With the rise of smartphones, it has become much easier to place a token generator into the hands of users. Instead of requiring a new piece of hardware for every user, a device they already carry can be augmented to provide a token generator, and then provide that token when needed. When combined with a password, this two factor authentication is dramatically more secure than a password alone.
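The check described above, as an added example that is not code from the original post or from any product it mentions: a server verifies a password and a 60-second time-based code together. The post does not name the token algorithm, so this assumes the open TOTP standard (RFC 6238, built on RFC 4226) with 6-digit codes and a PBKDF2 password hash; all function names and the sample account are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds each code is valid, as with the tokens described above
DIGITS = 6   # assumed code length; the post does not state one

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, int(now) // step, digits)

def check_code(secret: bytes, submitted: str, now: float, last_used: int = -1, drift: int = 1):
    """Return the matched time step or None; allows clock skew, refuses replays."""
    current = int(now) // STEP
    matched = None
    for step in range(max(0, current - drift), current + drift + 1):
        ok = hmac.compare_digest(hotp(secret, step).encode(), submitted.encode())
        if ok and step > last_used:
            matched = step
    return matched

def hash_password(password: str, salt: bytes) -> bytes:
    # Assumed storage scheme: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def login(user: dict, password: str, code: str, now: float) -> bool:
    """Both factors must pass; both are always evaluated before answering."""
    knows = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    step = check_code(user["totp_secret"], code, now, user["last_step"])
    if knows and step is not None:
        user["last_step"] = step  # burn the code so it cannot be reused
        return True
    return False

# Constructed sample account; the secret is the published RFC 4226 test key.
SAMPLE_USER = {"salt": b"constructed-salt", "last_step": -1,
               "totp_secret": b"12345678901234567890"}
SAMPLE_USER["pw_hash"] = hash_password("correct horse", SAMPLE_USER["salt"])
```

A stolen password alone fails `login`, and so does a captured code once its time step has been used or has aged out of the drift window.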
This mechanism is so secure, many popular services have already implemented it. Microsoft, Google, Dropbox, Evernote, Yahoo, Facebook, Twitter, and many others have implemented this additional layer of security to help reduce compromised data and compromised accounts.
MAX, and our MAX RemoteManagement platform, have now launched two factor authentication into the dashboard. Because of the significant level of access that the MAX dashboard provides, allowing for complete remote administration of an MSP’s customers’ networks, this additional level of security can ensure an MSP is doing everything possible to protect the privacy of their customers’ data. In my professional opinion, every MSP should enforce this policy on every login they issue to the MAX dashboard.
Additionally, two factor authentication gives the MSP an opportunity to deliver additional value to their customers. Implemented in the MSP’s own network and with their own systems, it can then be used as a demonstration of the power and ease of the security, and the MSP can then help implement two-factor authentication for the customer as well, as part of a layered security solution.
Security is an ongoing investment. MSPs need to be ever-vigilant in helping their customers reduce risk, and implementing two-factor authentication is one more way that solution providers can add additional value to their customers, as well as protect their own organization from risk.