
Article in [IN]Secure magazine: Adding two-factor to Google apps

You can download the latest [In]Secure Magazine Issue 34 in pdf format here:

The article is a proof-of-concept of how to add two-factor authentication to Google Apps for your Domain using our open-source Community Strong Authentication server and our PoC HTML5 token.  This particular PoC was chosen to highlight the growing focus on cloud-based services, the need for corporate control, and the trade-offs between security and usability.

I think everyone understands the growth of cloud-based services.  What I think is less appreciated is the growing impact that Identity Management has in the cloud world.  I am reminded of how the move from IPsec VPNs to SSL-based VPNs highlighted the need for stronger authentication.  The move to cloud is similar, but even more so.

Google Authenticator is an admirable solution for stronger authentication, but it doesn't provide enterprises with the necessary control or support capabilities.  Google strongly advises users to download a list of codes to use in case of an emergency.  It's a good idea, but hardly a corporate support solution.  I have locked myself out of a Google account and the support was a bit slow, to say the least (luckily it was just a test account).

Finally, we like to talk about usability and security.  Security geeks love to poke holes in things.  It's what they are paid and trained to do.  But we all recognize that security is about trade-offs.  I often hear "I want biometrically secured smart-cards on TPM-based hardware so I know my users are who they say they are and attacks are limited to active sessions that I monitor".  Well, fine, but: 1. Can you afford it? and 2. Will your users accept it?  Or will they go around it?

Our HTML5 software token is a step in the opposite direction.  It is free and open-source.  It's arguably less secure than, say, our locked token or a token on a separate device like our iPhone/Android/Win7 mobile tokens.  But think about the number of times a static password is used.  What percentage of them require some level of security?  Would you implement two-factor authentication if it were easier for the user than static passwords?

It is not OK just to say HTML5 is not secure.  You have to compare it to other technologies.  And you have to consider usability and expense too.
