Archives For Microsoft

Two Factors Authentication is a way to authenticate a user with an application. The name derives from the adoption of two of the three different types of authentication, that is with something you know (like a password), something you have (like a phone) or something you are (like your fingerprint or retina map).

In the old days, it was common to rely on password-based protection alone, but passwords have demonstrated multiple drawbacks: first of all, good passwords tend to be difficult to remember; typical passwords tend to be reused across different services, so multiple services are compromised after the first compromise; finally, passwords tend to be related to culture, meaning that people who share the same culture will choose similar passwords. All those pitfalls are well known to attackers, who rely on them to perform massive attacks on passwords.

Nowadays, passwords are considered insecure and therefore should not be used as the one and only authentication method, except for the least important services. Many security experts are declaring that passwords have lost most if not all of their usefulness, and that they should be replaced with something else, soon.

A better solution than using passwords alone is to combine them with another authentication factor. The easiest and most common ones are based on something you have, and what is more common than the cellphone? That means, at the very least, SMS: this is the reason why one of the first ways to do two factor authentication has been by using SMS.

Well, even that must be considered something of the past: very recently, the NIST (the U.S. National Institute of Standards and Technology) has declared SMS to be insecure (see:

What to use, then? The various hardware tokens are mostly safe, even if some attacks have been recorded in the past (see:–securid-customers-may-be-vulnerable.html). Another option is to use one of the various apps that are so common nowadays, something like Google Authenticator or the Microsoft Account app: provided that they are implemented securely, that the phone is secure (that is, not rooted or jailbroken), that updates are installed regularly and that both the O.S. and the app are updated regularly by their developers or makers. On some platforms, not every device is treated the same: some receive updates fast and others never receive them at all!

So, there are many factors that impact the security of an authentication solution, but really the most important factor you should consider is: how much risk are you willing to accept? Even the worst authentication solution has its place in some very specific implementation, if whoever uses it accepts the risk knowingly.

For the moment, this is enough, but the analysis of the various authentication methods could be a good topic for another article.


June 26, 2016

Life prepares you many surprises. You can plan your life as accurately as humanly possible, but you will eventually need to reconsider your plans.
It is not necessarily a bad thing, though. And in my case, I trust it has been for the better.
After I switched to Proactive Support from the Consulting organization within Microsoft, to focus 100% of my time on Security, I planned to improve all my initiatives, blog included. I soon discovered that I needed to dedicate myself entirely to coping with my deficiencies around Infrastructural Security and to meeting the already challenging goals my new organization has defined for me, plus the goals I defined for myself, that is mostly doing whatever I can to expand the importance of Application Security within Microsoft.
This has meant much additional work for me, but also very important successes, like achieving the CSSLP certification (finally!) and recognitions like having been made WW Lead of the Security Development Lifecycle Community within Microsoft, side by side with my good friend Kiyoshi Watanabe, who is an Application Security expert from Japan.
New duties mean more things to do and less time for other things, as I discovered last year. This is the reason why I have written nothing since I switched: I had no juice left to think of anything but the most essential things.
Now it is different: my goals for the new year are set to be more projected toward the community of Application Security practitioners inside and outside Microsoft, because I feel it to be critical for the world I live in and my own future.
Stay tuned for new content and (possibly) a very big surprise, soon. 🙂