Several years ago, I visited a friend of mine who showed me a unique gizmo. She was a government employee and needed access to a secure email account. The gizmo, the size of a pocket watch, was a password generator.
Every minute or so, the password generator displayed a new series of digits. My friend used those numbers to access a secure computer. Without it, her user name and password were invalid.
This type of security is known as two-factor authentication. It requires something known and something unknown for complete verification.
As an example of two-factor authentication, consider the typical ATM card. The card itself is one form of ID, but it’s useless without the other form: the PIN.
The gizmo my friend had was most likely an RSA SecurID key fob. It generates a multi-digit number that must be typed in addition to an account name and password. That number forms the second part of the two-factor authentication, which provides a higher level of security than the password itself.
This two-factor authentication is now available on many popular banking and other secure websites. All you need is an app or program that generates an acceptable form of ID. The service is called Verisign Identity Protection or VIP.
The other day I received an email from E*Trade, which is where I hoard my stocks. The email alerted me to the VIP service’s availability. I obtained a free VIP Access app from Symantec. Other online security firms offer a similar app. I believe one is also available from Kaspersky. Anyway.
I installed the VIP Access app on my phone. The app generates the random value you can use to add security to your online accounts, similar to the RSA SecurID I saw years ago.
In Figure 1, you see the Symantec VIP app in action. You use the serial number atop the screen to register the app with the online site. The other number is the passkey. It’s randomly generated and changes every 30 seconds. The circle around the number is the timer. As you can see in the figure, only about 22 seconds remain for 849025
Figure 1. The VIP Access app, showing the serial number and 30-second passkey.
After registering your VIP app with the online site, such as E*Trade or PayPal, you use the app and its passkey to sign-in; you can’t get access without it.
In these days of stolen passwords and pilfered online identities, I believe that using a tool like VIP Access is a must. Even if the Bad Guys steal my bank’s full database of account names and passwords, only with my phone and the VIP Access app can they get into my account. That’s hella-security!
Hmmm, a very good idea liable to problems…Bad guys steal phone, bad guys try massage of system (with enough head count possible) or the favorite DNS force you to enter a different way. Sounds interesting though…
Comment by glennp — August 13, 2015 @ 9:16 am
If the bad guys get your phone, and unlock it, with Chrome they can get into just about any website anyhow: Chrome memorizes passwords. It recalls them on the phone, but doesn’t store them (providing you’ve turned that option off). That’s a massive security risk, which is why for my online banking and such, I direct Chrome NOT to memorize the passwords.
This type of security is more to thwart online raids of account names and passwords.
Comment by admin — August 13, 2015 @ 9:22 am