The large number of hacks of celebrities’ email accounts reported by the media and widely discussed by the general public has made users greatly concerned about the safety of their data. That concern is what we are going to address in this article.
What is two-factor authentication and how can it help?
Two-factor authentication is a method of establishing identity using two different types of information. The first type is usually a user name and password, while the second type is provided in an SMS, smartphone app, OTP device or certificate.
There is a lot of information on the Internet on how two-factor authentication works via SMS.
In my opinion, if the potential monetization of hacking your account does not exceed $1000, this type of protection is acceptable. If you want to protect more valuable data, SMS is not quite the right approach. Your mobile phone could be stolen or your SIM card could be replaced, and by the time you notice, the hacker will already have downloaded all your correspondence from the server. For example, the Gmail account of the Russian political activist Navalny was hacked and years of private email correspondence went public; his account was protected using SMS-based two-factor authentication. The recent attack on users of mobile banking clients also demonstrates the vulnerability of this method.
Other significant disadvantages of this method are that it is extremely inconvenient for protecting email, and that it causes problems for travelers and for anyone who frequently changes SIM cards.
Authentication through a mobile application solves the problem of protecting the SIM card against copying or theft, and is more convenient for traveling. But the other problems remain.
OTP (One Time Password) devices probably provide the highest level of protection among all the methods. Devices that require you to enter a PIN code before use are particularly effective. No wonder every bank that cares about its reputation uses OTPs for clients’ financial transactions.
The main disadvantage is that they are not very convenient to use for email protection.
Protection with a certificate
This technology restricts email access to authorized devices: a special certificate is installed on each such device, and user credentials alone are only accepted from a device that holds it.
Unfortunately, this technology does not solve the protection problem that arises if a laptop or phone is stolen. However, disk encryption in combination with a fingerprint sensor completely solves the problem of protecting the laptop, and if an attacker manages to gain access to the email on a mobile phone, the damage is incomparably smaller than when all email is downloaded from servers. Of course, encrypting and protecting mobile devices can reduce the damage caused by this threat to zero.
The main advantage of this technology is its transparency for the user. After installing the certificate on the device, the user can work as usual without entering any codes. Even if the password is compromised, it can only be used on authorized devices.
Certificates can be either associated with a USB token (a popular solution among Russian banks) or a user device. In our opinion, this solution is more suitable for corporate users.
Of course, this technology only applies to corporate emails and introduces just one component to a system of data security measures.
We can protect mail on MS Exchange Server and clients using Exchange through ActiveSync and OWA. Unfortunately, the current version of MS Outlook does not support this solution.
In technical terms, two-factor authentication using a certificate is based on the corporate public key infrastructure (PKI). To grant access to a device, the system administrator installs a user certificate on it whose private key is marked non-exportable. The user can then use the Exchange web interface (OWA): when the user opens the corresponding link, the server requests the certificate as the first authentication factor, and the user then enters his or her credentials in the web form as the second factor.
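As an added illustration (not code from the original article, and not Microsoft's Exchange or IIS implementation), the following Python script models the two checks just described using the cryptography library: the client certificate must verify against the corporate CA before the username/password store is consulted at all, and both factors must name the same account, so a stolen password is useless without an authorized device. The root CA, the user "alice", her password and the PBKDF2 credential store are all constructed stand-ins for the real PKI and directory.

```python
import datetime, hashlib, hmac
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject_cn, issuer_cn, issuer_key, subject_pub, days=365):
    # Issue an X.509 certificate naming subject_cn, signed with issuer_key.
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
            .public_key(subject_pub).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=1))
            .not_valid_after(now + datetime.timedelta(days=days))
            .sign(issuer_key, hashes.SHA256()))

# Constructed corporate PKI: one root CA and one user certificate issued by it.
CA_KEY = rsa.generate_private_key(65537, 2048)
CA_CERT = issue("Corp Root CA", "Corp Root CA", CA_KEY, CA_KEY.public_key())
ALICE_KEY = rsa.generate_private_key(65537, 2048)
ALICE_CERT = issue("alice", "Corp Root CA", CA_KEY, ALICE_KEY.public_key())
# Constructed forged certificate: same names, but not signed by the corporate CA key.
ROGUE_KEY = rsa.generate_private_key(65537, 2048)
ROGUE_CERT = issue("alice", "Corp Root CA", ROGUE_KEY, ROGUE_KEY.public_key())
# Constructed credential store standing in for the directory (second factor).
_SALT = b"constructed-salt"
_pw_hash = lambda pw: hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)
USERS = {"alice": _pw_hash("correct horse")}
def cert_is_trusted(cert, ca_cert):
    """First factor: issued by our CA, signature verifies, inside validity window."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except Exception:
        return False  # issuer name copied, but not signed by the corporate CA key
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    return cert.not_valid_before <= now <= cert.not_valid_after
def authenticate(client_cert, username, password):
    """Second factor: credentials must be valid and name the certificate's user."""
    if client_cert is None or not cert_is_trusted(client_cert, CA_CERT):
        return False  # no authorized device: a stolen password alone is useless
    cert_user = client_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    stored = USERS.get(username)
    if stored is None or cert_user != username:
        return False
    return hmac.compare_digest(stored, _pw_hash(password))
```

In a real deployment the certificate check is done by the TLS layer of the web server (client certificate authentication) and the credential check by the directory; the script only shows the ordering and the binding between the two factors.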
To use two-factor authentication, mobile devices must support ActiveSync version 12.0+. At present, it is supported by the following devices:
- Apple iPhone / iPad with iOS 6.x and higher;
- Smartphones and tablets with Android version 4.1.2 and higher;
- Devices with Windows Phone 7 and higher.
An enterprise IT administrator uses the iPhone Configuration Utility (iPCU) to install a profile on Apple devices containing all necessary account information, the user certificates, and the certification authority.
On devices running Android and Windows Phone, the administrator installs the created certificate chains and configures the user account, indicating which certificate to use for login. For large organizations, the process can be automated using dedicated Mobile Device Management (MDM) software that manages devices on various platforms (for example, BES 12).