Control of (identity) information is the main objective of every well-built Web 2.0 application. The "evil guys" understood this well, and those applications now have to deal with more and more cases of identity theft or unauthorized access to (confidential?) data. Think about various examples:
- Famous Twitter hacks in 2009: http://blog.twitter.com/2009/01/monday-morning-madness.html
- 2008: Sarah Palin's Yahoo inbox hack: http://www.zdnet.com/blog/security/sarah-palins-yahoo-account-hijacked-e-mails-posted-online/1919
- Etc.
How can the web be secured for everyone without investing in costly hardware or deploying complex solutions?
Until now, the security of these services has relied mainly on control of an e-mail address and verification that the user owns it.
Today, mobile phones are in everyone's pocket. They allow access, from more and more places, to advanced services such as e-banking, e-commerce, electronic purses, transport ticketing, etc. In 2010:
- There are 5.1 billion mobile phones in use in the world,
- The penetration rate in Europe is more than 157.5%.
- In both Africa and the Middle East, more than 50% of people are equipped with a mobile phone.
So for Web 2.0 services to secure their users' connections, the best way is to rely on it. As a matter of fact, most of the famous 2.0 providers have launched or are about to launch their multi-factor authentication solutions. In the last few days, we heard about:
- Google and its Google Apps offer:
  - Starting with Google Apps Premier, Education and Government editions and then with the Personal Edition, Google will allow more than 300 million clients to use a two-factor authentication method (something they know and something they have) for Gmail, Reader, Calendar, etc.
  - See "Three million businesses have gone Google: celebrating growth, innovation and security"
- Facebook:
  - By collecting your mobile phone number (if it does not have it already), Facebook will send you an OTP by SMS to use as your current password. The Facebook session will be reduced to a validity of 20 minutes in order to enforce security.
  - This service will be available in the U.S. first, then worldwide.
  - See "Facebook announces one-time passwords and remote log-outs"
- Windows Live and Hotmail:
  - Only available for account recovery at first, Microsoft enables two functionalities to protect its users. The first allows them to identify their trusted PC through a unique fingerprint. Sensitive operations can then only be done from the selected device.
  - The second functionality allows users to enter the mobile phone number on which they want to receive an OTP by SMS. This OTP can also validate sensitive operations.
  - See "Hotmail security updates protect you from account hijackers"
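As an added illustration of the SMS OTP flow described above (a code sent to the phone, then a short-lived 20-minute session), here is a hypothetical server-side implementation; it is not code from Facebook, Google or Microsoft. The 5-minute code lifetime, the three-attempt limit and the phone numbers are assumptions for the demo.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 5 * 60        # an SMS code should expire quickly (assumed value)
SESSION_TTL_SECONDS = 20 * 60   # the 20-minute session validity described above
MAX_ATTEMPTS = 3                # discard the code after a few wrong guesses (assumed value)


class SmsOtpService:
    """Server side of an SMS one-time-password login step (hypothetical design)."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms  # callable(phone_number, text); injected so the demo runs offline
        self.now = now            # clock, injected so expiry can be tested deterministically
        self.pending = {}         # user -> {"code", "expires", "attempts"}

    def issue(self, user, phone_number):
        # secrets, not random: the code must be unpredictable to anyone without the phone
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self.pending[user] = {"code": code, "expires": self.now() + OTP_TTL_SECONDS, "attempts": 0}
        self.send_sms(phone_number, f"Your login code is {code}")

    def verify(self, user, candidate):
        """Return a short-lived session on success, None on any failure."""
        entry = self.pending.get(user)
        if entry is None:
            return None
        if self.now() > entry["expires"]:
            del self.pending[user]          # expired codes are never accepted
            return None
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["code"].encode(), str(candidate).encode()):
            if entry["attempts"] >= MAX_ATTEMPTS:
                del self.pending[user]      # stop online guessing of a 6-digit code
            return None
        del self.pending[user]              # single use: a replayed code fails
        return {"user": user, "expires": self.now() + SESSION_TTL_SECONDS}

    def session_valid(self, session):
        return self.now() < session["expires"]


if __name__ == "__main__":
    outbox = []  # constructed stand-in for the SMS gateway
    svc = SmsOtpService(send_sms=lambda phone, text: outbox.append(text))
    svc.issue("alice", "+15555550100")       # constructed sample number
    code = outbox[-1].split()[-1]
    print("session:", svc.verify("alice", code))
    print("replay accepted:", svc.verify("alice", code) is not None)
```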
On top of that, identity federation and consolidation is still active on the web. OATH implementations are still active, as at Twitter, LinkedIn, etc.
As we can see, the mobile phone is going to become the pillar of the authentication process for web-centric services. As Gartner estimates worldwide sales of tablet-like products at 20 million in 2010, the next challenge of a secure web is already identified: how to prevent data leaks when a mobile device is stolen or lost…