Hi! My name is Corey, I have a dog named Sparky, and I really like chocolate. You now have everything you need to guess my password.
This isn’t a surprise, of course. Over the last several years research has shown that passwords are often easily compromised:
- An analysis of breached password information showed that most passwords were easily guessable (like "sparky")
- In 2007 64% of people polled handed over their passwords for a “bar of chocolate and a smile”
- The Stuxnet worm takes advantage of well-known, hard-coded, and unchangeable passwords in Siemen’s SCADA software
- Even when users accept the burden of creating and maintaining strong passwords they still remain vulnerable to common attacks such as phishing and keylogging
One good solution to these password issues is to use two-factor authentication, where a user is required to both know something (i.e. your username and password) and have something (such as a generated code from a key fob). Your debit card is a good example of this: You need to both know your PIN code and have the physical card in order to access the bank account it protects. Two-factor authentication has become more readily available over the last few years, and is now a capability that many security-oriented companies are actively pursuing.
Consequently, I’m thrilled to announce that Qualys is now making VeriSign Identity Protection (VIP) two-factor authentication available to all QualysGuard users at no charge, providing an additional layer of protection to keep your data secure.
Subscription Managers can require VIP for all accounts, or individuals can opt-in as desired. Enabling it for an account is simple with just three steps:
- Obtain a credential from VeriSign. Like QualysGuard, VeriSign VIP is a software-as-a-service offering with no server software to deploy or hardware to manage. I prefer using their phone-based credential, but their toolbar is also a good choice (as are key fobs for those who like having a physical token); see the complete list of supported devices.
- Login to QualysGuard and edit your user settings. Click “Advanced” and you’ll see the following under the “Options” tab:
- Click “Register Credential” and provide the codes requested.
You’re now ready to use VIP Authentication for logging in to QualysGuard. You’ll still use your username and password (what you know) but will be prompted to provide the code from your credential (what you have) to complete the login process:
Don’t worry if you can’t access your token (who hasn’t left their phone on the kitchen table?); you can request a one-time password that will grant access within the next hour.
We’re excited to help lead the effort to replace passwords with better authentication methods, and look forward to hearing from you on how we can continue to improve our service. In the meantime, feel free to take that chocolate bar without any guilt!