As you may have read, and hopefully enabled, Twitter added a 2-factor authentication capability last week.
If you haven't yet turned this on, here's how. Log in to Twitter; select Settings; select Mobile; add and activate your phone. Here are the detailed instructions for adding your phone number. To enable 2-factor authentication, select Account, then check the box labeled "Account security".
Here's the good news... as I've discussed in the past, I am a fan of using some kind of 2-factor auth for website authentication. I also like the use of a smartphone for delivering that one-time-use PIN or code. While we still have a digital divide in the US, most people do have a cell phone, and most of those have a smartphone.
But there are some issues.
A place to talk about information security, Internet safety and, of course... coffee!
Thoughtful, sometimes controversial, but not following the crowd unless I'm in line at the coffee shop.
Tuesday, May 28, 2013
Tuesday, May 21, 2013
The Business (not Blind) Side
A Doctor, Lawyer, Salesperson and Systems Administrator walk into a bar...
As I mentioned last week, the Secure360 conference was in town. And as always, it was a great show. I was pretty busy and had 3 different talks. The first was a 4-hour pre-conference session on BYOD. (slides here)
After talking about the history of portable devices and framing the issues with which organizations struggle, we did something a bit different.
Labels: business, BYOD, conference, consumer, customer, devices, IT, portable, security, technology
Tuesday, May 14, 2013
One Size Does Not Fit All
The annual Secure360 conference kicked off yesterday in St. Paul with pre-conference sessions.
Secure360 is the major upper Midwest security conference and has become a US national event, now in its 11th year (I think!).
I'll be pretty busy at this year's conference. I've actually spoken at every Secure360, but this year I did a half-day seminar yesterday on BYOD, and tomorrow I've got back-to-back talks - one on the Insider Threat I call "The Accidental Insider" (blog post), and one on authentication "3 Factors of Fail" (blog series starts here). Slides for all are on my slideshare site.
I've got a wide variety of topics to cover!
And that's what is so cool, and critical, about conferences.
Tuesday, May 7, 2013
So Long and Thanks for All the Passwords!
If you've been following any online news lately, you've read about the recent Living Social breach. They reported "unauthorized access" of their systems resulting in a download of customer data including name, email address and encrypted passwords.
We have heard of many similar instances over the past few years. I've written about this in previous posts and will be giving a talk at Secure360 in St. Paul, MN in a couple of weeks talking about authentication and passwords.
In their defense, Living Social did do a couple of things well. First of all, fortunately, they did store only encrypted passwords. Unfortunately many organizations don't. Unfortunately they used an older, weaker encryption algorithm. And, of course, unfortunately they got breached and had the file downloaded.