This month the world was made aware of the Heartbleed Bug, a vulnerability in OpenSSL that could allow unauthenticated attackers to discover and steal private keys, passwords, session details and other data held in memory. Even though a fix was released at about the same time as the public announcement, and even though many websites moved quickly to apply it, there was quite a bit of controversy surrounding the announcement, and we learned that, ironically, the threat to online account holders was actually magnified in the period just after the announcement was made. During that period, innocent online account users were often instructed to wait until their provider implemented the fix, while the world’s would-be Internet attackers were essentially shown how to exploit the vulnerability by the very same published details of how to fix it, together with the lists of websites where the vulnerability existed.
Just after the Heartbleed Bug was announced, experts began suggesting the use of an option called 2-Step Verification (for example, in Venture Beat, Digital Trends, and Tom’s Guide). 2-Step Verification, also known as Two-Factor Authentication (or just 2FA), is a way of requiring an online user to present two separate passwords before being allowed to log in to an account. The first password is the user’s primary account password, which doesn’t change unless the user changes it; the second is typically sent to a separate location as a unique, time-sensitive security token that expires after a very short period (e.g., 10 minutes). This second password is known in the industry as a One-Time Password (OTP) and is often sent via SMS to the user’s personal mobile device. When 2-Step Verification is on, each time the user logs in to their account for the first time from any device they are asked for both their primary password and their OTP.
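As an added example (not code from the original post), here is the server side of the flow just described: the primary password gates the issuing of a short-lived, single-use OTP delivered over a separate channel, with the 10-minute expiry from the text and an assumed limit of five guesses per code. `OtpStore`, `first_step`, `password_hash` and the `send_sms` callback are constructed names, and SHA-256 stands in for a proper slow password hash.

```python
import hmac
import secrets
import time
from hashlib import sha256

OTP_TTL_SECONDS = 10 * 60   # the "very short period" from the post: 10 minutes
MAX_OTP_ATTEMPTS = 5        # assumption: a code is void after a few wrong guesses

class OtpStore:
    """Server side of the second step: issue, deliver and verify one-time codes."""

    def __init__(self, now=time.time):
        self.now = now           # injectable clock so expiry can be tested
        self.pending = {}        # user -> (code_hash, expires_at, attempts_left)

    def issue(self, user, send_sms):
        # 6-digit code from the CSPRNG; only its hash is kept server-side
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (sha256(code.encode()).digest(),
                              self.now() + OTP_TTL_SECONDS, MAX_OTP_ATTEMPTS)
        send_sms(user, code)     # delivery over the separate channel (SMS here)

    def verify(self, user, submitted):
        entry = self.pending.get(user)
        if entry is None:
            return False         # nothing pending (or already consumed)
        code_hash, expires_at, attempts_left = entry
        if self.now() > expires_at or attempts_left <= 0:
            del self.pending[user]   # expired or exhausted: a fresh code is required
            return False
        ok = hmac.compare_digest(code_hash, sha256(submitted.encode()).digest())
        if ok:
            del self.pending[user]   # one-time: replaying a captured code fails
        else:
            self.pending[user] = (code_hash, expires_at, attempts_left - 1)
        return ok

def password_hash(password):
    # constructed demo: SHA-256 stands in for a slow password hash (argon2/scrypt)
    return sha256(password.encode()).digest()

def first_step(store, user, password, stored_hash, send_sms):
    """Step one: the primary password. A code is only issued after it checks out,
    so a leaked password alone gets an attacker no further than this gate."""
    if not hmac.compare_digest(password_hash(password), stored_hash):
        return False
    store.issue(user, send_sms)
    return True
```

A code that leaks after use or after its ten minutes is worthless to whoever captured it, which is the property the post relies on.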
The problem is that, although some online providers do offer 2-Step Verification to consumers today (e.g., Google and Facebook), a significant number of websites that handle our private or financial data still do not offer it as an option. This is because, until recently, the focus of 2FA has been on the benefits to organisations, and consumers have not been demanding this technology from their online providers. 2FA has significant value to organisations that wish to protect their own sensitive data, and one of its most common use cases is the protection of corporate intellectual property; in fact, millions of workers worldwide are today required to log in to their corporate accounts using 2FA. However, as the Heartbleed Bug demonstrated, any breach of consumer account security, especially one involving a consumer’s sensitive or private data, can result in significant costs and reputation damage for the company.
Yet it seems to have taken a security breach the size of the Heartbleed Bug to finally put more emphasis on the benefits of 2-Step Verification for online consumer account holders, not just for the organisations that might implement it. Online users are waking up in a post-Heartbleed world to learn that they should already have had 2-Step Verification on: had it been on, an attacker would have needed both their primary password and their temporary (time-sensitive) One-Time Password, before it expired, in order to gain access to their personal information. Obtaining both passwords is far less likely than an attacker obtaining just one of them. Even if an attacker manages to snoop on their “secure” OpenSSL connection, the attacker cannot gain access to the account without that OTP too.
Bottom line: if your online account is used for private or financial information and you don’t already have 2-Step Verification turned on, you should turn it on … and if your online account provider doesn’t offer 2-Step Verification, you should ask them to implement it for you. As consumer awareness of the value of 2-Step Verification grows, organisations will be pleased to know there are 2FA solutions on the market that can be deployed quickly, and at very low cost compared to the potential financial and reputation damage incurred in a security breach like the Heartbleed Bug.