Apparently, Twitter had a lot of confidential documents stolen via unauthorized access to Gmail and Google Docs (writing on BB, so no links). This brings the security of cloud computing / web apps very close to home, especially as we are contemplating moving all of USV to Gmail and Google Docs.

The threat of access by a third party increases exponentially with the move to the cloud, because the machines that now contain the documents and the links to those documents (as sent by email) are accessible to the Internet at large. With anybody with an Internet connection potentially being able to access them, a simple username/password scheme is clearly insufficient for authentication. This is especially true given password reset mechanisms based on “canned” questions with easily guessed answers.

So here is a modest proposal. Give users the option to secure their accounts with a second factor. Two ideas come to mind (not novel - just saying now is the time to get serious about these).

The first is SMS. Just enter your cell phone number during registration to enable the second factor. As you log in with username and password, you receive an SMS with a code that you also need to enter. This will admittedly slow things down a bit and might be a total nuisance if you are on a plane, but it is a nearly universal solution.

The second idea is simply a twist on the first one. Instead of SMS, use an app downloaded to the phone. The app would display the second factor on the phone, to be entered along with the password. The app strategy might be a way to get back to what seemed like a promising idea from early web days: client-side certificates. Instead of the cert being in the browser, it would now be on the phone. To log into a web app you fire up your phone app, which talks to the server and gets you a secure one-time password.

I am hoping that nothing worse than the Twitter breach has to happen before providers such as Google and Microsoft will offer stronger authentication as an option.