Five Questions With: Craig Lund
Providence Business News – Craig Lund, CEO of SecureAuth Corp., a California company with seven offices around the world, including Boston, talks about the recent hacking of LastPass, a password management company, and tactics individuals and businesses can use to protect themselves from cyberattacks, such as multifactor authentication.
PBN: Can you tell me what multifactor authentication is?
LUND: Multifactor authentication (MFA) is an access control strategy that requires more than one method of authentication to verify the user’s identity prior to granting access. Multifactor authentication is typically achieved through a combination of two or more authentication “factors,” one each from one of three categories: 1) something you know such as a user ID and password; 2) something you have such as a one-time password (OTP) or an access card; and 3) something you are – such as a fingerprint, retina scan or voice print. Multifactor can also be achieved by using two or more second factors (something you know). And multifactor authentication can also include adaptive authentication techniques that examine context and risk to determine if a user authentication request is valid. These techniques can include inspection of IP address reputation, device fingerprints, geo-location and more. Adaptive techniques enable authentication to be stronger and more secure without extra burden on the user.
PBN: How can it be used to protect the average home computer user?
LUND: The average home computer user can leverage two or multifactor authentication to protect themselves where it’s available. Popular consumer applications such as Apple iCloud, Facebook and most online banking applications offer the ability to enable second or multifactor authentication. And although it may seem like additional work to employ, adding security questions or other factors like PIN numbers to your accounts is the best way to protect your information from being compromised. Especially since the average user reuses passwords on many sites. You may not even remember all the sites where that password is used, but it takes just one compromise and your user ID or email in combination with your password is now in the hands of cyber criminals who can easily find your other online accounts.
PBN: How can people protect their information from being accessed in a time when cyber-attacks are all too common?
LUND: We’ve just discussed using second or multifactor authentication as well as adaptive authentication whenever possible. Other best practices include creating strong passwords that are not easily guessable and not repeating your passwords across multiple accounts. And change your passwords frequently. You should also beware of email phishing schemes, which are the most common way passwords are compromised. When in doubt, do not provide your user ID and password to any requests that come via email.
PBN: How do hackers generally gain access?
LUND: Attackers commonly use a combination of social engineering and malware, often in the form of an email phishing attack. Specifically, they target users using information harvested via social engineering, social media and open source data, and then lure unsuspecting victims into downloading malware onto their computers or providing user ID and password information on bogus websites. Hackers can also brute force hack passwords and frequently achieve success in cases where passwords are weak and easily guessable like 12345 or password.
PBN: What kinds of companies/clients do you work with? How long have you been in operation?
LUND: SecureAuth has been in operation since 2005 and we have over 1,100 customers representing millions of end-users across many industries. With SecureAuth IdP, organizations can add award-winning multifactor and adaptive authentication to their business applications, which adds an additional layer of security to protect their resources even if their passwords are stolen. In many cases, end users can use their smart phone as their second factor of authentication, making it very convenient to implement strong access control.