Using Public Wi-Fi Responsibly

In this highly technical world we live in, filled with all sorts of gadgets and devices designed to keep us in touch with family, friends and business associates, what was once the mere convenience of internet access has become almost as necessary to some people as breathing. The internet can be accessed from your phone while in a car, from your home for pleasure or business and of course from your place of business. The access point to watch out for, though, is the public Wi-Fi hotspot. These almost too convenient access points to the World Wide Web can be found just about anywhere: airports, dealerships, fast food restaurants and hotel rooms, just to name a few.

The problem with public Wi-Fi is just that: it is public. If you are able to access the internet with your device, someone else (with less than pure intentions) can get the same access, and if they are smart enough, peek in on what you are doing and make off with personal data of yours that you don’t want in the wrong hands. This article will discuss some of the steps and practices you can put in place to help protect yourself and your data from these internet pirates. Please refer to our March 15th article for more details on how “bad guys” steal information using the internet:

Data Encryption

Your data should always be transmitted over a connection that encrypts the data before sending it to the intended service. Gmail has been providing this service since January of 2010. You know your data is protected if the URL begins with the HTTPS acronym. The S stands for Secure Socket Layer and will ensure that your data is encrypted as it travels across the wires or through the air.

Many companies set up VPNs (Virtual Private Networks) so their employees can safely connect to the corporate network from home or while traveling. VPNs automatically encrypt all the data being exchanged between your computer and other network machines. You can also find open source VPNs available for use by individual users. If a VPN is not an option for you and you must connect from public Wi-Fi, use a Wi-Fi hotspot that charges for use and verify before paying that the connection will be secure. If neither a VPN nor a paid hotspot is an option for you, but your daily routine requires that you use public Wi-Fi, you can consider purchasing and using a wireless card, as it should cost less than $10/month.

Mobile Devices

If you access the internet from your mobile device, you may be in luck. Many mobile devices have built-in encryption that can easily be configured through the settings on your phone. Another good idea is to keep up with the security updates for your mobile device.

Behavior Modification

And sometimes it’s the simplest measures that keep us the safest.  Just by changing your connection habits, you can save money and stay protected at the same time.  Never send credit card, bank account or other sensitive information through email.  If the data is not being transmitted, it cannot be compromised.  Don’t connect to public or unsecured networks.  Pace yourself and only perform the important transactions from home and never from a public network.

If you can learn to stay aware of what type of network you are connecting to and also have the discipline to conduct your sensitive transactions over a secure connection, you should be able to continue to enjoy the internet with little or no worries.

Knock Down the Barriers: What Does a Two-factor Authentication Solution Need to Have?

At the recent RSA Conference 2013 in San Francisco, one of the resounding themes was the expansion of authentication solutions. The idea of replacing the old password as a login method is one that is feverishly being worked on by many vendors. However, the main struggle for vendors is handling the tradeoff between usability and security.

Matt Honan identified this after explaining that security has two tradeoffs, convenience and privacy. For example, if you implement a password policy which is unusable, the security solution fails and is abandoned or circumvented. Privacy also limits what an organization can leverage for two-factor authentication. Many organizations are terrified of alienating their users and like the idea of offering a simple, private solution versus a secure one.

Overall there is a lack of confidence in the marketplace as some of the leading solutions have experienced major hacks leaving behind doubts about the authentication methods being secure.

There is no “holy grail” solution for people to feel good about purchasing. It is unfortunate to see many organizations take the “it will not happen to us” approach because there is no simple answer to two-factor authentication.

When the question was posed “What do YOU need out of two-factor authentication?”, the common themes were that a solution needs to be:

  • Secure
  • Simple to use to avoid resistance from users
  • Inexpensive
  • Seamlessly integrated with all systems
  • Able to solve the provisioning/enrollment problem of tokens
  • Without the requirement of massive infrastructure
  • Easy to deploy and manage
  • Combined with single sign-on (SSO) for increased usability
  • Reliable
  • Using tokens which are easy to create, deploy, revoke, and replace

Luckily there are options emerging on the market which attempt to provide the above. It is important to take a look at the options and be careful with vendor selection. Are you ready to take the next step and evaluate the vendors on the market?

Lack of Confidence in Two-factor Industry

With recent research into how you and the general industry view two-factor authentication, it is amazing to see the lack of confidence in any one solution to stand above the rest. It seems that all the solutions in the market have one downside or another which is difficult for organizations to justify. This seems to be one of the main reasons keeping you from implementing it. In our related blog post “Are You for or Against Two-factor Authentication?” vendors and consultants weighed in on the subject with no clear answer being given. How are you supposed to invest in a solution which does not have 100% confidence behind it?

Well, we’d like to at least take a look at what PortalGuard has to offer. The download we are offering allows you to try out the various methods PortalGuard provides, so you can easily choose how you will present two-factor authentication to your users. Beyond the download, PortalGuard’s PassiveKey solves the main problem two-factor has and becomes an excellent two-factor alternative which is 100% transparent to the user. For more information please download the demo and visit the website to see how it works:

Two-factor Download:

Two-factor Alternative:

What’s the Hold-up? Organizations are Facing Major Hurdles

There are numerous two-factor authentication discussions occurring in the blogosphere. After compiling comments from these conversations, it is clear there are major hurdles to implementing two-factor that are preventing widespread adoption.

All too common today are TV advertisements for various medications where they definitely solve an ailment but have a laundry list of side effects. For example, the antidepressant Zoloft solves a severe problem many suffer from. However the side effects are extreme and potentially life threatening.  Although some patients may suffer from depression enough to risk the side effects, this will most likely deter those who are only mildly affected.

“Two-factor medication” can be seen in the same light. Some have taken it because they have been attacked, see themselves as potential targets for large hacking attacks, or are being forced to by regulatory compliance. However the rest of the market has decided the negative side effects of implementing two-factor outweigh the benefits.

Many organizations have an “it’s not going to happen to us” attitude and don’t feel the everyday threat which is present. IT security professionals are also reluctant to “rock the user boat” and do not have a 100% sure-fire way to solve their authentication challenges without having to overcome the major hurdles such as:

  • I can’t distribute tokens
  • I cannot justify the expense
  • My ACLs aren’t properly configured anyway
  • It’s too difficult for my users to use
  • I have no buy-in from management
  • My data isn’t sensitive enough

These hurdles come directly from the organizations evaluating whether to implement two-factor authentication. With such strong opinions, it is clear that there is a barrier keeping two-factor from being widely implemented.

As one commenter stated “I love the idea of two-factor but it is the least of my concerns. If you do not have security configured once you are authenticated – how hard it is to get there is of little consequence. Our organization is not the NSA so I do not have a huge potential for disaster vs. the complexity of implementing additional authentication. I just cannot justify the expense and would find it difficult to get buy-in from management”.

From the executive or business side of most organizations there is a lot of resistance unless they have experienced the direct effects of an attack or compliance audit. Many times the IT security team is saying “Yes” while the business side is saying “No”, citing the following factors:

  • Exorbitant costs for the tokens and support software
  • It is an infrastructure add-on so there is little skill in-house to implement and maintain it
  • Provisioning the tokens is seen as a nightmare
  • There are few examples of TRUSTED two-factor authentication solutions which organizations support and are not just vendors “tooting their own horns”

These barriers exist due to the lack of a solution the market can feel confident in. While recent news and reports are heavily advocating two-factor authentication, the “big guys” are having issues with implementation and security.

Facebook recently had a security hole found related to the storage of phone numbers used for two-factor “Login Approvals”. A hacker proved he could use readily available reverse look-up functionality to find the associated Facebook profiles; truly an invasion of privacy and an open door for hackers.

Twitter is also struggling to implement two-factor authentication, with some controversy. Although recent hacks of Burger King’s and Jeep’s Twitter accounts show a need for stronger security, some reports are claiming that the data is not sensitive enough to protect and it would just hurt the user experience.

With reports in the news like this, it is difficult to know which direction to go in. However, if you had a solution which removed most of the hurdles and made it easier to implement two-factor authentication, would you? With such a solution available in the market, would two-factor authentication become the new bare minimum?

Is it Really a Problem when Connected to a Rogue Wireless Network?

Benefits of a Free Wi-Fi Hotspot

“Oh boy!  They have free Wi-Fi here at McDonald’s.  Let’s bring in our laptops and catch up on our Facebook and Twitter accounts and maybe even pay some bills while we enjoy a satisfying lunch.”  Sounds like a great way to spend your lunch period or an afternoon, right?  Wrong.  As the old saying goes, “there’s no such thing as a free lunch” or in this case, “free Wi-Fi”.  The glamour and convenience of being able to access the internet from just about anywhere that you can sit down at a table (Airport, Laundromat, Café, Car Dealership, etc.) is very misleading.  Yes, you won’t have to use any of your cell phone data minutes and the ease of connecting without needing to enter credentials is enticing.  Not to mention that getting some of your “internet” errands completed while waiting for the laundry to dry will give you more free time for more exciting interests.  But what is really happening while you are enjoying this experience?  Could you be opening yourself up to identity theft and exposing all of your sensitive social data?  Let’s take a closer look.

Types of Wireless Networks

Wireless networks come in two varieties: ad-hoc and traditional. The traditional Wi-Fi network is a router that many devices can connect to for internet access. The ad-hoc network is simply two devices connected together. Both types can be insecure, but the ad-hoc Wi-Fi hotspot is the type most widely used by local “bad guys” looking to intercept your sensitive data. Unsecured Wi-Fi networks usually don’t require a username and password, bill themselves as free and don’t encrypt any of the traffic.

Why is it unsafe on a public Wi-Fi network?

Once you have connected to an untrusted computer that is pretending to be a legitimate router, the software on that computer can capture and save your sensitive data. Account names, passwords, bank accounts and credit card numbers are like gold to the cyber-criminal. Strangers can listen in on your emails and other private tasks performed over the web, including hijacking your Twitter account and broadcasting unhealthy tweets on your behalf.

How is it done?

A “Bad Guy”, disguised as a regular patron of your favorite coffee shop, calmly walks in, waits in line with everyone else and orders his usual latte and cruller. As he settles into his usual spot and waits for his coffee to cool, he enables his own router and software to set up a “rogue” Wi-Fi hotspot with the same name as the shop, e.g. “Java Joe’s Free Wi-Fi”. You walk in a few minutes later and as you start to enjoy your bagel and cream cheese, you open your laptop and discover that this fine establishment is nice enough to offer free Wi-Fi to its patrons. You gladly connect to the hotspot and begin surfing the web. It’s the end of the month and your car payment is overdue, so you log in to your bank account with your credentials and make the payment with your credit card. Relieved that you did not miss the deadline for the payment, you finish enjoying your bagel and hot chocolate.

What you don’t know is that directly over your shoulder, Mr. Bad Guy is watching and recording all of your internet activity.  Any emails, usernames, passwords or account numbers you supply to the internet are now his for the taking.  As part of his setup, he made a fake web site available that looks just like your bank, but since it is his web site, he is able to see all of your activity with what you think is your bank.

Legitimate hotspots that you may have already visited can be faked as well, and your PC will automatically connect to the bad router without you even knowing that you connected. It’s not enough to just make sure you don’t connect to any hotspots you don’t recognize. The owners of these rogue hotspots can see everything you are doing because they are essentially your ISP.
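As an added example (not part of the original post), here is a defender-side check a laptop could run over a Wi-Fi scan before auto-joining: it flags an access point that carries a remembered network’s name but a different security mode, or a BSSID never seen before for that network, which is how the rogue copy of a previously visited hotspot described above would show up. The scan results, the remembered-network profile and the MAC addresses are all constructed for the illustration; a real scanner’s output would be parsed into the same AccessPoint records.

```python
"""Flag access points in a Wi-Fi scan that look like a rogue copy of a known network."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str         # the network name the user sees
    bssid: str        # MAC address of the radio actually broadcasting it
    security: str     # "OPEN", "WPA2", ...
    signal_dbm: int   # a rogue AP at the next table is often the loudest one


# Constructed profile of networks this laptop has joined before (hypothetical values).
# A set of BSSIDs is kept because a legitimate venue may have several access points.
KNOWN_NETWORKS = {
    "Java Joe's Free Wi-Fi": {"bssids": {"00:11:22:33:44:55"}, "security": "WPA2"},
}

# Constructed scan: the real shop router plus a louder, open copy with the same name.
SAMPLE_SCAN = [
    AccessPoint("Java Joe's Free Wi-Fi", "00:11:22:33:44:55", "WPA2", -50),
    AccessPoint("Java Joe's Free Wi-Fi", "66:77:88:99:aa:bb", "OPEN", -35),
    AccessPoint("HomeNet", "aa:bb:cc:dd:ee:ff", "WPA2", -80),
]


def check_scan(scan, known=KNOWN_NETWORKS):
    """Return (ssid, bssid, reasons) for every AP that should not be auto-joined."""
    findings = []
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap.ssid].append(ap)

    for ssid, aps in by_ssid.items():
        securities = {ap.security for ap in aps}
        profile = known.get(ssid)
        for ap in aps:
            reasons = []
            # Same name seen both protected and open: the open one is the likely fake
            if len(securities) > 1 and ap.security == "OPEN":
                reasons.append("open copy of an SSID that is also seen protected")
            if profile is not None:
                if ap.security != profile["security"]:
                    reasons.append(f"remembered as {profile['security']}, now {ap.security}")
                elif ap.bssid not in profile["bssids"]:
                    reasons.append("BSSID not seen before for this remembered network")
            if reasons:
                findings.append((ssid, ap.bssid, reasons))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reasons in check_scan(SAMPLE_SCAN):
        print(f"do not auto-join {ssid!r} via {bssid}: {'; '.join(reasons)}")
```

The check is a heuristic: an unfamiliar BSSID can also be a venue adding a second access point, so it should hold the connection for a prompt rather than silently refuse.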

Eric Butler developed Firesheep, a utility that allows for the capture of “cookies”, the session identifiers and other data a website stores in your browser. The information Firesheep gathers allows attackers to assume your identity and use your sessions to get at your data. Firesheep was developed to encourage social media sites to encrypt a user’s whole session and prevent these “man in the middle” attacks.

Connecting to an ad-hoc Wi-Fi network whose operator has bad intentions does not only compromise your private data, but can also lead to your PC being infected with a virus. Bringing that PC into your company’s offices and connecting to the network can spread the virus over that network to other PCs.

Hopefully this article was able to illuminate some of the risks associated with internet activity.  Come back soon for an article on how to protect yourself from these risks.

CJIS and Advanced Authentication – Approaching Deadline

February was the deadline month for the new Advanced Authentication requirements being enforced by the CJIS, one of the largest divisions of the FBI; the deadline has now been postponed to September of 2013 because most local governments were not able to meet the requirements in time. The requirements state that access to any sensitive data in the CJIS database requires Advanced Authentication (AA), also known as two-factor or multi-factor authentication. The requirement is being put in place to protect the data and to require users to really prove who they claim to be.

As defined in one of our previous posts (What is two-factor/multi-factor authentication?) the new AA implementations will need to require at least two out of the three authentication factors to prove a user’s identity. Here is the definition directly from the FBI standards:

“Advanced Authentication (AA) provides for additional security to the typical user identification and authentication of login ID and password, such as: biometric systems, user-based public key infrastructure (PKI), smart cards, software tokens, hardware tokens, paper (inert) tokens, or “Risk-based Authentication” that includes a software token element comprised of a number of factors, such as network information, user information, positive device identification (i.e. device forensics, user pattern analysis and user binding), user profiling, and high-risk challenge/response questions. Advanced Authentication is also called Multi-Factor or Two-Factor authentication.”

Many times the existing authentication for building access, such as smart cards, can be leveraged, but these are not as convenient for the mobile workforce the requirements are targeting. The penalties for not being compliant are severe, including no access to the CJIS database. CJIS will not help you choose the best authentication solution but can help you determine if you are in compliance when using it.

The key to a good solution really will be the flexibility it offers. Because the target users are mobile and usually working from a car or on the road, the second factors you put in place need to be not only secure but usable. Many are leaning towards biometrics, but with limited proven vendor options on the market it is difficult to feel secure with these solutions, not to mention the cost that can be incurred when purchasing them. It is also important to choose a vendor who can provide various authentication methods so you are not forced to purchase disparate solutions to achieve one goal.

I’d suggest that you take a look at the following links to help you understand the guidelines as well as take a look at PortalGuard’s example of meeting CJIS compliance requirements:

CJIS Security Policy:[1].pdf

PortalGuard’s CJIS Guidelines:

PortalGuard’s Two-factor Authentication:

What is Two-factor/Multi-factor Authentication?

According to Wikipedia the high-level definition is an approach to authentication which requires the presentation of two or more of the three authentication factors:

  • A knowledge factor (something the user “knows”)
  • A possession factor (something the user “has”)
  • An inherence factor (something the user “is”)

The extra factors are implemented to make sure that the user is authorized and to prove their identity beyond a simple password. The definition states that to be two-factor authentication it must require the user to provide at least two of the three factors listed above. So for example, the user would be required to enter their username, their password (something they know), and a one-time password generated by a hardware token (something they have). The use of two distinct authentication factors helps eliminate an organization’s security concerns around granting access based on a single, knowledge-based factor, the password.

A common example of authentication which is mistaken for two-factor authentication is knowledge-based authentication where the user is asked to provide their username, password, and answer to a knowledge question. This does not meet the definition because the password and answer are both factors the user knows.

Increasing in popularity, the one-time password or OTP is becoming a preferred second factor as it is only valid for one login session or transaction. OTPs avoid the shortcomings of static passwords, including susceptibility to replay attacks: if a hacker records an OTP which was already used, they will not be able to reuse it since it is no longer valid. OTPs can be delivered via SMS, email, print, hardware tokens, landline, or transparently using a browser plug-in.

Regulatory compliance, one of the driving factors behind two-factor authentication, is forcing organizations to implement stronger authentication. Take for example the largest division of the FBI, the Criminal Justice Information System (CJIS), which has an Advanced Authentication compliance requirement that is making law enforcement and local governments take action. Effective September 30, 2013, Advanced Authentication will be a requirement for all law enforcement personnel accessing NCIC criminal justice information outside of a secure location. Other regulatory compliance standards such as the FFIEC, PCI DSS, and HIPAA are also driving the market towards two-factor authentication.

However, what if your organization does not have these regulatory compliance standards pushing you towards implementing two-factor? Do you still feel like your data is sensitive enough to protect with stronger authentication? Or do you take on an “it’s not going to happen to me” attitude?

The PortalGuard software is an authentication platform which is focused on enhancing usability, while maintaining a balance between security, auditing, and compliance for your web and desktop authentication requirements. PortalGuard provides capabilities including multi-factor authentication, transparent user authentication, self-service password management, two-factor authentication, password synchronization and single sign-on which can be seamlessly configured by user, group, or application.


A Recent Spike in Two-factor Authentication Interest

“In the space of one hour, my entire digital life was destroyed.” In August of 2012 Matt Honan, editor at WIRED, reported on a recent attack in which it took hackers a mere 60 minutes to break into his Google account and from there wipe out his digital identity, all with the goal of gaining access to his sought-after Twitter account [1].

An eye-opener, this hacking example created buzz around two-factor authentication and the need for it. Just looking at the Google Trend for “two-factor authentication” shows a clear spike in August and a new level of continuing interest ever since. The search term “two-factor authentication” is now searched in Google on average 49,500 times per month.

Predictions about the global two-factor and multi-factor authentication markets also show substantial growth. In a recent report from TechNavio the global two-factor authentication market is expected to grow by 20.8% over 2011-2015, driven primarily by regulatory requirements [2]. The multi-factor authentication market is set to reach $5.45 billion by 2017 according to MarketsandMarkets research [3].

Why the push for two-factor? Beyond regulatory compliance, Verizon’s Data Breach Investigations Report shows an increase in corporate data breaches. In 2012 there were 855 incidents of corporate theft with 174 million records being compromised; 98% of those came from hackers using various hacking methods to break in [4].

Even Google has declared war on passwords with its recent implementation of two-step authentication, a recommended feature to turn on for securing your Google account. Partnerships with hardware token vendors such as Yubico show that Google is looking for a way to avoid the spike in data breaches we have seen in 2012 [5]. Other major websites are following suit, including Facebook, Twitter, Dropbox, PayPal, and more.

So with all of the evidence showing that there is an everyday threat to our digital identities and data…why is two-factor authentication not widely implemented? Why is it that every organization has passwords but has not taken the next step towards strengthening authentication? The following chapters take a look at the two sides to the argument, for and against two-factor authentication. Two-factor authentication or not? That is the question.

Why is Authentication Painful and How can Self-service Ease the Pain?

There is no getting around it… online resources are and will always be protected by one or more forms of authentication.  Given all of the savvy “bad people” out there that go to great lengths to try and compromise our valuable resources, authentication is here to stay.  But why does authentication cause the user so much pain and why can’t a few Ibuprofens help to alleviate the burden?  Well, for one thing, authentication pain is not physical.  Its effects are emotional and psychological in nature and can lead to unnecessary stress.  Self-Service Password Management (SSPM) has the “medicine” to help reduce the swelling caused by authentication.  SSPM is technology that puts mechanisms in place to help reduce the obstacles and frustration that can be caused by authentication gone wrong.

Let’s take a look at a possible real world scenario of how authentication can cause pain to both the user and IT staff and how SSPM can alleviate the suffering.

Curtis starts his first day of work after graduating from college and is given his first professional password but doesn’t have a lot of password experience.  At his first login on his very first day in the “real” world, he is forced to change it so he will be the only one that knows the password.  However, so the password can’t be easily guessed by a would-be intruder, company policy forces Curtis to come up with a complicated password with multiple alpha-numeric characters and special characters, including upper and lower case values.

It turns out that Curtis started on a Friday, and after a weekend of celebrating with his friends he returns to his second day of work and, much to his dismay, can’t remember his password. Not knowing any better, he continues to try variations of what he thinks it is until his account is locked. Now what does he do? This real world is tough, and especially on a Monday. His supervisor, Kathy, sees him struggling and asks if she can help. Curtis is relieved to learn that there is an IT help desk that he can call to get his password changed. The call with the help desk is less than enjoyable. First he ends up in a queue for what seems like 20 minutes. It is his second day of work and he has not been productive for his first hour. When he finally gets to speak with someone, they are short with him and not as helpful as he would have hoped. He does finally get a new password and gets his account unlocked, with some unnecessary scolding from the help desk. Curtis thinks, “I am not going to have to go through this again,” writes his new password on a Post-it note, sticks it on his monitor and finally gets back to work.

At lunch, he is discussing his ordeal with some of his new coworkers and learns that the help desk personnel are like that because they are usually swamped the first day of the week with many users forgetting their passwords over the weekend.  Having to spend so much time on password issues first thing in the morning, puts them behind on their priorities for the rest of the week.  He also found out that company policy does not allow passwords to be written down.  Now he can’t get back to his desk fast enough to take down that sticky note.

Without being able to write down his password, he manages to forget it a few more times until he finally creates one that he can memorize.  Just when he thinks he has clear sailing with his password troubles, he comes into work and upon logon is instructed to change his password because it has expired.  What?!  Why is this so?  Again, Kathy is there to explain to Curtis that company policy requires passwords to be changed every 90 days just in case one gets compromised.  This is devastating news to Curtis because he believes he will go through the torment of not being able to remember his password again and decides to do some research on the matter to see if others are experiencing his pain.

Curtis uncovers that there is a world of hurt similar to his and other companies have been alleviating it with a technology referred to as “Self-Service Password Management” (SSPM).  In a nutshell, SSPM puts the power of resetting forgotten passwords or unlocking a locked account into the end user’s hands.  This excites Curtis and he digs in to learn more and puts together a proposal for his supervisor and their manager.

The proposal explains that when a user forgets their password or has a locked account, the user is able to authenticate themselves “on their own” by a means other than their password and reset the password. Generally speaking, the user can answer challenge questions that they previously answered during enrollment, or they may submit a One Time Passcode (OTP) that they receive through email or a phone (voice or text). Before the SSPM can be used, the first time a user logs in they will be asked to answer a number of questions and/or register their phone number. Should the occasion arise that they have locked their account or forgotten their password, they can navigate to the SSPM website on their own, enter their username and then request to reset their password and/or unlock their account. The application asks which alternate authentication method they would like to use: challenge answers, phone OTP or email OTP. The user is then either presented with questions that they will know the answers to, or sent an OTP that they can enter at the website prompt. The website authenticates the user with this alternate method and then allows the user to specify a new password and/or unlock the account.
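The reset flow in Curtis’s proposal, written out as an added example rather than PortalGuard’s or anyone’s product code: enrollment stores salted hashes of the challenge answers instead of the answers themselves, the phone or email OTP is single-use and expires, and a successful alternate authentication both sets the new password and unlocks the account. Delivery is stood in for by an in-memory outbox list, and every name and value is constructed.

```python
"""Self-service password reset: enroll, prove identity another way, then reset/unlock."""
import hashlib
import hmac
import os
import secrets


def _normalize(answer):
    """Case- and whitespace-insensitive so 'New York' and 'new  york ' both match."""
    return " ".join(answer.lower().split())


def _hash(text, salt):
    return hashlib.pbkdf2_hmac("sha256", text.encode(), salt, 100_000)


class SelfServiceReset:
    OTP_TTL = 300        # seconds a texted/emailed code stays valid
    MAX_OTP_TRIES = 3    # wrong guesses before the pending code is discarded

    def __init__(self):
        self.users = {}          # username -> enrollment record
        self.passwords = {}      # username -> (salt, password hash)
        self.locked = set()      # accounts locked out by failed logins
        self.pending_otp = {}    # username -> {"code", "expires", "tries"}
        self.outbox = []         # constructed stand-in for SMS/email delivery

    # Enrollment happens at first login, before SSPM can be used.
    def enroll(self, username, answers, phone=None, email=None):
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "answers": {q: _hash(_normalize(a), salt) for q, a in answers.items()},
            "phone": phone,
            "email": email,
        }

    # Alternate method 1: the challenge answers chosen during enrollment.
    def verify_answers(self, username, given):
        rec = self.users[username]
        ok = True
        for question, stored in rec["answers"].items():
            candidate = _hash(_normalize(given.get(question, "")), rec["salt"])
            # Check every answer; no early exit that would reveal which one was wrong
            ok = hmac.compare_digest(stored, candidate) and ok
        return ok

    # Alternate method 2: a one-time passcode sent to the enrolled phone or email.
    def send_otp(self, username, channel, now):
        destination = self.users[username][channel]
        if destination is None:
            raise ValueError(f"no {channel} enrolled for {username}")
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_otp[username] = {"code": code, "expires": now + self.OTP_TTL, "tries": 0}
        self.outbox.append((channel, destination, code))   # "delivery"

    def verify_otp(self, username, code, now):
        pending = self.pending_otp.get(username)
        if pending is None or now > pending["expires"]:
            self.pending_otp.pop(username, None)       # expired: a new one must be requested
            return False
        pending["tries"] += 1
        if pending["tries"] > self.MAX_OTP_TRIES:
            del self.pending_otp[username]             # too many guesses at this code
            return False
        if hmac.compare_digest(pending["code"], code):
            del self.pending_otp[username]             # single use: consumed on success
            return True
        return False

    # The user picks a method, proves identity, then sets a new password and/or unlocks.
    def reset(self, username, method, proof, new_password, now):
        if method == "answers":
            verified = self.verify_answers(username, proof)
        elif method == "otp":
            verified = self.verify_otp(username, proof, now)
        else:
            verified = False
        if not verified:
            return False
        salt = os.urandom(16)
        self.passwords[username] = (salt, _hash(new_password, salt))
        self.locked.discard(username)                   # unlocking is part of the reset
        return True
```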

Needless to say, this proposal quickly makes its way to upper management and within a few weeks Curtis and his fellow employees are enjoying Self-Service Password Management.

Now our hero enjoys his weekends because he knows if he forgets his password on Monday, he can visit the SSPM website, answer some questions and reset his own password within a matter of minutes and then get back to being a productive employee.

FIDO & DARPA Setting Multi-factor Authentication Standards

Coming back from the RSA Conference 2013 this year gave us a renewed look at authentication and IT security. One topic I had seen mentioned shortly before the conference was the Fast Identity Online Alliance (FIDO) and the Defense Advanced Research Projects Agency (DARPA). As a foreign government employee mentioned at our booth, there are initiatives following FIDO’s push to eliminate passwords and improve online security with “a standard of interoperable authentication protocols”.

With a recent hot debate on whether passwords are enough, these two organizations are working to implement stronger authentication in the form of two-factor authentication and two-factor alternatives, such as biometrics.

This initiative is picking up interest as DARPA and FIDO look for a seamless integration from a biometric application. The drive behind the biometric desire is to really be able to prove a user is who they say they are when making an authentication request.

As mentioned in the article, however, and as I have seen in my two-factor market research, there are major hurdles which are going to keep organizations from implementing stronger authentication, especially biometrics. The article mentioned cost as a huge barrier, as well as it not being an option for the larger audience of customers. Even so, some are saying, “the pain is finally getting bad enough, the criminals are getting good enough and the public is no smarter, so in the next five and more likely 10 years we should see significant change.”

