You’ve heard about the security issues at a number of organizations in the last few weeks.  Thankfully, there haven’t been any breaches at software companies who serve professional accountants (except maybe for Evernote – although I don’t know that I would put HIPAA or taxpayer data in that service).  One of the important things that is coming out of this is that major software vendors like Evernote and Google are planning to implement a security approach called “Two Factor Authentication”.  While I won’t go into much detail on how it works (although there’s a good Wikipedia article here), the basics are as follows:

Security tokens, like the RSA SecurID above, have a formula which generates a new six digit code every minute that is used as a one time password.

There are three basic ways to validate someone’s identity

• Something they know (username, password, PIN, etc.)
• Something they have (cell phone, RSA token, USB key, etc.)
• Something they are (biometric identification like fingerprinting, face identification, or iris scans).

Historically, we’ve used only one factor of authentication – a username and password – to access most online systems.  While this is adequate for some information types, the sophistication of phishing attacks and other techniques used by the “bad guys” requires a more sophisticated approach to security.  Two factor authentication normally requires users to validate their credentials to two servers – one which controls the username and password, and a second which validates that they have a particular device or item through a one time password.

I’ve used a number of two factor authentication devices in my career, including:

• Tokens, like the one shown above or those used by Scorpion Software’s AuthAnvil for Windows Server.
• SMS validation from online services, where a code is sent to my cell phone (another solution is Microsoft’s PhoneFactor)
• A USB device called a Yubikey from a company called Yubico which has been on a security podcast I listen to weekly which inputs a one time password into a computer.
• SmartCards, along with the readers built into my HP Enterprise laptops.
• Fingerprint scanners on laptops

All of the devices worked well, and I still use some of them to authenticate to many services.

One important point is that the use of factors other than passwords (something you know) is not a panacea.  Use of any of the items listed above in lieu of a password doesn’t accomplish anything.  The real benefit comes from using these tools in ADDITION to a username and a password.  Even if a person with bad intent knew your username and password, they would be screened out by the second factor, whether it is biometrics (fingerprint, iris, or face) or a device you have (token, cell phone, smart card, USB key).  Just like high security installations have more than one layer of security, you want the same layers of security verifying that you are really you online.

The ugly reality of the accounting profession is that a significant breach would undermine the confidence that others have in the profession, and could send us back to the ‘90s with some technologies used in business today.  It’s hard enough to be a small business in our economy without having to deal with concerns about security of data.

It’s time for two factor authentication with online services, people.  Ask your vendors about their support for it, and look for opportunities to protect your data with these types of authentication regimes.  It’s time for this technology – we can’t wait for some practitioner to lose their house over an online information breach to deal with this significant issue.