We are running the last regression tests on WebApp 2.0RC. This release is due next week, so stay tuned! #exciting
As there are several levels of, and ways to, secure access to your email, we want to share our thoughts on easy-to-use and secure solutions. We often encounter the challenge of having too many passwords, or weak passwords that are reused too often.
The recent hacks at e.g. SONY, Nortel and LinkedIn have shown the risk of reusing the same password for several services. Once one service is hacked, the stolen credentials can be used again and again to get e.g. more data, more email addresses, more credit card details.
To prevent weak passwords from being reused for several services, one can think of using:
Really secure passwords are painful to use, because you would need such a password for every service on the internet, preferably changed from time to time. The only way a normal person can manage this is with a password repository. An analog repository (notes on paper) sounds familiar, but that doesn't fit in the 21st century and is NOT secure at all. Digital repositories on your mobile device, or a service on the internet, are the more nerdish way to do it these days.
Still, one very important security issue is not covered: the so-called "man in the middle" attack and the possible infection of a device with a virus. When someone "captures" the connection from a device to a server, or gets access to the device itself, he can simply record the user name and password.
The answer is OTPs (one-time passwords). These passwords are only used once, so recording them will not help to hack a system. To use OTPs in a reliable way, you need a device that generates these passwords whenever you need them. Such devices have been available for quite some years. Usually they are tied to a proprietary service under the control of a company, so you first have to buy a device and then pay a yearly fee for the service. Next to that, you have to trust that specific company and their "hidden" technology. The recent hack at RSA has impressively shown that proprietary technology and big companies fail very easily.
The ideal solution would be an inexpensive, easy device that generates these OTPs, combined with a service. Preferably this technology is open source, to guarantee that many clever people can check whether it is indeed secure, and to ensure that several services can compete on ease of use and cost.
Well, a solution that covers all of this is the YubiKey. The YubiKey is a hardware authentication token that looks like a small USB memory stick, but it is actually a keyboard. At the command of an integrated touch button, the device sends a time-variant, secure login code as if it were typed on a keyboard. And because USB keyboards are standard on all computers, the YubiKey works on all platforms and browsers without the need for client software.
The YubiKey's operation and output are configurable, but the basic OTP generation scheme can be conceptually described as:
At Zarafa, we were curious to learn more about the YubiKey's two-factor authentication (username and password plus OTP) and how it enables secure webmail access. Have a look at the Zarafa YubiKey authentication integration and feel free to test it yourself.