A few months back I was worrying about the readiness of SaaS vendors to protect users from password-related attacks, whether through phishing, key logging, or any of the many other ways in which users’ passwords can be snatched.
When thinking about how we use SaaS, I am worried about the risks associated with password reuse by most users. This is a major concern as we move into a SaaS-based world. Sooner or later, we are going to see multiple schemes to grab the passwords of SaaS applications, causing havoc on a scale that we haven’t yet seen in this web era.
With more and more adoption of SaaS in the SME sector and even among bigger enterprise players, the attempts to snatch passwords are only going to increase big time. In my previous avatar as a System Admin, I have seen how users greatly help the attackers by keeping very simple, easy-to-guess passwords and, also, how they keep the same password on all their services, from email to even bank accounts. In my earlier post mentioned above, I was talking about a security vendor who might have the right solution for such problems. The only way to completely solve the password security problem is by not allowing system access to anyone, including the admin. Such a system is completely meaningless, however, so as an alternative we can only try to minimize the impact of attacks on users’ passwords. SyferLock is one such vendor, using an innovative way to reduce the impact of attacks on passwords drastically.
Traditionally, approaches to authentication range from reusable passwords on one end of the spectrum to two-factor authentication (2FA) with a one-time password on the other end. Reusable passwords are convenient, with less burden on users and a lower TCO for service providers, but they are very insecure and vulnerable to attacks. The 2FA approach is very secure, but it is less convenient for users, adding layers of difficulty, and it also adds burden on the service providers by increasing the TCO. There are many different approaches to this problem that take a middle path, offering some convenience to the users while keeping the security up and tight. SyferLock’s approach is unique in that it offers users the convenience of reusable passwords while giving the security of one-time passwords.
SyferLock’s family of products is based on their Grid Data Security Solution, a unique methodology that offers a flexible and powerful way to let users keep their existing passwords while leveraging deviceless one-time passwords to access their information securely. As stated above, users can use their existing passwords without any modifications, and service providers can also keep their existing infrastructure for account management. The one-time passwords are provided without the need for any additional devices and with zero footprint on the service provider’s client side, in the form of either hardware or software. Their solution is integrated into the service provider’s existing web properties and communicates securely with the grid server to authenticate the user and then allow access to the provider’s web service(s).
Let me briefly explain how their technology works. At the time of login, the user is presented with a grid in which each cell represents one character on the keyboard. The character in the cell is surrounded by four numbers, one at each of the four corners of the cell. When the user sets up the account, the userid and the corresponding password are stored in the secure grid server. The user also selects the corner he/she will use for generating the one-time password. On the service provider’s website/application, the traditional login interface is replaced by SyferLock’s login grid. The user types the userid and the one-time password corresponding to his/her actual password by picking, for each character of the original password, the number at the chosen corner of that character’s cell. The numbers in each cell of the grid are randomly generated using their algorithm, so the user has a completely unique combination for the password at every login. The userid and the one-time password are then sent to the secure grid server/appliance for authentication. Once the user is authenticated, the service provider’s webserver lets the user access the application/web service. You can see how it works by visiting this page.
Even though this approach cannot stop all attacks, it eliminates or mitigates attacks such as keyloggers, shoulder surfing, brute-force attacks, phishing, dictionary attacks, attacks on passwords stored in the browser, wifi or other network sniffing attacks, etc. Their algorithm is designed in such a way that an attacker who sits in the middle and observes the patterns of the randomly generated numbers will not be able to obtain the passwords. It is also possible to set their grid to use two-factor authentication with one password and one PIN. This helps further secure the authentication process for applications requiring higher levels of security. There are other options to tighten security, including the use of decoy digits in the one-time password.
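To make the grid login flow described in the two paragraphs above concrete, here is a small Python model of it. This is an added illustration, not SyferLock’s code or algorithm: the cell alphabet, the corner names and the server class are assumptions of this example, and the point it shows is that each grid is issued per login attempt and consumed on first use, so a captured one-time password is of no use against the next login.

```python
import secrets
import string

# Assumed cell alphabet: the page says every keyboard character gets a cell;
# this constructed example uses lowercase letters and digits only.
CELL_CHARS = string.ascii_lowercase + string.digits
CORNERS = ("top_left", "top_right", "bottom_left", "bottom_right")


def generate_grid():
    """Fresh random grid: every cell character gets one digit per corner."""
    return {ch: {corner: secrets.randbelow(10) for corner in CORNERS}
            for ch in CELL_CHARS}


def derive_otp(grid, password, corner):
    """What the user types: the digit at their chosen corner for each password char."""
    try:
        return "".join(str(grid[ch][corner]) for ch in password)
    except KeyError as exc:
        raise ValueError(f"character not in grid: {exc}") from None


class GridServer:
    """Hypothetical grid server: enrolls users, issues one grid per login attempt."""

    def __init__(self):
        self.users = {}     # userid -> (password, corner); constructed, plaintext for clarity
        self.pending = {}   # userid -> grid issued for the login attempt in progress

    def enroll(self, userid, password, corner):
        if corner not in CORNERS:
            raise ValueError("unknown corner")
        self.users[userid] = (password, corner)

    def issue_grid(self, userid):
        """Called when the login page is rendered; the grid is tied to this attempt."""
        grid = generate_grid()
        self.pending[userid] = grid
        return grid

    def verify(self, userid, otp):
        # Consume the grid first: a second submission, even a correct replay, is rejected.
        grid = self.pending.pop(userid, None)
        record = self.users.get(userid)
        if grid is None or record is None or not otp.isascii():
            return False
        password, corner = record
        return secrets.compare_digest(otp, derive_otp(grid, password, corner))
```

Because the server must recompute the expected digits, it needs the enrolled password (or equivalent per-character material) available at verification time, which is why the page stresses that the grid server itself is kept secure.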
Even though their solution can fit many different cases involving the authentication of users before they interact with mission-critical data and applications, such as remote authentication (SSL VPN), intranets and extranets, e-mail, Microsoft Windows desktops, etc., I am most excited about the potential of SyferLock’s technology for SaaS vendors. As SaaS applications mature and experience widespread adoption, the bad guys are definitely going to target the passwords of SaaS users. By implementing a solution like SyferLock’s Grid Data Security Solution, SaaS vendors can eliminate many risks and thereby offer a higher level of security for users’ data. This is the kind of solution SaaS vendors should be considering in this Cloud-based era. It becomes all the more important as SaaS vendors target enterprise players to adopt their applications.
Their technology is extremely cost effective and offers the following advantages to SaaS providers.
- Extremely flexible, highly scalable, very cost-effective authentication solution
- Totally non-intrusive approach to implementing stronger levels of security
- Cost effectiveness implies a much lower TCO
- A high level of customization ensures that the security solution can be implemented internationally across many languages
- A great alternative to the federated identity model, without any need to share database information or sync databases regularly
SyferLock’s solution addresses U.S. and international authentication regulations and guidelines such as PCI DSS, FFIEC, SOX, GLB, HIPAA, FISMA, PIPEDA, 21 CFR Part 11, Annex 11, BASEL II, and the European and Japanese Data Protection Directives. Any SaaS vendor who is serious about the security of their app should take a look at SyferLock’s technology and evaluate whether it is cost effective compared to developing an in-house enhanced security solution.
During the recently concluded RSA conference in San Francisco, Network World gave SyferLock its Most Innovative Product Award and PC World gave it a Top 20 Hottest Product of the Year Award. Feel free to check out this video about their solutions. I have seen their demo and I am thoroughly convinced about its viability in the SaaS-based world. It is time for SaaS vendors to take a look at their offerings too.