AWS News Blog

Getting Secure *In* the Cloud: Hosted Two-factor Authentication

Ds3cloudas One of the aspects that attracted me to come work at AWS was my sense that the cloud is becoming a logical place in which to build security solutions. Now, two of my favorite notions — deploying security into the cloud and accelerating the adoption of multi-factor authentication — have come together with DS3 CloudAS, a two-factor authentication server from Data Security Systems Solutions built as a virtual appliance AMI.

To help you understand why I think this is so cool, a brief security lesson is in order. Three important principles are necessary to ensure that the right people are doing the right things in any information system:

  • Identification. This is how you assert who you are to your computer. Typically it’s your user name; it could also be the subject name on a digital certificate.
  • Authentication. This is how you prove your identity assertion. The computer won’t believe you until you can demonstrate knowledge of a secret that the computer can then verify. Typically it’s your password; it could also be the private key associated with a digital certificate. Authentication sequences never send the actual secrets over the wire; instead, the secrets are used to compute a difficult-to-reverse message. Since (presumably) only you know your secret, your claim is valid.
  • Authorization. This is what you’re allowed to do once the computer grants you access.

Unfortunately, humans aren’t very good at generating decent secrets and frequently fail at keeping them secret. Multi-factor authentication mitigates this carbon problem by requiring an additional burden of proof. Authentication factors come in many varieties:

  • Something you know. A password; a PIN; a response to a challenge.
  • Something you have. A token; a smartcard; a mobile phone; a passport; a wristband.
  • Something you are or do. A tamper- and theft-resistant biometric characteristic; the distinct pattern of the way you type on a keyboard; your gait. (Note: I disqualify fingerprints as authenticators because they aren’t secret: you leave yours everywhere you go and are easy to forge. Fingerprints are identifiers.)

Strong authentication combines at least two of these. My preference is for one from the “know” category and one from the “have” category because individually the elements are useless and because the combination is easy to deploy (you’d quickly tire of having to walk 100 paces in front of your computer each time you logged on!).

Several products in the “have” category compete for your attention. The DS3 CloudAS supports many common tokens so that you have a choice of whose to use. In some cases you might require using a dedicated hardware device that generates a random time-sequenced code. My favorite item in the “have” category is a mobile phone. Let me illustrate why.

Mobile phones provide out-of-band authentication. Phishing succeeds because bad guys get you to reveal your password and then log into your bank account and clear you out. Imagine that a bank’s website incorporates transaction authentication by sending a challenge to your pre-registered mobile phone and then waits for you to enter that challenge on the web page before it proceeds. This technique pretty much eliminates phishing as an attack vector — an attacker would need to know your ID, know your password, and steal your phone. Indeed, the idea isn’t really imaginary: it’s already in place in many banks around the world. (These are the smart banks who realize that two-factor authentication just for logon isn’t sufficient.)

Ds3oauthappThe DS3 CloudAS virtual appliance makes it easy to build strong authentication (logon and transaction) into your applications without having to invest in and maintain on-premise authentication hardware. It’s a DevPay AMI that provides a complete self-contained pay-as-you-go implementation of DS3’s Authentication Server. If this interests you, I encourage you to consider using mobile phones as the second authentication factor. They free your customers from having to purchase expensive and easy-to-lose hardware tokens — people jealously guard their phones and everyone knows how to use SMS. And yup, there’s even an app for that.

> Steve <