Qualys Adds Two-Factor Authentication To Service


October 18, 2010


Qualys is now providing two-factor authentication technology to its vulnerability management service customers for free. The software-as-a-service offering is Symantec's VeriSign Identity Protection (VIP) Authentication Service. Symantec completed its acquisition of VeriSign in August. The VIP Authentication Service is software that is installed on a device, such as a desktop or laptop computer or a smartphone. The user enters a username and password, after which the software generates a six-digit code for the user to enter to provide access.

The extra level of security is akin to the procedure someone follows to use an automated teller machine where they have to both insert their ATM card and enter their passcode. Either one is useless without the other, explained Corey Bodzin, director of product management for Qualys. "Most authentication in the IT realm today is single-factor; it's something you know, like your username and password. Two-factor authentication is when you add something you have," Bodzin said.

The six-digit code generated by the VIP application changes every 30 seconds so that even if someone manages to obtain the username, password and the code, the code number will have changed by the time they try to use it. The VIP Authentication Service creates a software token as opposed to a hardware token, such as a key fob a user would carry around that would generate the code number, Bodzin said. Hardware solutions such as that can be more expensive and difficult to set up compared to the software solution.

Two-factor authentication provides an added layer of protection for enterprises that find that their employees' password protection is weak because passwords are easy to guess, according to a recent report from the Imperva Application Defense Center, a research firm.

The report collected data from a number of studies and showed that 30 percent of computer users create passwords of six or fewer characters, half of users use the same or similar password for multiple Web sites and that nearly 50 percent use common consecutive characters such as 123456 or QWERTY. With weak passwords, hackers can use software that rapidly generates passwords to guess the right one. "The combination of poor passwords and automated attacks means that in just 110 attempts, a hacker will typically gain access to one new account every second or a mere 17 minutes to break into 1000 accounts," Imperva stated.

The report passed on security recommendations from the National Aeronautics and Space Administration (NASA): Passwords should contain at least eight characters; they should contain a mix of numbers, upper- and lower-case letters and special characters such as #%&*; and should not be a name, a slang expression or "any word in a dictionary."

Qualys announced the availability of the VIP Authentication Service to its QualysGuard enterprise customers at RSA Conference Europe 2010, a computer security convention held this week in London.
