Qualys is now providing two-factor authentication technology to its vulnerability management service customers for free. The software-as-a-service offering is Symantec's VeriSign Identity Protection (VIP) Authentication Service. Symantec completed its acquisition of VeriSign in August. The VIP Authentication Service is software that is installed on a device, such as a desktop or laptop computer or a smartphone. The user enters a username and password, after which the software generates a six-digit code that the user enters to gain access.
The extra level of security is akin to the procedure someone follows to use an automated teller machine where they have to both insert their ATM card and enter their passcode. Either one is useless without the other, explained Corey Bodzin, director of product management for Qualys. "Most authentication in the IT realm today is single-factor; it's something you know, like your username and password. Two-factor authentication is when you add something you have," Bodzin said.
The six-digit code generated by the VIP application changes every 30 seconds, so that even if someone manages to obtain the username, password and the code, the code will have changed by the time they try to use it. The VIP Authentication Service creates a software token, as opposed to a hardware token such as a key fob that a user carries around to generate the code, Bodzin said. Hardware tokens of that kind can be more expensive and more difficult to set up than the software solution.
Two-factor authentication provides an added layer of protection for enterprises that find that their employees' password protection is weak because passwords are easy to guess, according to a recent report from the Imperva Application Defense Center, a research firm.
The report collected data from a number of studies and showed that 30 percent of computer users create passwords of six or fewer characters, that half of users use the same or similar password for multiple Web sites, and that nearly 50 percent use common consecutive characters such as 123456 or QWERTY.