I was already thinking about mandatory two-factor authentication before Heartbleed. What prompted it was Naoki Hiroshima's post on Medium detailing how his GoDaddy and PayPal accounts were hacked in order to gain control of the Twitter handle @N.
Minda Zetlin of Inc. magazine recently published an article, "Heartbleed Proves the Password Is Dead. This Is What You Need Now".
In the article Zetlin argues that no matter how good you think your password is, advances in technology mean it can still be cracked.
From the article:
The Heartbleed bug has made plain what everyone in cybersecurity already knew, whether they admit it or not: Passwords are dying. All of them. Got one of those fancy pieces of software that invents a unique and un-rememberable password for every one of your accounts? It’s not enough. Do you make a new password for every service, based on a phrase so that you can remember it but the dictionary can’t find it? That’s certainly worth doing, but it may not help you.
The Heartbleed fiasco is just the latest in a series of events that demonstrate the password’s obsolescence. In the past year or so, Evernote, LivingSocial, and Drupal are just three of the high-profile online services where passwords were stolen despite having been encrypted.
Even if that weren’t true, it might not matter, as computers get fast enough, and algorithms sophisticated enough to guess the passwords of many or most users by brute force–even those smart enough not to use their kids’ names, birth dates, alma maters, or anything else a clever bit of software could sniff out. Anything from your bank to your social media account that you access simply by typing a password into a computer or mobile device is not as secure as it should be or could be–no matter how sophisticated that password may be.
Read the full article here
Then there was news on the Huffington Post that the U.S. government was advising users of HealthCare.gov to change their passwords.
From the article:
WASHINGTON (AP) — People who have accounts on the enrollment website for President Barack Obama’s signature health care law are being told to change their passwords following an administration-wide review of the government’s vulnerability to the confounding Heartbleed Internet security flaw.
Senior administration officials said there is no indication that the HealthCare.gov site has been compromised and the action is being taken out of an abundance of caution. The government’s Heartbleed review is ongoing, the officials said, and users of other websites may also be told to change their passwords in the coming days, including those with accounts on the popular WhiteHouse.gov petitions page.
The Heartbleed programming flaw has caused major security concerns across the Internet and affected a widely used encryption technology that was designed to protect online accounts. Major Internet services have been working to insulate themselves against the problem and are also recommending that users change their website passwords.
Officials said the administration was prioritizing its analysis of websites with heavy traffic and the most sensitive user information. A message that will be posted on the health care website starting Saturday reads: “While there’s no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers’ passwords out of an abundance of caution.”
Read the full article here
So has the time come for two-factor authentication to be mandatory? Domains are a valuable asset for many domain investors, and it is certainly nerve-racking to have to go out and recover a stolen domain. It is also nerve-racking for the registrar and usually brings some bad PR in the short term.
So maybe by making this a mandatory requirement, laid out in the terms of service, registrars could help registrants be more secure and provide a benefit to both in the long run.
Rubens Kuhl says
Our web interface has two-factor authentication, but even so we asked customers to change passwords after Heartbleed. We are glad that those with 2-factor took less risk than the others, but every n-factor authentication requires all its factors to be secure to fulfil its promise.
But considering the complexity of 2-factor auth for the average user, we have no plans to make it mandatory. We encouraged Alexa Top-N domain administrators to move to 2-factor, even giving them hardware to run them, but I don’t see the average user ready for it.
Raymond Hackney says
Thank you Rubens for your input.
John Berryhill says
What do you mean by “mandatory”?
Surely, you don’t mean passing a law or regulation of some kind.
Raymond Hackney says
Hello John, always nice to hear from you, I mean that a registrar says when you open an account that you must use two factor authentication to protect your account.
I was only speaking for the domain industry and registrars.