The news of the Heartbleed bug struck fear into the hearts of millions. When the news broke in early April that a vulnerability in OpenSSL — a commonly used cryptographic library — could allow encrypted data to be stolen, a number of major retailers, social media networks and other websites scrambled to notify consumers that their passwords may have been compromised and that they needed to change their credentials immediately.
However, some experts pointed out that while changing passwords was a valuable first step toward mitigating the potential damage that Heartbleed could cause, the vulnerability brought to light a much larger issue. Because Heartbleed revealed that vulnerabilities in the databases that store passwords could expose data just as easily as the behavior of the users themselves, there is a need for additional security measures. Many point to two-factor authentication token solutions as a logical next step toward better protecting sensitive data.
Understanding Heartbleed
Heartbleed has already been covered in extensive detail, but to review, it was one of the most significant vulnerabilities ever to be exposed. Essentially, the bug allows a hacker with the ability to log in to servers using OpenSSL to see any of the data that is contained on that server in 64-bit chunks.
And what was on many of the compromised servers was data that was being encrypted and decrypted over SSL/TLS channels, including usernames and passwords, SSL keys, session IDs and other private information. In some cases, that meant that hackers could potentially see passwords in plain text. With the right resources and enough time, it would not be difficult for a hacker to pull together massive lists of usernames and passwords to steal data from some of the largest websites in the world.
Because some of the sites that were left open to this vulnerability don’t necessarily store users’ sensitive data, many people questioned what the real problem was. Some expected that the biggest outcome would be an increase in spam as a result of Heartbleed. However, the problem was far greater than that for several reasons.
First, some of the sites that were vulnerable do contain sensitive information; some email services, for example, had this vulnerability. That means that a hacker could gain access to private email accounts and steal information that leads to a bigger payoff. It could also grant them access to contact lists, increasing the likelihood of phishing attacks.
Second, because many people continue to use the same username and password on multiple accounts, despite being warned against doing so, it is likely hackers would take the information gained via Heartbleed and attempt to use it elsewhere.
The Role of Two-Factor Authentication
Given that passwords were among the data made most vulnerable by Heartbleed, many experts are now calling for more widespread adoption of two-factor authentication.
By providing a token, a one-time-use code or some other item or piece of information in addition to a username and password, you reduce the likelihood that someone can access your accounts even if they do manage to acquire your password. As some experts point out, Heartbleed still would have been dangerous, but if everyone used two-factor authentication, the information gathered would have been less useful, or even useless, to the hackers.
The type of two-factor authentication employed can vary based on the sensitivity of the data being protected. For example, many online services, such as Twitter and most email services, use one-time-use codes to protect accounts. Users who opt for two-factor authentication are prompted to enter a unique PIN or code when they attempt to log in from an unfamiliar device; the PIN is usually sent via text message.
In many cases, the one-time-use code effectively protects accounts. There are limitations, of course, but overall, that form of two-factor authentication keeps accounts locked down. When protecting a corporate network, however, you may need to take it one step further. Many organizations are shifting to a security model that requires employees to provide a security token, usually in the form of a USB device, to gain access to the network. In some cases, the tokens are equipped with one-time PINs as well, meaning that the user must have the token, the access code and a password to gain access to the network. In this case, even if a hacker manages to access a password and the code, without the token that information is useless.
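To make the "password alone is not enough" point concrete, here is an added illustration (not code from the article or from any vendor mentioned in it) of a server-side login check that requires both a password and a single-use, expiring code; the user store, salt and code lifetime are constructed values for the example.

```python
import hashlib
import hmac
import secrets

# Constructed demo data: one user whose password is stored as a salted PBKDF2 hash.
SALT = b"constructed-demo-salt"

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"alice": hash_password("correct horse")}

# Pending one-time codes: username -> {"code", "expires", "attempts"}.
PENDING = {}
CODE_TTL = 300       # seconds a code stays valid (assumed lifetime)
MAX_ATTEMPTS = 3     # wrong guesses allowed before the code is discarded

def issue_code(user: str, now: float) -> str:
    """Create a fresh 6-digit code for the user; a real service would send it by SMS/app."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[user] = {"code": code, "expires": now + CODE_TTL, "attempts": MAX_ATTEMPTS}
    return code

def login(user: str, password: str, code: str, now: float) -> bool:
    """Succeed only if the password AND an unused, unexpired code both match."""
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored, hash_password(password)):
        return False                      # stolen password still has to pass here
    pending = PENDING.get(user)
    if pending is None:
        return False                      # no code issued: password alone is useless
    if now > pending["expires"]:
        del PENDING[user]                 # expired codes are never accepted
        return False
    if not hmac.compare_digest(pending["code"], code):
        pending["attempts"] -= 1          # limit guessing of the second factor
        if pending["attempts"] <= 0:
            del PENDING[user]
        return False
    del PENDING[user]                     # consume the code: it is single-use
    return True
```

Because the code is deleted on success, replaying a captured password and code a second time fails, which is the property the article relies on.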
As hackers become more sophisticated, and discover the limitations of existing security measures, it’s becoming increasingly important to take extra steps to protect sensitive data. As the Heartbleed bug shows, even passwords aren’t always enough to keep data safe, so it is time to start adding extra layers of protection.