Alleged Romney Email Hack Underscores Need for Two-Factor Authentication

Amid allegations that the Hotmail account of GOP presidential candidate Mitt Romney has been hacked, discussions around ways to improve information security are focusing on increased adoption of two-factor authentication.

Romney’s email address was published on Tuesday as part of an article in the Wall Street Journal. A few hours later, the website, ’Gawker,’ reported that it has been contacted by an individual who had claimed to access that account, as well as Romney’s Dropbox account, by reporting a lost password and correctly guessing that Romney’s dog, ’Seamus,’ is his favorite pet, in response to a password challenge question.

Though the claim has not yet been verified, an investigation has been launched in an effort to avoid circumstances similar to the 2008 Yahoo mail hack against Sarah Palin, and the subsequent false messages that were sent as Election Day approached.

[Related: At Least 6.5 Million Passwords Possibly Compromised ]

The incident has renewed discussion on the importance of two-factor authentication in making sure that only the rightful owner gains access to the account, whether that account be an email address, a savings account or any other private file that may be accessed online.

’Hotmail and other email providers typically use an authentication system that is inherently insecure," said Scott Goldman, CEO, TextPower, Inc., an information security vendor based in San Juan Capistrano, California. ’They ask where you were born, the name of your spouse, your favorite pet and things of that nature. Any hacker worth his salt is going to be able to run a program that can do multiple guesses to break into that. That is exactly what happened to Mr. Romney.’

Goldman advocates a two-factor authentication process that uses the pervasive username/password format but then requires a follow-on token-based challenge dependent upon a device. RSA’s SecurID serves as an example of such a device.

NEXT: Another Solution

TextPower offers a variation on that same theme. But instead of using a standalone, pocket-sized device, the user’s mobile phone is used to carry the additional credential.

’If Hotmail used our TextKey product, after you clicked that you had lost your password, a code would come up on your screen. That code would need to be texted into the designated mobile phone. Each device carries a unique electronic identifier called a UDID (Unique Device Identifier). When you send a text message, that UDID gets included in the string of information that gets sent into the carrier system. If the carrier does not recognize that UDID, or sees it as a fraudulent, authentication is rejected. So in Romney’s case, the attacker would have needed Romney’s phone in his physical possession in order to access the account.’

Goldman added that two-factor authentication has seen limited uptake because of a lack of awareness. ’In the same way that many people do not backup their computers, most people do not have adequate security on their infrastructure because they just don't think it's going to happen to them,’ he said.

Goldman acknowledged that two-factor authentication can sometimes be complicated to set up and can be difficult to maintain. But as digital threats become increasingly pervasive, adoption of this technology becomes increasingly important.