Password Pilfering: Amazon, Twitter, Evernote Take On The Identity Crisis


Amazon is the latest organization to harden its account credential mechanisms, unveiling support for federated authentication this week.

Amazon rolled out the Login With Amazon identity service together with web identity federation for Amazon Web Services, which lets businesses building on AWS allow their customers to sign in with Facebook, Google or Amazon.com credentials and exchange that sign-in for temporary access to AWS resources. The service supports websites and Android and iOS apps and uses the OAuth 2.0 open authorization standard.

"Web identity federation enables your users to sign in to your app using their Amazon.com, Facebook or Google identity and authorize them to seamlessly access AWS resources that are managed under your AWS account," wrote Jeff Wierer, principal product manager in the AWS Identity and Access Management team, in a blog post about the announcement. "If you are building a mobile or a client-based application, you can now integrate these three popular identity providers and authorize users without any server-side code and without distributing long-term credentials with the app."


AWS users have had the ability to implement multifactor authentication for their accounts for some time. The service supports standard two-factor authentication, requiring users to confirm their identity with a code from a hardware token or a virtual MFA application on a mobile device as the second factor. The service also supports temporary credentials for restricted access to resources; these expire automatically and are issued programmatically through the AWS Security Token Service (STS) APIs.
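To make the federation mechanism concrete, here is a small simulation of the flow the paragraphs above describe: an IAM role whose trust policy admits only tokens from one identity provider that were issued to one application, and the short-lived credentials a successful exchange returns. This is an added illustration, not AWS's or the article's code. The policy shape and the condition key `www.amazon.com:app_id` follow the published IAM documentation, but the decoded token claims, the credential fields, the 900-3600 second duration clamp and the `assume_role_with_web_identity` function are modelled here rather than calling the real STS API, which also validates the token with the provider before evaluating the policy.

```python
"""Simulated AWS web identity federation: a role trust policy evaluated
against an identity-provider token, then expiring credentials issued.
Added example; models STS behaviour, does not call AWS."""
import base64
import secrets
import time

# Trust policy in the shape the IAM documentation shows for Login with Amazon.
# Only tokens from provider "www.amazon.com" issued to this application id may
# assume the role. (Facebook and Google use graph.facebook.com:app_id and
# accounts.google.com:aud for the same purpose.)
ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "www.amazon.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {"www.amazon.com:app_id": "amzn1.application.example"}},
    }],
}

# Assumed clamp for this simulation; check the current STS limits for real use.
MIN_SECONDS, MAX_SECONDS = 900, 3600


class AccessDenied(Exception):
    """Raised when no Allow statement in the trust policy matches the token."""


def _policy_allows(policy: dict, provider: str, claims: dict) -> bool:
    """True if some Allow statement names this provider as the federated
    principal and every StringEquals condition matches the token's claims.
    A statement with no Condition accepts any token from that provider, which
    is exactly why the app_id condition matters: without it, any other app's
    users signed in through the same provider could assume the role."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        if stmt.get("Principal", {}).get("Federated") != provider:
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        # Condition keys look like "<provider>:<claim>"; compare the claim part.
        if all(claims.get(key.split(":", 1)[1]) == wanted
               for key, wanted in conditions.items()):
            return True
    return False


def assume_role_with_web_identity(policy: dict, provider: str, claims: dict,
                                  duration_seconds: int = 3600, now: float = None) -> dict:
    """Return temporary credentials if the token satisfies the trust policy.
    The app never holds long-term keys; everything it gets expires."""
    if not MIN_SECONDS <= duration_seconds <= MAX_SECONDS:
        raise ValueError("DurationSeconds out of range")
    if not _policy_allows(policy, provider, claims):
        raise AccessDenied("token not accepted by role trust policy")
    issued = time.time() if now is None else now
    return {
        "AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),          # random, illustrative
        "SecretAccessKey": base64.b64encode(secrets.token_bytes(30)).decode(),
        "SessionToken": base64.b64encode(secrets.token_bytes(48)).decode(),
        "Expiration": issued + duration_seconds,
        "SubjectFromWebIdentityToken": claims.get("user_id", claims.get("sub")),
    }


def token_accepted(policy: dict, provider: str, claims: dict) -> bool:
    """Convenience wrapper: does this token get credentials at all?"""
    try:
        assume_role_with_web_identity(policy, provider, claims, MIN_SECONDS)
        return True
    except AccessDenied:
        return False


def credentials_valid(creds: dict, now: float = None) -> bool:
    """Temporary credentials stop working at Expiration; callers must refresh."""
    return (time.time() if now is None else now) < creds["Expiration"]


if __name__ == "__main__":
    # Constructed claims standing in for a decoded Login with Amazon token.
    claims = {"app_id": "amzn1.application.example", "user_id": "amzn1.account.AEXAMPLE"}
    creds = assume_role_with_web_identity(ROLE_TRUST_POLICY, "www.amazon.com", claims, 900)
    print("issued", creds["AccessKeyId"], "expires", creds["Expiration"])
```

Two checks are worth running against any real role of this kind: a token issued to a different application id must be refused, and so must a token from a provider the policy does not name, even if its claims happen to look identical.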

A spate of password data breaches and security incidents has led to increased attention on ways to bolster account credential systems. Password use has gotten out of control, with people reusing the same weak passwords across multiple accounts, said George Waller, executive vice president and co-founder of Strikeforce Technologies, which sells an out-of-band, multifactor authentication technology. Cybercriminals also trick users into giving up their credentials through phishing scams or malware designed to steal usernames and passwords.

"People are seriously lacking with the way they create and maintain their passwords and this creates the need for businesses to do something about it," Waller told CRN. "It's been an ongoing problem that needs to be addressed."

LinkedIn, which suffered a massive breach in 2012 that exposed some 6.5 million users' unsalted SHA-1 password hashes, announced Friday the launch of two-factor authentication.

Twitter, which addressed a password breach earlier this year as well as account hijacking of high-profile users, launched two-factor authentication last week. Twitter users who enable the feature are prompted to verify their identity when logging into their Twitter account by entering a code texted to a registered mobile phone, according to Jim O'Leary, a member of Twitter's product security team. Twitter claims the login verification service can be turned on in one minute.

Evernote, which reset the passwords of 50 million users in March following a serious data breach of its systems, also implemented two-factor authentication Thursday. The verification service uses a six-digit verification code and a set of one-time backup codes for users, said Seth Hitchings, Evernote's development team leader, in the company's blog. The new feature is available to Evernote Premium and Evernote Business users and will be made available to all users in the future, Hitchings wrote. Evernote also rolled out a feature so users can view the access history of their accounts, and a new revocation feature lets users cut off a specific Evernote mobile app's access in the event of a lost or stolen tablet or smartphone.
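The two pieces Evernote describes, a six-digit verification code and a set of one-time backup codes, are standard enough to show end to end. The block below is an added example, not Evernote's or the article's code. It assumes the six-digit code is an RFC 6238 time-based one-time password (the article does not say which scheme Evernote uses), and it uses the shared secret from the RFC 4226/6238 test vectors so the output can be checked against the published values. The replay guard, the drift window, the peppered digest for stored backup codes and all function names are choices made here.

```python
"""Six-digit time-based codes (RFC 6238) plus one-time backup codes.
Added example; not Evernote's implementation."""
import hashlib
import hmac
import secrets
import struct
import time

# Constructed demo secret: the shared key used by the RFC 4226/6238 test vectors.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock (30 s steps)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int = None,
                last_counter: int = -1, window: int = 1, step: int = 30,
                digits: int = 6):
    """Check a user-supplied code against the current step and +/- `window`
    steps to absorb clock drift, refusing any counter at or before the last
    one accepted so a code sniffed in transit cannot be replayed.
    Returns (accepted, counter_to_store_for_this_user)."""
    if len(submitted) != digits or not submitted.isdigit():
        return False, last_counter
    now = int(time.time()) if unix_time is None else unix_time
    current = now // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, last_counter


def _backup_digest(pepper: bytes, code: str) -> str:
    """Keyed digest of a normalised code; the pepper lives outside the user DB."""
    return hmac.new(pepper, code.strip().lower().encode(), hashlib.sha256).hexdigest()


def generate_backup_codes(pepper: bytes, count: int = 10):
    """Return (codes_to_show_the_user_once, digests_to_store). Only the keyed
    digests are persisted, so a leaked table does not yield usable codes."""
    codes = [secrets.token_hex(5) for _ in range(count)]   # 10 hex chars, 40 bits each
    return codes, {_backup_digest(pepper, c) for c in codes}


def redeem_backup_code(pepper: bytes, stored: set, submitted: str) -> bool:
    """Each backup code works exactly once: a hit is removed from the store."""
    digest = _backup_digest(pepper, submitted)
    if digest in stored:
        stored.remove(digest)
        return True
    return False


if __name__ == "__main__":
    print("code for T=59:", totp(DEMO_SECRET, 59))
    codes, store = generate_backup_codes(secrets.token_bytes(32))
    print("backup codes:", " ".join(codes))
```

The `last_counter` value returned by `verify_totp` is the piece that is easy to forget: it has to be written back to the user's record, otherwise the same code is accepted again for as long as the drift window keeps it alive.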

The problem of finding ways to better authenticate users extends beyond social networks and cloud platforms. Enterprises often botch their own authentication systems, said Chris Camejo, director of consulting and professional services at Integralis, a Bloomfield, Conn.-based security services provider. Businesses that need to provide authentication for customer websites, support forums and some corporate Web applications often leave holes for remote attackers, said Camejo, who leads a team of ethical hackers who conduct penetration tests on corporate networks.

"People are bad at implementing authentication systems," Camejo said. "They roll out their own and use programmers who have no training and experience in building strong authentication systems or addressing the underlying problems that increase risk."

PUBLISHED MAY 31, 2013

This story was updated on May 31, 2013, at 12:10 a.m. PST, to include LinkedIn's two-factor authentication announcement.