
HTTPS and 2FA: striking back against account compromise and hijacking

Securing infrastructure and applications can be a challenge to even the most mature and security-conscious organisations but there are two simple things that almost every organisation and individual can do to reduce the risk of their applications or accounts being compromised and hijacked: implementing HTTPS and two-factor authentication (2FA, also known as strong authentication).

Many Internet giants such as Google, Microsoft, Facebook and LinkedIn already offer the option of requiring both HTTPS and 2FA when using their services, and if you care about the security of your account you should enable them. What is less widely known is that you can implement 2FA for your own applications as well, using freely available resources.

Google Authenticator, for example, makes the same technology Google uses available for your own applications and systems: it provides mobile authenticator apps as well as a pluggable authentication module (PAM) that can be integrated with PAM-aware applications and systems. Tokenizer offers a similar product (both a free standard and a commercial pro version); the Mobile-OTP project is another option.

If you have a limited budget for securing your Web app or systems, implementing HTTPS and 2FA may be one of the most cost-effective ways to improve their security.