This week Facebook announced the availability of new security features for its users. Two significant features of note are the always-on "HTTPS" secure sessions, as well as the availability of two-factor authentication (aka strong authentication).

The use of "HTTPS" by websites enables secure information transmission, which helps protect users when sharing or sending personal information online. Many popular websites have added the HTTPS (where the "S" at the end of HTTP stands for "secure") this year due in part to the availability of interception tools like Firesheep. The presence of an SSL (secure sockets layer) certificate is what makes the HTTP session secure [see example: VeriSign SSL]. The implementation of HTTPS by Facebook is currently an opt-in feature but it would be to the benefit of all Facebook users to make this a default setting.

Two-factor, also known as strong authentication, is another layer of protection that addresses the outdated model of the "username and password" for authenticating a user, a model that far too many websites still use today and provides little to no security. Two-factor authentication works by requiring a user to provide not just a username and password, but also a unique, one-time use security code generated by a user's authentication credential. The credential can sit within the user's web-accessing device of choice (ie: their laptop or iPad), or within a mobile phone or other form factor that generates a one-time code at the press of a button. [See example: Symantec's VeriSign Identity Protection (VIP) Authentication Service]

According to the Facebook blog post announcing their new security tools, their strong authentication is only required when a user logs on from a new device or computer for the first time. Although this is a step in the right direction, requiring users to authenticate every time they logon to Facebook with a one-time security code would be far more impactful by offering greater levels of security.

The adoption of these features by Facebook provides a much needed layer of security to its users and should be considered by the growing number of social networking websites that have quickly become a favorite target of fraudsters and identity thieves. We are excited to see these steps being made; now, it's a matter of educating users on why the opt-in security settings are important and how to turn the settings on.

The RSA Conference 2011 at the Moscone Center in San Francisco has officially kicked off and the VIP team is starting the week off strong. Our VeriSign Identity Protection (VIP) Authentication Service is part of several exciting announcements this week and below is a brief look at what's in the news.

Ping Identity Integrates VIP to Deliver Cloud-Based Authentication with Single Sign-On
Ping Identity announced that it has integrated VIP into its PingFederate identity federate suite. The PingFederate Integration kit for VIP creates a solution that enables enterprises to secure remote workers with strong authentication, while providing them a single online identity with single sign-on across both internal applications and almost every leading cloud application. The complete press release can be found here.

Yubico Integrates VIP to Strengthen Secure Online Login Options
Yubico announced that its YubiKey USB authentication key is now available with VIP strong authentication. VIP and Yubico have simplified the process of logging in with a one-time password (OTP). Instead of requiring a user to re-type OTPs from a display device or token, a YubiKey is inserted in the USB-port of any computer and the OTP is generated and automatically entered with a simple touch of a button on the YubiKey, and without the need of any client software or drivers. You can fine the complete press release here.

VIP Teams Up with MasterCard and NagraID Security to Provide New Payment Card Security
Symantec, MasterCard and NiagraID Security jointly announced today that strong authentication is now available to MasterCard users worldwide. Recently launched in Europe and Asia, the new MasterCard Display Card is leveraging VIP strong authentication and NagraID Security card technology to provider credit and debit card users with greater levels of security. With the combined security technologies built-in to the new MasterCard Display Cards, cardholders, issuers and merchants are further protected from online fraud and identity theft. For additional details, the compete press release can be found here.

OATH Announces Certification Compliance Program
The Initiative for Open AuTHentication announced it has started the OATH Certification Compliance Program (OCCP). The new OATH program will verify and certify vendor products, like VIP, for conformance with the criteria specified in OATH certification profiles. Symantec supports and is a member of OATH. You can find the complete press release here for more details.

If you're attending this year's RSA Conference, please be sure to stop by all of the Symantec booths, #1316, #1416 and #1426. Also be sure to follow us on Twitter @VeriSignAuth

Today Symantec announced that it has been selected by Intel to integrate our VeriSign Identity Protection (VIP) credential into the Intel Identity Protection Technology (IPT) platform, found in select 2nd generation Intel Core processors. You can find the complete press release here for full details.

The combination of VIP and Intel IPT creates a new class of strong authentication credential for PC users that is embedded into the Intel chipset. Now VIP and Intel IPT can help prevent unauthorized access of important information and person accounts. This new credential form factor provides a highly secure, easy to use and cost-effective way to implement strong authentication. This eliminates the need to purchase, replace or download authentication credentials and makes the implementation of strong authentication easier than ever before.

For those attending next week's RSA Conference in San Francisco, be sure to attend the panel discussion titled "Who Are You? When Security Hinges on Identity" moderated by Francis deSouza, senior vice president of the Enterprise Security Group at Symantec and includes George Thangadurai, general manager of PC client services at Intel. The panel will be taking place on Thursday, February 17 at 4:00 p.m. in Moscone North Hall D. To view a demo of the VIP and Intel IPT technologies, please visit Symantec booth #1426 at next week's RSA Conference.

According to a recent story in SearchSecurity.com UK, the EU Emissions Trading System was recently suspended by the European Union following what was described as "recurring security breaches in national registries over the last two months." The thefts involved $38 million worth of carbon credits.

Bloomberg reported that the latest breach occurred at Prague-based Electricity Market Operator (OTE), a government owned energy trading platform where over $7 million worth of carbon credits had been stolen and sold in the open market.

The Bloomberg story also reported that the OTE was due to introduce additional security measures on January 19th but the breaches occurred before they were able to do so.

The carbon credit market is poised for growth but with that will also come the growth of carbon credit fraud. Unfortunately, the carbon market looks to be a very lucrative market for hackers and cyber criminals. Without the implementation of additional layers of security, like strong authentication, more incidents like these are possible.

According to a recent Forrester report, commissioned by Symantec, only 30 percent of enterprises use strong authentication as the primary method for authenticating employees and contractors into a corporate network. The report helps shed light on the shortfalls of today's outdated network access policies and steps that can be taken to create a more secure enterprise. The full report and supporting information can be found here.

In the video below the Bay Area ABC affiliate interviews Atri Chatterjee, vice president of Symantec's User Authentication group, to provide commentary on this story and the security vulnerabilities that come with simple "username and password" type authentication.

The Forrester commissioned report is part of a new Symantec initiative called Strong Authentication for Enterprises (SAFE), developed to provide enterprises with third party research that looks at the activities "open" enterprises do every day by allowing access to company resources.

The Forrester report titled "Enhancing Authentication to Secure the Enterprise," looks at how enterprises can address their authentication and security practices as the adoption of cloud computing, collaboration tools and mobile device usage becomes more commonplace within the enterprise. In addition to the Forrester report, you can also read the Symantec action paper: 5 Essential Steps for Implementing Strong Authentication in the Enterprise here.

In addition to the Forrester report and our action paper, register here for our upcoming live webcast "Authenticating Your Open Enterprise: Common Myths and Critical Recommendations" on January 26 at 11:00 am PST / 2:00 pm EST with Jonathan Penn, vice president at Forrester. You can also listen to our podcast discussion with Jonathan Penn and Atri Chatterjee, vice president of User Authentication at Symantec, with an in-depth analysis of the findings of the report.

The recent Gawker database breach is yet another reminder of the weakness of the traditional "username and password" form of security. Previous database breaches, like this one, have shown that users do not realize how vulnerable they are making themselves and potentially their employers to identity and data theft by using weak passwords.

Steve Ragan of the Tech Herald wrote a story that includes a list of the top 250 passwords used by the Conficker Worm that you can read here. The list of passwords is truly impressive and includes many of the classics such as, "12345," "qwerty" and of course "password." It is surprising and concerning that these passwords continue to be used time and time again.

With the exposure of all of these passwords, we can't help but emphasize the value in providing strong (or two-factor) authentication with solutions like our cloud-based VeriSign Identity Protection (VIP) Authentication Service. Strong authentication can be especially critical to the enterprise where mobile employees, partners and customers are logging in and accessing sensitive data.

As these types of breaches continue, more and more enterprise and consumer users will be put at risk. The "username and password" system is an antiquated system that can't be relied on to protect sensitive information. Additional layers of security are needed to protect users, enterprises and sensitive data and that starts with adding strong authentication.

The challenges for banks to consider are all of the potential vulnerabilities in their implementation to better mitigate risks effectively while managing the delicate balance between extra layers of security vs. user experience.

Here are a few recommendations we suggest bank and financial institutions may want to consider:

- Deploy strong or two-factor authentication that goes beyond the traditional username and password. If username and password are compromised, the fraudster still needs the second factor to gain access to an account. With our VIP mobile SDK, banks can enable a silent user experience for a second factor of authentication allowing greater security without negative impact to usability.

- Implement fraud detection and transaction monitoring. If a hacker passes the front door, real-time fraud detection services can automatically detect novel attacks by recognizing abnormal behaviors in user behavior to help recognize an attack.

- Avoid storing sensitive personal information on mobile devices which can easily be retrieved. For any information that a bank may require users to store on their mobile devices, banks should leverage platform secure storage with various encrypted and obfuscated techniques.

To find out more about the solutions that can help protect your bank and customers, check out these resources:

Resources:
VeriSign Identity Protection (VIP) Authentication Service
Mobile SDK
Fraud Detection Service (FDS)

There is no silver bullet security solution or service that will protect everyone from everything. However, banks and other financial institutions should always consider a layered approach to protect themselves and their customers.

The finalists for the SC Magazine Awards 2011 were announced this week and we were pleased to see that the VeriSign Identity Protection (VIP) Authentication Service made the list for the "Best Multifactor Product" category. This is the second year in a row that VIP has been named a finalist within the multi-factor product category.

The SC Magazine Awards will be announced on February 15, 2011 in San Francisco during the week of the RSA Conference. A full list of categories and finalists can be found here.

The launch of Microsoft's Windows Phone 7 took place to a lot of positive buzz. The long awaited new mobile OS from Microsoft offers some great new features on new handsets from Dell, Samsung, LG and HTC just to name a few. New phones with a new Windows OS just in time for Christmas (only 2 months a few days of shopping time left incase you were wondering).

With the launch of Windows Phone 7, the VIP Team is very excited to make available the VIP Mobile SDK for Windows Phone 7. We have been working hard to support just about every mobile platform available including Android, iPhone and Java 2 Micro Edition (J2ME). The availability of our Windows Phone 7 SDK is great news for developers that want to add strong authentication to their mobile applications.

Whether it's for consumers or the enterprise, mobile application developers can now leverage our Windows Phone 7 SDK to embed the VIP Mobile credential into their mobile apps for a seamless strong authentication user experience.

To download our Windows Phone 7 SDK, or any of the VIP SKD's, click here for full details.

This week Facebook announced that they have begun rolling out one-time passwords (OTP) to their users as an added layer of security. Facebook is providing OTPs to help protect its users while on public computers like those at coffee shops, libraries, hotels and airports. For Facebook users looking to take advantage of this, they'll need to have a mobile phone number in their Facebook account and by texting "otp" to 32665 they will receive a one-time use password that last for 20 minutes.

For quite some time VeriSign, now part of Symantec, has been educating consumers and enterprises on the need and value of OTP. Our cloud-based VIP Authentication Service allows enterprises to secure online access and transactions and reduce fraud risk. Let's face it, a username and password provides absolutely no security but that's exactly what most people are currently using and relying on to protect their data.

A recent survey points to some interesting and somewhat scary password related statistics including:
• 4 in 10 survey respondents stated that they shared passwords with at least one person in the past year.
• Nearly as many people use the same password to log into multiple Web sites, which could expose their information on each of the sites if one of them becomes compromised.
• 2 in 10 surveyed have used a significant date, such as a birth date, or a pet's name as a password - information that's often publicly visible on social networks.
• 14 percent never change their banking password.
• 30 percent remember their passwords by writing them down and hiding them.

One thing to consider is that the Facebook OTP offering only works with Facebook. What about the other websites you visit and login to everyday? One of our goals has been to eliminate the need for multiple OTP credentials by providing a unified strong authentication token that can be used across multiple services. Our VIP Network is a great example of how one OTP credential can be utilized across a number of websites. The VIP Network Members include eBay, PayPay and Geico just to name a few.

So what does it all mean? The Facebook OTP announcement is yet another proof point that strong or two-factor authentication is not only valuable but it has become a necessity to help protect anyone logging on to a website or network that contains personal or sensitive data. Cyber criminals are out there with the simple goal of stealing your personal and/or work related information and most people are currently making it a very easy and lucrative proposition for them. Thinking that the "username and password" system provides enough protection is like thinking that a screen door on a submarine will keep the water out. Neither of the two is very safe or secure.

To download a FREE VIP mobile OTP credential for your Android®, iPhone®, Windows Mobile®, BlackBerry® handsets or most of the devices using the Java 2 Micro Edition (J2ME) and BREW platforms, click here for more details.

At this week's RSA Conference in Europe, Qualys announced that it will now offer its customers strong authentication protection with our VIP Authentication Service. VIP will provide users of QualysGuard® a safer and more secure way to access and manage their accounts.

Qualys is the latest VIP customer to implement our leading cloud-based authentication service that allows enterprises to secure online access and transactions to obtain compliance and reduce fraud risk. As with VIP, QualysGuard is a SaaS service that requires no on-premises hardware to purchase and deploy. Both companies are continually striving to make the adoption of cloud computing safer and easier for organizations of all sizes.

To download a FREE VIP mobile credential for your Android®, iPhone®, Windows Mobile®, BlackBerry® handsets or most of the devices using the Java 2 Micro Edition (J2ME) and BREW platforms, click here for more details.