Security Watch

Keeping track of patches and hacks in the IT security world.

Windows Azure Cloud Platform Gets Two-Factor Authentication--Big Time

NEWS ANALYSIS: At long last, Microsoft's Windows Azure multifactor authentication system lets users set up real security to protect cloud account access.


Whenever anyone asks me if the cloud is secure, I typically have a very simple answer: The cloud is no more and no less secure than the controls that enterprises, users and cloud providers put in place.

Until this week, I did not consider the Microsoft Azure cloud to be particularly secure. That's not because I think Microsoft is doing a bad job with security, but rather because I believe that users are always the weak link. More often than not in my experience, a single username and password is exploited and can lead to a breach affecting millions of users.

That's why two-factor authentication is a must-have, and it is now something that Microsoft's Azure cloud does have in a very robust way.

With two-factor authentication, instead of relying on a single username and password to secure access, a second factor is employed to authenticate a user. So even if a user has a weak password that is cracked, or even if a password database is lost or stolen, an attacker still will not have access.

Microsoft, which announced general availability for Windows Azure multifactor authentication on Sept. 26, has made three options available as part of its multifactor authentication system. One option is the use of a separate application that generates the second factor. Another available option is the use of a text message (SMS) sent to the user's mobile phone that includes the second factor. The third option is an automated voice call that provides the user with the required second-factor authentication.

What all those methods aim to provide is also a degree of randomness, which I have long argued is the key to security as well. So instead of just having a single static password and then perhaps a second static password as the second factor, the second factor is random. By being random, it dramatically increases the complexity of the password pair and makes it significantly harder for any would-be attacker to gain unauthorized access.

Multiple vendors in the consumer space, including Google, Facebook, Twitter and even Apple, have all implemented various forms of two-factor authentication to help secure users.

Microsoft's approach on Azure is somewhat different than what the consumer services are currently offering. With the Windows Azure multifactor authentication system, a cloud administrator can now enable two-factor authentication across cloud applications hosted on Azure. That's right, it's not just about access to Azure; it's also about the applications you host on Azure, too.

This isn't a free service. Microsoft is now offering Windows Azure multifactor authentication on a number of different price plans, starting with a $2 per month per user option.

For users who want to roll their own two-factor authentication system in the cloud, there are lots of options that I've experimented with, including the open-source LinOTP project. But I suspect that when it comes to Azure and the types of users who prefer to use Windows, Microsoft's new security service will be an easy service to adopt that will help to quickly improve cloud security.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.