The Case for Securing Remote Access Protocols Through 2FA

SDO Marketing Staff | November 7, 2017

Most online businesses rely on one or more Internet-connected servers to store company data and host websites and services. And if you’re like most companies, you’ve configured those servers for remote access, so that you can configure and update their software, run maintenance tools and monitor their performance.

But how can you make sure that only you can access the critical functionality and information of your servers?

Remote access protocols such as Remote Desktop Protocol (RDP) and Secure Shell (SSH) are an essential part of running online servers. They make maintenance far more flexible by removing the need for physical access to the machines. In the case of servers running on cloud platforms such as Amazon Web Services and Google Cloud, remote access protocols (alongside the provider’s own management console) are your only gateway to your organization’s servers.

However, remote access protocols are a double-edged sword. By enabling any form of remote access to your servers, you’re also exposing that same entry point to cybercriminals and other uninvited parties.

How do you prevent remote access protocols from being hacked?

There are traditionally two methods to shrink the attack surface of your servers and make it harder for attackers to break into them remotely:

  • Limiting access by IP address: Restricting the range of source IP addresses that may reach the remote access ports (at the firewall, or in the service itself, for example with sshd’s Match Address blocks) ensures that attackers cannot even attempt a login from an arbitrary computer.
  • Using strong passwords: Long, random passwords make brute-force and password-guessing attacks impractical, especially when combined with rate limiting or lockout after repeated failures.

The effectiveness of these methods is limited. Limiting IP address ranges also limits your own access to your servers, which becomes a problem when your administrators are geographically distributed and work from changing addresses. The resulting administrative friction tends to end with ever-wider ranges being allowed, undermining the protection you set out to achieve in the first place.

As for complex passwords, they put extra strain on the administrators of your servers, who already juggle a plate full of complex passwords and are therefore prone to reusing them and to making configuration mistakes. Moreover, no matter how complex a password is, it is of no use if the operator using it falls victim to a phishing scam, in which attackers trick the user into handing over the password to the server or other critical assets. Man-in-the-middle attacks, in which an attacker inserts themselves into your communication channel and reads the traffic, are another way even the most complex password can be captured; SSH and RDP only defend against this when the client actually verifies the server’s host key or certificate, so a host-key or certificate warning that was clicked through is exactly the opening such an attack needs.

How two-factor authentication can secure remote access protocols

Two-factor authentication (2FA) adds a layer of security to your remote servers by requiring users to complete an extra step when logging in through remote access protocols. This second step usually means plugging a USB security key into the computer, or typing in a one-time passcode that was sent to an enrolled mobile phone or generated by an authenticator app on it.

2FA fills the gaps left by the methods in the previous section. Without the second factor, an attacker who has stolen or brute-forced the password, or who has reached a computer inside the allowed IP range, still cannot complete a login. The caveat is that a passcode typed into a prompt can be phished just like a password, so it must be short-lived and single-use, and the server must refuse a code it has already accepted.
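The following is an added illustration of the one-time-passcode second factor just described, written for this edit; it is not code from Secret Double Octopus and not how the Octopus Authenticator works. It implements RFC 4226 HOTP and RFC 6238 TOTP (the scheme behind common authenticator apps and PAM TOTP modules), and shows the checks a server must add on top of recomputing the code: a constant-time compare, a small clock-skew window, and a replay guard so a phished or shoulder-surfed code cannot be reused. The shared secret is the RFC test-vector key, embedded as constructed sample input so the file runs offline; `login`, `TotpVerifier` and the plaintext `stored_password` (standing in for a password-hash check) are this example’s own names.

```python
"""RFC 6238 TOTP generation and server-side verification (added example)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30        # seconds per time step (RFC 6238 default)
DIGITS = 6       # passcode length most authenticator apps use
WINDOW = 1       # also accept the neighbouring steps to absorb small clock skew

# Constructed sample: the RFC 4226/6238 test key b"12345678901234567890",
# written as the base32 string a provisioning QR code would carry.
SAMPLE_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret from a provisioning URI/QR code (padding optional)."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """The server side (what a PAM TOTP module does) beyond recomputing the code."""

    def __init__(self, secret: bytes, step: int = STEP, window: int = WINDOW):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1   # highest time step already accepted for this account

    def matching_counter(self, code: str, at: Optional[int] = None) -> Optional[int]:
        """Return the time step the code belongs to, or None if it is wrong or replayed."""
        if not (code.isdigit() and len(code) == DIGITS):
            return None
        now = int(time.time()) if at is None else at
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            # A step at or below the last accepted one is a replay: a passcode that a
            # phisher or shoulder-surfer captured must not be usable a second time.
            if counter <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                return counter
        return None

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        """Accept the code and burn its time step so the same value cannot be reused."""
        counter = self.matching_counter(code, at)
        if counter is None:
            return False
        self.last_counter = counter
        return True


def login(stored_password: str, verifier: TotpVerifier,
          password: str, code: str, at: Optional[int] = None) -> bool:
    """Both factors are required: a stolen or brute-forced password alone fails.

    The passcode is consumed only after the password matched, so a wrong password
    cannot burn the code the legitimate user is about to type.
    """
    if not hmac.compare_digest(stored_password.encode(), password.encode()):
        return False
    return verifier.verify(code, at)


if __name__ == "__main__":
    secret = secret_from_base32(SAMPLE_BASE32)
    print(totp(secret, 59))                                      # 287082 (RFC 6238 SHA-1 vector)
    v = TotpVerifier(secret)
    print(login("hunter2", v, "hunter2", totp(secret, 59), 59))  # True
    print(login("hunter2", v, "hunter2", totp(secret, 59), 70))  # False: same code replayed
```

The window of one step either side is why a code captured by a phisher is still live for up to about a minute; the replay guard closes that gap only after the real user has logged in, which is why a push-approval or hardware-key factor that never exposes a typed secret is the stronger choice.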

However, while 2FA has been around for a while, its deployment is often skipped, because many users find the extra step annoying and excessive. They dislike typing in an extra passcode every time, and they worry about carrying around a physical key that might get lost.

To this end, Secret Double Octopus has created a unique authentication method that fixes the flaws of traditional 2FA mechanisms. The Octopus Authenticator mobile app associates a remote server account with your smartphone. Whenever a login attempt is made to your account, an access request is sent to your phone, which you can reject or accept with a swipe. No extra passcodes are required. Octopus Authenticator uses a proprietary multi-channel technology to make sure request attempts cannot be intercepted or reproduced on other devices. The app can be used as a second factor, or can replace passwords altogether and become the main way you log in to your remote servers.

This method combines the convenience of password-less authentication and the security of two-step verification, giving users a frictionless experience while protecting your remote servers from malicious hackers.