GlobalSign Blog

04 Dec 2014

Bringing Two-factor Authentication to Code Signing with New EV Certificates

Single factors of authentication (e.g., username/passwords) have proven time and time again to be unreliable. Adding a second factor can significantly decrease the risk of breach (in the case of user authentication) or fraudulent use (in the case of digital signatures for documents and code).

Two-factor authentication has become increasingly popular for user authentication, and many companies are starting to build it directly into their applications and programs to encourage adoption (e.g.,MicrosoftTwitterGoogle), but we're excited to announce the best practice has finally made it to the developer community in the form of EV Code Signing certificates.

Note: If you're wondering about two-factor options for digitally signing documents, Adobe CDS-compliant certificates are always stored on a password-protected USB token.

EV Code Signing - Two-factor authentication by default

With standard code signing certificates, the private key is usually stored locally in your system's certificate store. As dictated by the CA/Browser Forum, EV Code Signing certificates have to be stored on a password-protected USB token. This is where the two-factor authentication comes in - you need both the token (something you have) and the password (something you know) before you can apply the signature, making it much more difficult for malicious parties to steal signing credentials from legitimate developers and use them to distribute malware.

Sure, there's nothing stopping you from putting your standard code signing certificate onto a USB for added protection, but how likely are you to actually do that? And would you go the extra step to password protect it? EV Code Signing takes the responsibility off the users' shoulders and builds it into the process from the get go. This is why we're so excited - it's not up to the users to determine if they should add a second layer of security; it's done for them from the beginning.

Other new features of EV Code Signing

While we're most excited about the 2FA aspect, we'd be remiss if we didn't mention the other security upgrades included with EV Code Signing.

Expanded Identity Verification

The application process for EV is more thorough than that for standard code signing certificates, and includes verifying additional information such as the developer's physical address and type of organization. The more information that needs to be verified, the more difficult it is for a malware distributor to impersonate and acquire a certificate in the name of a legitimate publisher.

Immediate Reputation with Microsoft SmartScreen

Introduced in Windows 8 and Internet Explorer 9.0, Microsoft SmartScreen uses information about an application's reputation to warn end users if it isn't well known and may be malicious. Signing an application with an EV Code Signing certificate establishes immediate reputation. This means users will not be presented with scary warnings when launching your application's installer.

EV Code Signing Resources

We've expanded our code signing support, which already includes information on SDKs, intermediate certificates, and step-by-step instructions for applying a digital signature depending on your developer platform to include materials for EV Code Signing.

Compared to standard code signing, the steps for using an EV Code Signing certificate are slightly different for Java and Windows 7 and 8. Check out our new EV-specific guides for help:

Windows 7 and 8 - https://support.globalsign.com/customer/portal/articles/1698751-ev-code-signing-for-windows-7-and-8

Java - https://support.globalsign.com/customer/portal/articles/1702232-ev-codesigning-in-java

For instructions for the other platforms, check out our support site - support.globalsign.com.

Share this Post

Subscribe to our Blog