Financial Times Uses Varnish Software as a Multi-Factor Authentication Application


Varnish Software, a digital content delivery solutions provider, has supplied the Financial Times with Varnish Cache “to implement multi-factor email login for employees” in response to the increasing threat of phishing attacks. Varnish has also chosen to award the Varnish Award for Innovation to the FT in recognition of its use of Varnish Cache.

In May 2013, the Financial Times suffered a sophisticated email phishing attack which was hindered in part by their implementation of multi-factor authentication. In order to expand multi-factor authentication to all FT enterprise applications and combat future phishing attacks, the FT integrated Varnish with Google Apps two-factor authentication, allowing a Varnish Server to add a multi-factor authentication layer in front of any existing application.

The authentication layer proceeds in three broad steps:

  • Token-based access: Varnish refuses access to the web-server to any user without a valid, freshly issued token. Such tokens are only dispensed once a user has been verified by Google authentication and against the FT’s internal directory servers.
  • Verification: Executed in Varnish Configuration Language (VCL) and inline-C, the process checks the token against the regularly rotated public key.
  • Simple Replication: The entire process is wrapped into a Puppet module so that each FT development team can repeat this pattern for consistent identification, authorization and protection across key business applications.

“This innovative approach to multi-factor authentication, with Varnish Cache at its core, helps organizations ward off increasingly prevalent cyber attacks,” said Luke Blaney, software architect at the Financial Times. “Because of VCL, Varnish Cache is flexible and easy to configure. It was the ideal tool to make multi-factor authentication a reality for us.”

Varnish Cache is an open source HTTP accelerator used by more than 2.5 million websites, including The New York Times, The Guardian, The Hindu, Thomson Reuters, social media and content sites such as Wikipedia, Vimeo, and Tumblr. A sizeable 14% of the world’s top 10,000 websites use it.

Scroll to Top