Exploring multiple-factor authentication in the consumer market

password authentication DXC Blogs

When Odysseus meets his family again after a decades-long journey, he must undergo many obstacles to prove himself the true ruler of Ithaca and legitimate husband of the queen, Penelope.

New suitors and imposters are striving to take possession of the throne and its assets. But Odysseus, the architect of the Trojan horse, is aware of the exceptional perspicacity of his wife. He knows that reconquering the throne will require both strength and wisdom in the form of a multiple-factor challenge.

The aged but yet-robust Odysseus starts by identifying himself to his son and his mentor. He speaks with knowledge that only the real king could have. Experiences and scars from his youth help sway allies to his side in the plot to regain the house. And the crucial verifying point is when, at a suitors’ contest, he shoots a bow spear through a row of axes – a unique skill only he can claim – empowering him to rightfully slay the traitors and access the throne as the returning ruler.

In this day and age, we no longer require battle scars and bow spears to prove our identity. But multiple-factor authentication is necessary — even more so — in the digital world, as the classic, single, static password method has become prone to attack. Multiple-factor authentication is expanding rapidly over the consumer market, especially in banking and financial services. The growth is in response to increased threats, as well as growing consumer concerns for personal privacy.

Creating vulnerabilities

Aspects such as identity chaos – when users choose the same password for professional and private accounts, also known as  password fatigue – combined with the transmission of credentials through insecure networks and systems expose vulnerabilities that attackers can easily exploit.

In a previous experience in security assessment, I learned how simple it is to read clear-text credentials of a subscriber within a public telecommunication network, something police can do lawfully during an investigation. The simplest fix is to employ robust “https” connections, although, in many cases, the service, hardware and software providers commit a number of mistakes in the public key infrastructure (PKI) development, or simply neglect encrypted communication. Other weaknesses, such as keylogging, the use of kiosk machines and other social engineering tactics, also expose end users to identity theft.

What’s the fix?

One lesson is to never trust a network you do not manage. Service providers need to continually undertake a defense-in-depth approach to protect customers and brand reputation.

One of the most cost-effective methods is multi-factor authentication — using an additional, parallel channel for one-time passwords that expire in a short time and supplement traditional passwords.

Multi-factor authentication is not new to the general public. We’ve all had to answer simple, static security questions (e.g., what’s the name of your first car or favorite band?) or deal with printed authentication numbers or lists for banking applications (usually called TAN).

More recently, the banking industry and private companies introduced hardware tokens for customers and employees to access financial services or the intranet. These methods enhance authentication for users, however some of them neglect the authentication of the transaction. Security technologist Bruce Schneier published an article on the mistake of focusing efforts on users alone, ignoring the need to authenticate the transaction.

Regardless of the purpose or nature of multiple-factor authentication, any approach should take into account the fact that security is only as strong as its weakest link. And one of those weak links is printed and on-display one-time passwords. While the malicious user may know the static password, the social engineering attacker may also have access to the office or the briefcase with the token of the victims. Thus, unauthorized access to their IT assets is a straightforward task.

Although more secure hardware mechanisms such as PIN-protected tokens exist, their deployment in a large consumer market can rapidly shoot up the price of the solution. A more cost-effective approach today is to leverage appropriate apps on smartphones.

One-time passwords (OTP) received by SMS on “dumb” phones had been a widely accepted approach in the recent past. But again, easy device passwords and non-PIN-protected SIM cards containing the mobile number leave the Pandora box open to intruders.

After the boom of both iOS and Android, and the reduction of phone hardware prices, it became easier to increase defenses via multi-factor authentication, but it has not yet been fully exploited by service providers in the pursuit of serious end-customer security.

Smartphones make biometric techniques, such as fingerprint, face, iris and voice recognition, possible. But several studies have concluded  that multi-factor authentication through biometrics still has a lot of flaws. Simple home-made experiments can easily prove that smartphones can be unlocked using a picture of the user or a recording of their voice.

A more interesting alternative uses the smartphone as a local or remote OTP (one true pairing) generator. When a company tries to deploy OTP through smartphones, the physical security of the device is always an issue. But, the device can be forced to follow enhanced policies in the network, application and OS layers (or all of the above), depending on the sensitivity of the information asset.

The SMS method for smartphones, even with 3G/4G mobile operator infrastructures, can be trusted if the device is obliged to obey robust SIM coupling and screen-locking policies. For the applications protection, the OS can be configured to remotely wipe the device if it has been rooted and delegate near-field communication bases or Bluetooth-supported multi-factor authentication to secure automatic applications. All of this can be done because of smartphones’ capability to be enrolled in a mobile device manager (MDM).  This feature can be associated with the security policy that the customer or the provider has chosen.

MDM’s are not exclusive to corporate use. Major smartphone manufacturers ship reduced versions of MDM software that enable end-customers to access high-end security features for their devices. Financial, insurance and e-commerce companies can access these same features through tailored MDM functions to fulfill the security requirements of their markets.

A cost-effective – and in terms of Chinese wall networking, a more secure alternative to an in-house MDM infrastructure –  is a cloud MDM that can provide an enhanced level of security by separating two domains of authentication infrastructure.

MDM mounted in the cloud preserves the security of the application and reduces the cost of owning the underlying infrastructure for customers. Cloud-based OTP infrastructure also minimizes the risk of a stand-alone multi-factor authentication (MFA) generator within the device. That risk is because any product that provides OTP offline, with or without using app containers, is prone to reverse engineering via virtual or physical cloning. A cloud-based MDM/OTP solution circumvents the risk of reverse engineering by delegating all OTP generation to the remote systems, while the device security is strengthened by the underlying MDM policies.

This chart shows several MFA technologies mentioned in this article, representing their security capability in terms of the reliability of authentication factor type (e.g. printed OTP, biometric data, remote OTP).

MFA Chart

Seven technologies are illustrated. The larger the bubble, the more valuable the core technology security.

The increasing governability spans from less- controllable methods, such as TAN lists and hard tokens, through technologies such as SMS, biometrics and soft token in OS container, that protect against more robust against attacks such as social engineering. In other solutions, such as security questions and MDM/OTP cloud infrastructure, the authentication system has complete control over the multi-factor process.

The cost axis illustrates the infrastructure expenditure, not taking into account the smartphone price, which is distributed among other enterprise objectives or can be dismissed in a bring-your-own-device model. Less costly solutions are characterized by security questions, approaches, biometrics, SMS and TAN lists. The top range is defined by soft token in OS container and MDM/OTP cloud infrastructure, while the most expensive solution is represented by hard tokens.

To sum up, several combinations are possible with the aim of providing several grades of MFA security. By characterizing user types, companies can integrate technologies based on the security needs. And with increasing deployment of cloud technologies, the virtualization of MDM and OTP servers permits a physical separation of MDM/OTP networks for different business divisions or subsidiaries. This approach also allows for the alignment of corporate security policies by replicating the base framework.

The combinations and possibilities are vast. The race for more end-customer security has begun, and the growing awareness of security challenges by the general public poses will drive the next-generation of secure, logical transactions for both corporate and public web services.


Roberto Vera is a Senior Security Architect, specialized in business continuity, corporate and information security management, as well as in several cyber consulting areas around risk management for DXC in Germany.

RELATED LINKS

Contextual authentication offers just the right amount of mobile security

Cool security tools your mobile workers just might use

Leaked U.S. cybersecurity order focuses on workforce development

Trackbacks

  1. […] Exploring multiple-factor authentication in the consumer market […]

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: