Choosing the Right Authentication
On May 3, 2006, more than 26.5 million veterans' records, including names, birth dates and Social Security numbers, were stolen from a Department of Veterans Affairs (VA) computer.1 Consequently, the VA is conducting an inventory of personnel who have access to sensitive data, to be followed by new background reviews.
This and similar recent events:
- Confirm that identity theft has become one of the fastest-growing crimes.2
- Point to a more pervasive issue faced by many organizations: they are not prepared to guard access to sensitive information and customer data, nor are they able to safeguard against its download.
While the theft of the veterans' records is disconcerting, a more significant reason for concern will result if a criminal leverages this data for accessing victims' credit histories. Unfortunately, if this happens, criminals can commit fraud in many ways, including using that information to take advantage of credit card offers or to access online accounts.
Many financial institutions are aware of this threat and by the end of 2006, all depository institutions that provide Internet banking had to conduct a risk assessment to determine what safeguards they need to take to protect their customers' financial assets. While the Federal Financial Institutions Examination Council (FFIEC) does not endorse any specific authentication or risk assessment technology, it deems single-factor authentication inadequate for high-risk transactions that involve access to customer information or movement of funds to other parties.3
A tech-savvy reader might automatically associate strong authentication with technologies that involve hardware tokens and one-time passwords, while a more traditional reader might think of leveraging more conventional, out-of-band methods. Given the plethora of authentication technologies, this paper addresses the technology choices available for multifactor authentication, understood as a process of validating user access with more than one authentication criterion.
Because authentication technologies integrate with the applications they protect, this paper considers authentication methods not only from the security perspective, but also from the perspectives of implementation cost, portability and usability.
Security is the key concern for many institutions that provide online access to their users. Certainly, security was on the minds of regulators when they created the FFIEC guidelines about multifactor authentication for depository institutions.4 Online crime is a fast-growing trend driven mainly by "phishing," "man in the middle" and "brute force" attacks.
"Phishing" is a form of social engineering employed by an attacker who tricks the user into disclosing confidential authentication credentials, such as a user ID, password or social security number. Average monthly phishing attacks continue to rise and include mass e-mails sent to users, luring them to enter authentication credentials at a fake Web site.
For example, perpetrators set up a Web site that appears to be a legitimate online shopping site or banking institution. When unsuspecting victims enter their user IDs and passwords, the providers of the bogus Web site use this unauthorized access for their own shopping or bank transactions.
A "man in the middle" attack or "sniffing" attack involves someone spying on a user's online communications. Two common forms are network spying and Trojan horses installed on a user's computer or embedded in the browser.
Usually, spying software is installed on the end user's computer without him or her suspecting any illegal activity. The common distribution of such software is "malware," which is downloaded on the end user's computer through either unintentionally visiting a Web site that distributes this type of software in the background, or by downloading a "freeware" program that claims to entertain or provide some other functionality, but behind the scenes, collects sensitive information from the victim's computer.
Finally, a "brute force" attack consists of multiple attacks; the goal is to guess user credentials (e.g., user ID and password), using an automated system that generates multiple iterations of user ID and password combinations. Systems that do not implement account locking after a small number of incorrect password attempts are susceptible to this threat.
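The account-locking defense mentioned above, as an added example that is not part of the original article: a login gate that counts consecutive failures per user and refuses further attempts for a lockout period once a small threshold is reached. The credential check is supplied by the caller, so the gate can sit in front of any password store; the sample user table, threshold and lockout duration are constructed for the demonstration.

```python
import hmac
import time

# Added example (not from the article): a login gate that locks an account
# after a small number of consecutive failed attempts, which is the control
# the text names against automated user ID/password guessing.

MAX_FAILURES = 5            # consecutive failures tolerated before the lock engages
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts (assumed policy value)


class LoginGate:
    def __init__(self, verify_credentials, max_failures=MAX_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS):
        self._verify = verify_credentials   # verify_credentials(user_id, password) -> bool
        self._max_failures = max_failures
        self._lockout_seconds = lockout_seconds
        self._state = {}                    # user_id -> {"failures": int, "locked_until": float}

    def attempt(self, user_id, password, now=None):
        """Return 'ok', 'denied' or 'locked'. `now` can be injected for testing."""
        now = time.time() if now is None else now
        st = self._state.setdefault(user_id, {"failures": 0, "locked_until": 0.0})
        if now < st["locked_until"]:
            # While locked, refuse before checking the password: an automated
            # guesser learns nothing about whether a guess was right.
            return "locked"
        if self._verify(user_id, password):
            st["failures"] = 0              # a successful login resets the counter
            return "ok"
        st["failures"] += 1
        if st["failures"] >= self._max_failures:
            st["locked_until"] = now + self._lockout_seconds
            st["failures"] = 0
            return "locked"
        return "denied"


# Constructed sample credential table for the demonstration only; a real
# store would hold salted password hashes rather than the passwords.
_SAMPLE_PASSWORDS = {"alice": "correct horse battery staple"}


def sample_verify(user_id, password):
    stored = _SAMPLE_PASSWORDS.get(user_id)
    return stored is not None and hmac.compare_digest(stored.encode("utf-8"),
                                                      password.encode("utf-8"))


def simulate(guesses, now=0.0):
    """Run a list of (user_id, password) attempts through a fresh gate at time `now`
    and return the outcome of each attempt in order."""
    gate = LoginGate(sample_verify)
    return [gate.attempt(u, p, now=now) for u, p in guesses]


if __name__ == "__main__":
    print(simulate([("alice", "bad")] * 5 + [("alice", "correct horse battery staple")]))
```

Note that the correct password is also refused while the lock is in force; the lock is lifted only by the passage of time (or, in a real deployment, by a help-desk reset), so the guesser cannot tell a lucky hit from another miss.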
Intuitively, more costly systems should be more secure. However, cost is not only limited to the purchase of more hacker-proof applications; it also includes expenditures related to the investment required to architect, deploy and maintain the security solution. Conversely, if the highly secure system requires a high cost of implementation and also proves to be difficult to use, the online application might impose additional risks of unrealized benefits due to decreased user adoption.
We live in an age of rapid technological innovation. Within just the past five years, we have witnessed a move from desktop computers to laptops and other portable devices. As the edge of the corporate network becomes increasingly remote, online applications and their corresponding security will need to adjust accordingly to allow secure access to internal applications from mobile devices. That is why a good authentication method is not only a secure solution, but also one that supports all forms of application distributions. A scenario in which the same resources are accessible from a tightly secured Web interface, as well as from an unsecured handheld device, is unacceptable.
If the goal of online applications and e-commerce is to automate and simplify manual processes, associated authentication methods should not become a burden that slows the adoption of online technology or stops it altogether; some of the most secure systems could become unusable by the general public of computer-agnostic users. Risks of slow adoption and client loss should not outweigh the benefits of introducing more secure authentication methods. A convenient authentication technology should be as seamless as possible. So, too, should be the distribution and maintenance of the authentication credentials.
Many professional publications classify authentication mechanisms according to the following three categories:
- Something the user knows. Passwords or pass-phrases qualify for this authentication category.
- Something the user is. This encompasses all forms of biometric authentication including, but not limited to, fingerprinting, scanning of the user's retina, hand shape or facial recognition, as well as transaction anomaly detection (TAD) systems.
- Something the user has. This usually is related to token or smart card devices that the user must possess to authenticate to a secure system.
Multifactor authentication is a combination of two or more authentication solutions from any of the above categories, preferably with each "factor" chosen from a different authentication category.
Passwords are currently the most popular form of authentication. While password-based systems have been used for decades, they most likely will not be used in their current form for many applications in the future. Short, easy-to-crack passwords that never expire likely will be replaced by passwords that include special characters with a frequent expiration date. However, this shift increases risk in other areas. With the proliferation of complex passwords, users tend to reuse the same password for multiple applications, write them down, or make them more vulnerable to social engineering.
Pass-phrases offer a potential solution, as they are considered a more secure form of password authentication and generally are easier to remember. Nevertheless, in terms of security, both passwords and pass-phrases are susceptible to phishing and sniffing attacks, and frequently are targets of brute force attacks. In addition, the proliferation of password-based systems in today's enterprise can drive up password maintenance costs (e.g., forgotten passwords, reset, change, etc.) without a holistic identity management system.
Despite these challenges, passwords and pass-phrases offer many benefits in the domains of cost and portability. The deployment cost is fairly low, as this technology has been used for decades and is built into many application frameworks and enterprise systems. Furthermore, password authentication is very portable across multiple forms of devices, ranging from legacy systems and online Web applications to pervasive devices.
In addition, while passwords might be inconvenient when used across multiple systems deployed without a single sign-on solution, this form of authentication is well ingrained with the majority of users, and therefore, it is tolerated and generally accepted. In conclusion, while passwords are here to stay for the legacy systems, newly built systems are likely to leverage the other forms of authentication described in this paper.
With the virtual keyboard method of authentication, users enter their credentials on a virtual keyboard rendered by the application, clicking on virtual keyboard symbols instead of typing them on the actual keys of the computer keyboard. The keyboard form and shape change from session to session, making it more difficult to spoof in a phishing attack. However, it is still fairly susceptible to a man in the middle attack.
Virtual keyboards are relatively easy to implement and integrate into the majority of online Web or desktop applications, but their popularity, at least in the United States, is fairly limited. In addition, their impracticality and cost of deployment on pervasive devices increase with each new device the virtual keyboard must support.
Applications leveraging grid cards, which also are known as "bingo cards," prompt users for a code displayed at the intersection of randomly selected horizontal and vertical coordinates requested by the applications. Grid cards can have multiple forms, including a computer-generated image delivered via e-mail, or printed and distributed via mail.
Because the code is requested randomly and grid cards can be regenerated frequently, this form of authentication provides improved security to online applications. While grid cards are still susceptible to all the forms of attacks discussed earlier, if each login requires a new code, they provide a particularly good defense against phishing attacks. However, because they represent the form of "something the user has" authentication, they are susceptible to physical theft.
Overall, across the other domains of cost, portability and usability, grid cards provide a viable authentication approach on a similar scale to password-based systems. The cost of deployment is only slightly higher than the cost of password-based systems. Further, as the code requested by grid card authentication systems is just another form of a password, these systems are almost as portable and only slightly more cumbersome to use than the password-based systems.
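The grid card mechanism described above, as an added example that is not code from the article: the server issues each user a card of random codes indexed by letter rows and numbered columns, challenges every login with a freshly chosen cell, and accepts an answer only once. The card size, code alphabet and the `GridCardAuthenticator` class are assumptions made for the illustration.

```python
import hmac
import secrets
import string

# Added example (not from the article): server-side grid ("bingo") card
# authentication with single-use, randomly chosen challenges.

ROWS = "ABCDEFGH"
COLS = tuple(range(1, 9))
ALPHABET = string.ascii_uppercase + string.digits
CODE_LENGTH = 3


def generate_card():
    """Return a new card: (row, column) -> random alphanumeric code."""
    return {(r, c): "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
            for r in ROWS for c in COLS}


def render_card(card):
    """Plain-text rendering suitable for printing or e-mailing to the user."""
    lines = ["    " + " ".join(f"{c:>{CODE_LENGTH}}" for c in COLS)]
    for r in ROWS:
        lines.append(f"{r}   " + " ".join(card[(r, c)] for c in COLS))
    return "\n".join(lines)


class GridCardAuthenticator:
    def __init__(self):
        self._cards = {}      # user_id -> card held by the user
        self._pending = {}    # user_id -> coordinates of the outstanding challenge

    def enroll(self, user_id):
        """Issue a card; in practice it is then mailed or e-mailed to the user."""
        card = generate_card()
        self._cards[user_id] = card
        return card

    def reissue(self, user_id):
        """Replace the card, for example after it is reported lost or stolen."""
        self._pending.pop(user_id, None)
        return self.enroll(user_id)

    def challenge(self, user_id):
        """Choose a random cell for this login. Because a new cell is requested
        each time, a code captured by a phishing page is useless next time."""
        if user_id not in self._cards:
            raise KeyError(f"no card issued to {user_id}")
        coord = (secrets.choice(ROWS), secrets.choice(COLS))
        self._pending[user_id] = coord
        return coord

    def verify(self, user_id, response):
        """Check the answer to the outstanding challenge; the challenge is consumed
        whether or not the answer is right, so it cannot be retried or replayed."""
        coord = self._pending.pop(user_id, None)
        card = self._cards.get(user_id)
        if coord is None or card is None:
            return False
        return hmac.compare_digest(card[coord], response.strip().upper())


if __name__ == "__main__":
    auth = GridCardAuthenticator()
    card = auth.enroll("alice")
    print(render_card(card))
    row, col = auth.challenge("alice")
    print("Enter the code at", row, col)
```

Because the card is "something the user has", the server should pair this check with a password and, as `reissue` shows, be able to retire a stolen card immediately.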
One-time passwords (OTPs) are usually numerical IDs generated at predetermined intervals that are either manually entered into the applications or automatically populated through a USB device. Typically, the numerical ID is valid only for a short period of time (6-60 seconds), making it difficult to guess in a brute force attack.
If the applications leveraging OTPs request a new ID for each subsequent login, OTPs are impervious to sniffing attacks but still are prone to a man in the middle attack if the perpetrator hijacks the logon session. However, the distribution of token hardware usually is expensive. In addition, its portability is either limited to the type of connection (e.g., USB) required by the hardware manufacturer, or the user convenience is sacrificed by requiring that they type in a complex token ID. Thus, if OTPs are combined with a more traditional user ID and password authentication, the improved security does not outweigh the previously mentioned limitations.
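The two properties the text attributes to OTPs, a short validity window and a fresh code for every login, as an added example that is not from the article: a time-based code in the style of RFC 6238 (HMAC-SHA1 over a 30-second counter) and a verifier that remembers the last accepted counter so a code captured in one session is refused in the next. The `OtpVerifier` class, the one-step clock-drift allowance and the use of the RFC test secret are assumptions of this illustration.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Added example (not from the article): time-based one-time passwords with
# server-side replay rejection.

STEP_SECONDS = 30   # how long one code stays valid
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """HMAC-based one-time password for a counter value (RFC 4226 construction)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def totp(secret, at, step=STEP_SECONDS):
    """Time-based code: the counter is the number of whole steps since the Unix epoch."""
    return hotp(secret, int(at) // step)


class OtpVerifier:
    """Holds each user's shared secret and the counter of the last code accepted."""

    def __init__(self, step=STEP_SECONDS, skew=1):
        self._step = step
        self._skew = skew          # tolerated clock drift, in steps either side of now
        self._secrets = {}
        self._last_counter = {}

    def enroll(self, user_id, secret=None):
        secret = secret or secrets.token_bytes(20)   # 160-bit shared secret
        self._secrets[user_id] = secret
        self._last_counter[user_id] = -1
        return secret

    def verify(self, user_id, code, now=None):
        now = time.time() if now is None else now
        secret = self._secrets.get(user_id)
        if secret is None:
            return False
        current = int(now) // self._step
        for counter in range(current - self._skew, current + self._skew + 1):
            if counter <= self._last_counter[user_id]:
                continue   # that window was already used: a replayed code is refused
            if hmac.compare_digest(hotp(secret, counter), code):
                self._last_counter[user_id] = counter
                return True
        return False


if __name__ == "__main__":
    # The 20-byte ASCII secret is the RFC 6238 test-vector secret (assumed for the demo).
    demo_secret = b"12345678901234567890"
    v = OtpVerifier()
    v.enroll("alice", demo_secret)
    code = totp(demo_secret, time.time())
    print("first use:", v.verify("alice", code), "second use:", v.verify("alice", code))
```

The verifier only closes the replay path. As the text notes, if an attacker relays the freshly typed code within its validity window (a hijacked logon session), the code is still valid, which is why transport-level protection of the session remains necessary.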
Smart card technology was first introduced two decades ago by European telephone companies as a solution for reducing coin theft from pay phones. The deployment of smart cards continues to increase throughout the world, quadrupling in the number of deployments in 2003,5 with an adoption rate that continues to grow today. Smart cards' sophistication developed over the years to include a cryptographic coprocessor that supports complex encryption algorithms or a processing hardware for the previously mentioned OTP technology. Smart cards do not contain a battery and become active only when connected with a card reader.
Microsoft recently expanded its development around smart cards by enhancing and renaming its original product, from InfoCard to CardSpace.6 Microsoft's solution leverages not only the encapsulation of authentication credentials on the card, but also a sophisticated encryption and authentication assertion protocol. This allows other vendors to implement and store card information, unlike Microsoft's authentication precursor, Passport. Furthermore, CardSpace's encrypted credentials can be protected by a token, making this solution leverage two forms of authentication.
Smart cards represent a "something the user has" form of authentication, making them prone to physical theft, but when protected by a PIN or a password, they create a more secure combination of authentication credentials, satisfying the multifactor authentication requirements of the FFIEC guideline7 for certain types of transactions. However, considering that friends, neighbors and in-house employees commit almost 50 percent8 of identity thefts, this should be taken into account when deploying the technology for highly sensitive systems.
Furthermore, security around smart cards is not sufficient when authentication credentials are not handled securely by the protected application. For example, it is possible to boot up today's Windows system, which normally requires smart card authentication, in a safe mode with network support, and scan the system for passwords saved in the Internet Explorer browser.9
Smart cards also pose challenges in the cost domain; implementation is quite expensive and poses additional constraints on deployment engineers in the form of card distribution, reactivation and complex card life-cycle management. This technology requires card readers on PCs and entrance gates to buildings, as well as sophisticated server-side components for enforcing authorization.
Yet, in spite of these drawbacks, when combined with other forms of authentication, this technology improves application security and could be leveraged for e-mail encryption, electronic payment, VPN access and other tasks. For example, many companies leverage smart card technology for user authentication to their online systems (logical authentication) and access to buildings and parking lots (physical authentication), thus improving the user authentication experience. Therefore, if an investment is made in both physical and logical smart card authentication infrastructure, this technology is a good portable access control solution.
Another benefit of smart cards is that they are simple to use. Most users who are accustomed to ATM cards will have no problem using smart cards under normal authentication scenarios. However, it is worth noting that difficulties can be encountered once the card is lost or stolen, and a user requires an immediate replacement. The replacement of smart cards is more difficult than the replacement of other forms of authentication technologies, such as passwords or even OTP methods.
Out-of-band solutions leverage an operator confirming user identity via telephone or other communication device not being operated by the user conducting the transaction. Traditional forms of out-of-band verification of customer information, such as those conducted by a bank operator over the phone, are augmented by technology in the form of an OTP sent to the user via a Short Message Service (SMS) received on the customer's cell phone. Other forms of out-of-band authentication can leverage biometric voice recognition to accompany more simple user ID and password authentication.
However, out-of-band authentication's strength is limited to its authentication method. For example, if the user's confidential information is compromised, as in the case of the VA, the telephone operator can be spoofed into granting permission to access sensitive information to unauthorized individuals. This form of attack is called "pretexting."
Furthermore, voice biometrics can be recorded, and a cell phone receiving the SMS can be subject to physical theft. Out-of-band authentication is, however, immune to phishing attacks, but not to a man in the middle attack or a sniffing attack during the logon session.
Finally, the cost of deployment varies and depends on the out-of-band authentication method, but introducing automation in the form of voice recognition or SMS messaging could reduce the cost. Portability and usability also are satisfactory for end users when implemented correctly.
Biometrics is no longer a technology of the future, as it was once hailed. It is now becoming a convenient form of authentication for laptops and data centers. Biometric solutions range from fingerprinting and retina scanning to voice, face and hand shape recognition. Facial recognition can be proximity-based, providing an automatic login when the user approaches the scanner and logout when he/she steps away. While most users have been introduced to the fingerprinting and facial/voice recognition biometric systems, biorhythm systems are a novelty, at least in the American market. Biorhythm systems leverage the fact that the speed of typing a password by a hacker, including a brute force hacker, varies from the speed of typing the same password by the real user.
Biometric technology belongs to the category of "something the user is" authentication and is therefore immune to the majority of physical thefts. Biometric technology also is immune to most of today's phishing attacks, but still is a potential target for a man in the middle attack or browser sniffing. To protect against these threats, transport layer encryption (e.g., HTTPS using SSL certificates) should be leveraged.
However, when encountering a very sophisticated intruder, biometric solutions could present significant security risks. Imagine a fingerprinting authentication system. An intruder has an infinite number of opportunities to collect fingerprints from a targeted victim. Then, digitally stored biometric information in a central database could be searched and cross-referenced with other databases to make it easier to gain significant information about an individual beyond what is necessary for authentication into an online application.
This compromising of the centralized database of user biometric information could have a potentially disastrous impact on multiple forms of seemingly unrelated institutions, including police and immigration identification systems. While names and IDs can be changed, biometric data stays. Consequently, this is one of civil liberties groups' main arguments against the wide adoption of biometric technology.10
The difficulty of substituting biometric data poses another problem, as humans have only one set of biometric identifiers throughout their lives. The updating of this information in the case of a system reset or a user departing a company is difficult, as well. Portability and cost are often issues when implementing heterogeneous systems, as biometric readers need to be installed on front-end systems.
At the same time, when properly implemented, biometric readers provide a convenient form of user authentication. However, implementers should be careful not to sacrifice this convenience in combination with other, less convenient (e.g., password) forms of authentication when deployed in multifactor authentication situations.
Transaction Anomaly Detection
Already common in the credit card industry, these systems are now gaining more interest from the banking industry. Transaction Anomaly Detection (TAD) systems track customer usage to create a customer profile that is perpetually enhanced over time. Once a transaction falls out of the profile, an out-of-band authentication is invoked to verify the validity of the transaction with the user. TAD systems leverage either neural networks, self-learning modeling solutions that require a large set of habitual user information, or Bayesian algorithms, which can work with sufficient accuracy with a smaller set of training data. These systems are usually expensive to deploy, but do not require any training from the end user perspective, as they work at the back-end, supplementing more traditional front-end forms of authentication.
Some of the common profile patterns are not only related to the financial information around customer transactions, but also to the type of browser, common network configurations and geographical location of the initial request. TAD systems' ability to detect fraudulent transactions depends on the false positive ratio, which compares falsely identified transactions against truly fraudulent transactions. The higher the ratio, the better the systems are at identifying fraud. Overall, these are secure systems because they are deployed at the back-end and are immune to man in the middle attacks.
The cost varies greatly, based on the vendor implementation. In general, portability is well supported with most of the end user systems due to the server-side deployment. They also are very convenient for most users who fall well into the allocated stereotype, but could be quite inconvenient for users who suddenly fall outside of their profile, due to increased traveling or a change in their spending habits.
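The TAD control flow described above, as an added example that is not from the article: a customer profile built from past transactions, a score for how far a new transaction falls outside that profile, out-of-band confirmation when the score crosses a threshold, and a profile that learns only from transactions that were allowed or confirmed. The article notes that products use neural-network or Bayesian models; the rule-based scoring, weights, threshold and sample history here are constructed for the illustration.

```python
import statistics
from dataclasses import dataclass, field

# Added example (not from the article): a rule-based transaction anomaly
# profile with step-up to out-of-band verification.


@dataclass
class Transaction:
    amount: float
    country: str       # geolocation of the request
    browser: str       # browser family from the request
    hour: int          # local hour of day, 0-23


@dataclass
class CustomerProfile:
    amounts: list = field(default_factory=list)
    countries: set = field(default_factory=set)
    browsers: set = field(default_factory=set)
    hours: set = field(default_factory=set)

    def learn(self, tx):
        """Extend the profile with a transaction that is known to be genuine."""
        self.amounts.append(tx.amount)
        self.countries.add(tx.country)
        self.browsers.add(tx.browser)
        self.hours.add(tx.hour)


STEP_UP_THRESHOLD = 2.0   # score at which out-of-band confirmation is demanded (assumed)


def anomaly_score(profile, tx):
    """Return (score, reasons). The weights are illustrative, not tuned on real data."""
    score, reasons = 0.0, []
    if len(profile.amounts) >= 2:
        mean = statistics.mean(profile.amounts)
        sd = statistics.pstdev(profile.amounts) or 1.0
        z = (tx.amount - mean) / sd
        if z > 3.0:
            score += 2.0
            reasons.append(f"amount {z:.1f} standard deviations above usual")
    if profile.countries and tx.country not in profile.countries:
        score += 1.5
        reasons.append(f"new country {tx.country}")
    if profile.browsers and tx.browser not in profile.browsers:
        score += 0.5
        reasons.append(f"new browser {tx.browser}")
    if profile.hours and tx.hour not in profile.hours:
        score += 0.5
        reasons.append(f"unusual hour {tx.hour:02d}:00")
    return score, reasons


def decide(profile, tx):
    """'allow' or 'step_up', with the score and the reasons behind it."""
    score, reasons = anomaly_score(profile, tx)
    return ("step_up" if score >= STEP_UP_THRESHOLD else "allow"), score, reasons


def process(profile, tx, confirm_out_of_band):
    """confirm_out_of_band(tx) -> bool stands in for the SMS or phone check.
    Returns 'approved' or 'rejected'. The profile learns only from approved
    transactions, so that a fraudulent one does not reshape the baseline."""
    decision, _, _ = decide(profile, tx)
    if decision == "step_up" and not confirm_out_of_band(tx):
        return "rejected"
    profile.learn(tx)
    return "approved"


def build_sample_profile():
    """Constructed history: small daytime purchases from the US using Firefox."""
    profile = CustomerProfile()
    for amount, hour in [(40.0, 9), (55.0, 12), (62.0, 14), (48.0, 17), (70.0, 18)]:
        profile.learn(Transaction(amount, "US", "Firefox", hour))
    return profile


if __name__ == "__main__":
    p = build_sample_profile()
    print(decide(p, Transaction(52.0, "US", "Firefox", 12)))
    print(decide(p, Transaction(3000.0, "RO", "Firefox", 3)))
```

A minor change such as a new browser scores below the threshold and passes without friction, while a large purchase from a new country at an unusual hour is held for out-of-band confirmation; this is the trade-off the text describes between seamlessness for typical users and inconvenience for those whose habits suddenly change.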
Other Forms of Authentication
The above forms of authentication represent those that are most common today. Other forms of authentication are gaining popularity, especially from traditional security vendors such as VeriSign11 or Microsoft, in the form of high-assurance SSL certificates or secure networks. For instance, Microsoft's Internet Explorer (IE) 7.0 graphically identifies trusted and untrusted Web sites. Furthermore, Bank of America has deployed image recognition authentication technology for its Web applications that identifies itself to the user by displaying an image the user has preselected during the registration process. Similar to the Microsoft IE 7.0 approach, Bank of America has deployed a Web-based toolbar to facilitate the identification of phishing Web sites to the end user.12
While most of these technologies are not traditional forms of user authentication, they can present significant enhancements when combined with more traditional user authentication methods.
Table 1 compares multiple authentication technologies with respect to four evaluation criteria: security, cost, portability and usability. As previously stated, increased security comes at an increased cost; therefore, more secure authentication methods tend to be more expensive to deploy and maintain. Given this relationship between cost and security, the combining of two inexpensive solutions to form a multifactor authentication system could mitigate the security concerns of less expensive systems. The results also indicate that more secure solutions are less portable, with the exception of out-of-band and TAD systems, which are back-end systems that do not require changes on the application front-end. Increased usability comes at a cost as well, with the exception of password-based systems. While none of the evaluated authentication solutions are secure, portable and usable at an affordable cost, there is an optimal choice for specific requirements of each enterprise. This choice is usually not trivial and requires either consultation with vendor-agnostic experts or careful internal research before choosing to evaluate vendor solutions.
Table 1. Evaluation summary of authentication methods, derived from discussions with Gartner analysts, their accompanying research, and the author's industry expertise

Authentication Method                 Security  Cost  Portability  Usability
Password & Pass-phrase                    2      10        9           6
Virtual Keyboard                          4       8        5           5
Grid Card                                 5       9        8           5
One-Time Password (OTP)                  10       4        4           5
Smart Card                                8       4        4           4
Out-of-Band                               6       3        7           6
Biometrics                                6       3        4           9
Transaction Anomaly Detection (TAD)       8       4       10          10

Scoring: 10 = best, 1 = worst. A high score means safe (Security), affordable (Cost), portable (Portability) or usable (Usability).
Summary of Findings
The authentication strength provided by multifactor authentication should not be considered in isolation of the authentication systems. As indicated in the discussion about smart cards, strong authentication methods require the safe handling of authentication credentials. If the passwords are stored in plain text, for example, an intruder can compromise the online application with relative ease. While OTP solutions do not fix these issues of underlying operating systems, they are safer to use, especially if a new password is required for each subsequent login.
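The plain-text storage problem raised above, as an added example that is not from the article: the same credential table kept two ways, once as the weak design in which a copy of the table hands over every password, and once with a per-user random salt and a PBKDF2-HMAC-SHA256 digest, which a copy does not reveal. The class names, iteration count and sample passwords are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Added example (not from the article): credential storage, weak form beside
# hardened form, with a check of what a stolen copy of each table exposes.

ITERATIONS = 210_000   # PBKDF2 work factor (assumed); raise it as hardware gets faster


class PlaintextStore:
    """The design the text warns against: passwords kept as typed."""

    def __init__(self):
        self._passwords = {}

    def register(self, user_id, password):
        self._passwords[user_id] = password

    def verify(self, user_id, password):
        stored = self._passwords.get(user_id)
        return stored is not None and hmac.compare_digest(stored.encode("utf-8"),
                                                          password.encode("utf-8"))

    def dump(self):
        """What an intruder obtains by copying the table."""
        return dict(self._passwords)


class HashedStore:
    """Salted, iterated hash per user; only the digest is stored."""

    def __init__(self):
        self._records = {}    # user_id -> (salt, digest)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def register(self, user_id, password):
        salt = os.urandom(16)   # unique per user, so identical passwords hash differently
        self._records[user_id] = (salt, self._derive(password, salt))

    def verify(self, user_id, password):
        record = self._records.get(user_id)
        if record is None:
            self._derive(password, b"\x00" * 16)   # same cost for unknown users
            return False
        salt, digest = record
        return hmac.compare_digest(self._derive(password, salt), digest)

    def dump(self):
        return {u: salt.hex() + "$" + digest.hex()
                for u, (salt, digest) in self._records.items()}


def password_visible_in_dump(store, user_id, password):
    """True if copying the store reveals the password itself."""
    return password in str(store.dump().get(user_id, ""))


if __name__ == "__main__":
    for store in (PlaintextStore(), HashedStore()):
        store.register("alice", "Tr0ub4dor&3")
        print(type(store).__name__, password_visible_in_dump(store, "alice", "Tr0ub4dor&3"))
```

The hashed table still has to be defended against offline guessing, which is what the iteration count and per-user salt are for; the point of the comparison is only that the stored form no longer equals the secret the user types.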
Furthermore, although biometric solutions are very convenient, they require information that can be collected easily in public places, such as fingerprints, facial scans and voice recognition. While this information can be collected easily from a few individuals, it is unlikely that a perpetrator will be able to collect millions of data points, as is possible in the identity theft of today's password-based systems. However, while the password-based systems are relatively easy to correct when the password is compromised, biometric systems pose substantial challenges in these situations. The majority of today's biometric technology providers have not resolved these challenges.
Authentication technology alone will not guarantee a successful deployment, unless considered as part of a complete identity management process. In this environment, the total cost of ownership inevitably will be higher than the implementation and integration of a particular authentication technology to the existing systems. This cost is high even for today's simple password-based systems, and will only increase if a new set of devices and accompanied readers need to be rolled out.
The proliferation of pervasive devices opens additional opportunities for malicious use. Therefore, a good authentication solution provides an identical level of security to all entrances to protected systems. From this perspective, the back-end systems, such as TAD, score more favorably than the front-end authentication solutions.
If reducing the risk of an online application is a key concern for the selection of an authentication method, choosing a more straightforward authentication method to minimize the risk of losing customers should be a primary concern for business owners. Biometric solutions are, from this perspective, very user-friendly, as they do not require remembering passwords or carrying special cards or one-time password devices. However, the lack of standards around the interpretation of digitalized biometric information, civil liberties issues around collecting this information, and significant difficulties in replacing the biometric information when it has been compromised most likely will impede a more rapid adoption of this technology in the near future.
Deployment experts need to consider not only the strength of a particular authentication technology, but also the complete process associated with issuing the authentication device to the user, reducing its authorization rights, or issuing a new or temporary device. Imagine a frustrated user calling his home office in New York from San Francisco demanding access to his online system protected by a smart card a few minutes before he needs to deliver a business-critical client presentation. None of the smart card providers can address this scenario today. Thus, the back-end TAD systems, seamless to the customer, will most likely remain the most user-friendly authentication solutions.
Above all, the authentication type should correspond to the risks inherent in the online transaction the user credentials should protect. These risks are related to the potential loss of data, high deployment and continuous maintenance costs, and the loss of customers frustrated with the complexities of the new systems. Therefore, the best authentication technology is secure and easy to use. And if this technology is to become unambiguous, it requires the cooperation of multiple industry vendors, which often have competing market share interests.
Notes
1. Keizer, Gregg. "Thief Steals 26.5 Million Veterans' Identities." TechWeb. 22 May 2006. http://www.techweb.com/wire/security/188101069.
2. "How to Protect Your Good Name from Identity Theft." Federal Bureau of Investigation. 20 October 2004. http://www.fbi.gov/page2/oct04/preventidt102104.htm.
3. "FFIEC Guidance: Authentication in an Internet Banking Environment." Federal Financial Institutions Examination Council. 12 October 2005. http://www.ffiec.gov/pdf/authentication_guidance.pdf.
4. Litan, Avivah. "Regulators Tell U.S. Banks to Adopt Stronger Risk-Based Authentication." Gartner. 27 October 2005. Report ID Number: G00134367.
5. McKay, Niall. "Top 10 Don'ts for Smart Card Deployment." SearchSecurity. 15 March 2004. http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci955174,00.html?track=identity.
6. Chappell, David. "Introducing Windows CardSpace." MSDN Library. April 2006. http://msdn2.microsoft.com/en-us/library/aa480189.aspx.
7. "FFIEC Guidance: Authentication in an Internet Banking Environment." Federal Financial Institutions Examination Council. 12 October 2005. http://www.ffiec.gov/pdf/authentication_guidance.pdf.
8. "New Research Shows Identity Fraud Growth Is Contained and Consumers Have More Control Than They Think." Better Business Bureau Online. 31 January 2006. http://www.bbbonline.org/IDTheft/safetyQuiz.asp.
9. Bowers, Tom. "The Insecurity of Two-Factor Authentication." SearchSecurity. 6 July 2004. http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci968784,00.html?track=identity.
10. "An Open Letter to the ICAO." Privacy International. 30 March 2004. http://www.privacyinternational.org/issues/terrorism/rpt/icaoletter.pdf#search=%22biometric%20and%20civil%20liberty%22.
11. "SSL Security and High Assurance: Get the Green Address Bar." VeriSign. http://www.verisign.com/ssl/ssl-information-center/ie7-ssl-security/index.html.
12. "Bank of America Toolbar Powered by EarthLink." Bank of America. http://www.bankofamerica.com/privacy/index.cfm?template=bac_toolbar.
About the Author
Juraj Siska is an Associate Director with Protiviti, a leading provider of independent risk consulting and internal audit services. Protiviti provides consulting and advisory services to help clients identify, assess, measure and manage financial, operational and technology-related risks encountered in their industries, and assist in the implementation of the processes and controls to enable their continued monitoring. We also offer a full spectrum of internal audit services to assist management and directors with their internal audit functions, including full outsourcing, co-sourcing, technology and tool implementation, and quality assessment and readiness reviews. Protiviti, which has more than 50 locations in the Americas, Asia-Pacific and Europe, is a wholly owned subsidiary of Robert Half International, Inc.
© Copyright 2007-2015 Protiviti, Inc.