SUMMARY
The past few months have seen a near-constant stream of reported security breaches, which has brought the subject of user authentication for online services into sharp focus. In the continual search for an effective solution, two-factor authentication (2FA) is rising to the top as a potential answer, inevitably generating a few misconceptions along the way. The point to remember is that true 2FA systems use two independent forms of identification to authenticate users. Most 2FA systems use what the user knows and what the user has (knowledge and possession) as “authentication factors”. For an authentication system to be considered “two-factor”, evidence of at least one item of each factor is needed.
BACKGROUND
The rapid growth of social, government and commercial applications on the Internet has been matched by a rise in data that is of value and interest to a growing number of groups. Even where the data holds no genuine interest for some of those parties, this does not stop certain groups from attempting to access it illegally.
As the majority of Internet resources and Web pages use the typical username-and-password combination to identify users, it is inevitable that most attacks begin against the authentication schemes put in place to protect data that attackers may wish to obtain, modify or deny access to.
ISSUE
There is an immensely varied range of threats that exploit all manner of vulnerabilities in the handling of passwords. Opportunistic hackers know that passwords can still be found, perhaps on Post-It notes or simply by “shoulder-surfing” (watching a user type in their PIN or password). “Social engineering” tactics are also used to trick users into divulging their passwords. By conducting large-scale “dictionary attacks” and other password-cracking methods, hackers can also guess passwords. And last but not least, passwords can be obtained simply by theft: by breaking into poorly protected databases, sniffing end-user traffic at public Wi-Fi hotspots, or installing keyloggers or other Trojan-horse malware on user devices.
If the recent billion-password heist announced on the eve of BlackHat 2014 is taken at face value, it appears to have been a sophisticated mixture of manual and automated methods. Initially, the CyberVor hackers purchased a list of compromised e-mail addresses, which served as the initial target set for the heist. They then sent malware to the compromised computers, and to other devices whose users’ e-mail addresses appeared in the address books of the compromised accounts. Whenever individuals using these compromised computers browsed the Internet, the malware was activated and tested the visited sites for vulnerabilities in password management. On finding an exploitable vulnerability, the malware reported details of the vulnerable site back to the attackers. The breach was carried out on a large scale and tracked the movements of numerous users across 420,000 sites over several months. Subsequently, the weakly protected password databases were extracted from the vulnerable sites by both manual and automated methods. With such a methodical modus operandi, it is entirely surprising that only 1.2 billion unique username-password combinations were harvested.
Even if not all the claims surrounding the CyberVor attack can be relied upon, the attack should at least be a considerable wake-up call for organisations and administrators. The CyberVor group may, figuratively, have found the keys to many mansions, but they had not reached the point of fully exploiting the commercial value of the attack. The story might yet end with the “bad guys” having unintentionally conducted a large-scale audit of the Web for the “good guys”, but executives and administrators must react quickly and efficiently for that to be the case. There is no doubt that exclusive reliance upon the simple password as the means of user authentication is no longer adequate in today’s world.
IMPLICATIONS
Identity is still quite a primitive notion in computer systems: we simply require evidence, in the form of pieces of information, to establish the identity of a given user.
For decades, a single such piece of evidence proved sufficient. But as the multitude of online resources grows in value, it has become a priority to protect them from escalating risk by insisting on more than one piece of evidence of the user’s identity.
One solution developed in response to this need is multi-factor authentication. A factor is an independent class of evidence that can be used to confirm someone’s identity. Inherence (“something only the user is”) is a common factor alongside the knowledge and possession factors. Other factors, such as geographical location and behaviour, are less widespread. Traditionally, 2FA systems use the knowledge and possession factors.
In the wake of the recent large-scale breaches, there has been increased debate about 2FA systems as a preventative measure, though a degree of misunderstanding of the concept remains.
NEED
Correctly implemented, 2FA has enormous potential to thwart the compromise of systems. It demonstrates the defence-in-depth principle at both the micro and the macro level: the two factors present an attacker with more than one hurdle, and 2FA can be combined with other defensive measures.
The factors are independent of each other: they have no correlation, origin, implication or redundancy relations with one another. For the knowledge factor, a 2FA system requires the user to present, for instance, a username, password, PIN or passphrase. For the possession factor, it requires the user to present something they have, such as a key-fob, smartcard or other token. For the inherence factor, it requires the user to present something innate to them, such as their voice, fingerprint or eye (for a retinal scan), or some other physiological characteristic. No item linked with one factor can be derived from an item linked with another, and no item from one factor can substitute for an item from another. This independence requirement is what defines 2FA systems.
INSIGHT
The most frequent misconception concerns the knowledge factor. Perhaps by analogy with the real-world practice of asking applicants to provide, for example, two utility bills sent to them at the stated address, some online administrators and service providers incorrectly believe that asking for two e-mail addresses amounts to 2FA. It does not.
Similarly, asking for both a PIN and a password does not amount to 2FA, since both pieces of information are knowledge factors.
The previous examples are instances of what is generally called “strong authentication”, which the United States’ FFIEC and FDIC distinguish from 2FA. Unfortunately the European Central Bank still insists on referring to 2FA as “strong customer authentication”; it even refused to modify its terminology last year. This only adds to the confusion on the matter.
Dual controls, common in the operational-risk context, also differ from 2FA: they ask for two things of the same type, for example the signatures of two individuals.
There is good news, however: the perfect 2FA is practically invisible and seamless, and it really exists. We carry it about on our person in the form of the humble bank card. To get cash from an ATM, you identify yourself by presenting your card (a token you have) and entering your PIN (something you know).
Another real-life application of 2FA is your mobile phone. To gain access to the carrier’s network, you need the handset with its subscriber identity module (SIM), a possession factor, and you also need the PIN, a knowledge factor.
It is ironic, then, that we use our phones and other computers to access services which themselves are, in the main, not protected by two-factor authentication. This undermines the principle of defence-in-depth, so it must be hoped that the recent breaches focus the minds of the relevant executives and administrators to the point where true 2FA systems become the norm.
The issue goes further than authentication. Authorisation is the next element of access control; it governs the rights and privileges of users within the system to which they have been authenticated. In the real world this shows up in experiences such as the following: just because you can prove that you are indeed yourself does not mean you can make a phone call (“Sorry: you have no credit”) or withdraw money (“Sorry: you have no cash”). It is vital to get authorisation right, because it determines not only what legitimate users can do but also what attackers can accomplish once they have breached the defences.
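The independence requirement from the NEED section, the misconceptions above (PIN plus password, two e-mail addresses) and the authentication-then-authorisation point, as an added illustration that is not part of the original article: a small Python check that classifies a login scheme by the distinct factors its credential types evidence, then runs the ATM case through authentication followed by authorisation. The credential catalogue and function names are assumptions for illustration only.

```python
from enum import Enum

class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something the user knows
    POSSESSION = "possession"  # something the user has
    INHERENCE = "inherence"    # something the user is

# Hypothetical catalogue mapping each credential type to the factor it
# evidences. A PIN, a password and an e-mail address all sit under
# KNOWLEDGE, so presenting two of them still evidences only one factor.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOWLEDGE, "pin": Factor.KNOWLEDGE,
    "email_address": Factor.KNOWLEDGE,
    "bank_card": Factor.POSSESSION, "sim": Factor.POSSESSION,
    "key_fob": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE, "voice": Factor.INHERENCE,
}

def factors_evidenced(credentials):
    """Return the set of distinct factors covered by the presented credential types."""
    unknown = [c for c in credentials if c not in CREDENTIAL_FACTOR]
    if unknown:  # refuse to count anything the catalogue cannot classify
        raise ValueError(f"unclassified credential type(s): {unknown}")
    return {CREDENTIAL_FACTOR[c] for c in credentials}

def classify_scheme(credentials):
    """Label a login scheme by how many independent factors it really requires."""
    n = len(factors_evidenced(credentials))
    if n >= 2:
        return "two-factor"
    if n == 1 and len(credentials) >= 2:
        return "single-factor (several items of one kind)"
    if n == 1:
        return "single-factor"
    return "no authentication"

def atm_withdrawal(credentials, amount, balance):
    """Authenticate with card and PIN, then authorise against the available cash."""
    if not {Factor.POSSESSION, Factor.KNOWLEDGE} <= factors_evidenced(credentials):
        return "denied: card and PIN both required"
    if amount > balance:  # authenticated, but not authorised for this amount
        return "denied: insufficient cash"
    return "granted"
```

Note that `classify_scheme(["pin", "password"])` and `classify_scheme(["email_address", "email_address"])` both land in the single-factor bucket, while card plus PIN and SIM plus PIN are reported as two-factor.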
CONCLUSION
Correctly implemented, two-factor authentication systems hold incredible potential for preventing the compromise of online systems.
It is crucial, nonetheless, that several factors are used for authentication before users are passed on to the authorisation systems that implement policy and either grant or deny access to valuable resources.