- Security TWENTY
- Women in Security Awards
Recent news of breaches, such as iCloud, eBay etc has brought into focus the matter of user authentication for online services, writes Toyin Adelakun, pictured, VP of products for Sestus.
Unfortunately, the majority of hacking attempts happen by targeting the authentication schemes, and username-and-password pairs are used by most Internet resources – and easiest to crack. Therefore, effective, durable solutions, like two-factor authentication (2FA) are required.
Essentially, 2FA systems use two independent forms of identification to authenticate users. Most use a knowledge factor (what the user knows) and possession (what the user has). For an authentication system to be classed as ‘two-factor’, proof of each form must be presented. This makes it inherently more robust than simply using passwords as a means of protection.
Password vulnerabilities can be exploited by all manner of threats. Firstly, passwords can (still) be found – written down or by ‘shoulder-surfing’. Secondly, attackers can use ‘social engineering’ to fool users into revealing passwords. Thirdly, via large scale ‘dictionary attacks’, hackers can guess. Finally, attackers can obtain passwords by breaching poorly-protected databases, sniffing end-user traffic at public Wi-Fi stations, or using Trojan-horse malware on user devices.
CyberVor’s recent billion-password heist suggests a mix of various manual and automated methods. It seems the attackers bought a list of compromised e-mail addresses to which they then sent the malware, as well as to the devices of the email addresses in the address books of the compromised machines and accounts. Whenever users of all these compromised devices went online, the malware activated, testing visited sites for password management vulnerabilities. Upon discovering vulnerabilities they could exploit, the malware sent back details of the site. This occurred on a large scale, tracking users over 420,000 sites over several months. The attackers subsequently harvested the password databases from the sites. With such a precise strategy, it’s shocking that only 1.2 billion username-password pairs were obtained.
This case illustrates just how sole reliance upon the humble password is no longer suitable.
In computing systems, we identify via a single piece of evidence – a password. But as online resources have become increasingly valuable, it has become essential to protect them from mounting risks by demanding more than one form of identification.
2FA systems hold great promise for preventing compromise of systems because 2FA embodies the defend-in-depth security principle at both the micro level – in that the two factors present more than one hurdle for an attacker – and at the macro level – in that 2FA can be used with, say, encryption or other defensive measures. It’s key that the factors are independent of one another. To implement knowledge, 2FA systems need the user to present something they know, like a password. To implement possession, they must present something they have, like a token.
The most common misconception is usually knowledge; some online administrators and service providers believe that demanding two e-mail addresses amounts to 2FA – however, it does not. Similarly, asking for a password and then a PIN doesn’t amount to 2FA – because the two pieces of information represent knowledge factors.
These examples do amount to what is commonly called ‘strong authentication’ – as distinguished from 2FA by the likes of the United States’ FFIEC and FDIC. Unfortunately, the European Central Bank insists on referring to 2FA as ‘strong customer authentication’, refusing last year to amend its terminology. This has the potential to fuel further confusion.
However, there is good news; the best 2FA is seamless and almost invisible. And yes, it exists – we carry it about in our wallets and handbags: the humble bank-card. When you present yourself to the ATM and demand cash, you identify yourself by presenting something you have, the card, and something you know, the PIN.
The mobile phone presents yet another example of 2FA in action. In attempting to gain access to the mobile phone carrier’s network, you present not just the handset and SIM within it, but also a PIN (’something that you know’).
Properly implemented, 2FA systems hold great promise for preventing compromise of online systems. However, it is essential that multiple factors are indeed used for authentication, before handing users onto the authorisation systems that enforce policy and grant or deny access to valuable resources. Only then can we uphold the security principle of defend-in-depth and focus the minds of executives and administrators to the point where true 2FA systems become the norm.