Many banks have been increasing the security of their
online services over the past year. By offering customers smartcard
readers or security tokens, they have been able to roll out a
second level of security.
The move highlights how businesses' faith in passwords is
declining - if they are not lost, they can be stolen, and if they
aren't stolen, they can be easily shared.
Two-factor authentication raises the security bar, introducing
another level of authentication for system access. Generally,
two-factor authentication uses something a user knows (a password
or Pin) along with something they have (a security token), making
impersonation more difficult.
It has been used to authenticate both employees and customers,
but it has limitations. With corporate governance regulations such
as Sarbanes-Oxley requiring stronger authentication as part of an
overall hardening of security, more large companies are likely to
investigate two-factor authentication, but small to mid-range
companies have a habit of lax security practice. Passwords are
regularly exchanged and written down.
Nevertheless, two-factor authentication is becoming easier to
integrate, according to Imprivata, which sells a hardware appliance
for authenticating users. Called Onesign, it integrates with
Microsoft Active Directory.
The firm originally focused on selling single sign-on systems
but found growing interest in implementing two-factor
authentication.
"Recently we separated the authentication component from the
single sign-on component because so many people were asking for
it," said director of product management, Gregg LaRoche.
On the client side, RSA's SecurID is one of several
authentication technologies available. It is the equivalent of a
one-time pad, changing the user's password every 60 seconds in
synchronisation with a remote server. SecurID is used mainly in an
enterprise context. One of its main competitors, the Vasco Digipass,
also generates one-time passwords and allows for optional Pin entry,
which turns it into a two-factor authentication system.
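The time-synchronised scheme described above, as an added example that is not part of the original article and not RSA's or Vasco's own code (the SecurID algorithm is proprietary). It uses the public HMAC-based TOTP construction of RFC 6238 in its place, with an assumed 60-second step to match the article, six-digit codes and one step of tolerated clock drift. The token and the server hold the same shared secret and run the same function over the current time, so the code changes every minute without the secret ever being sent; the server also refuses a code for a time step it has already accepted, which is what makes the code "one-time" in practice, and checks the Pin as the second factor. The serial numbers, Pin and secret are constructed values.

```python
import hashlib
import hmac
import struct

# Assumed parameters for this illustration: 60-second step as in the article,
# six-digit codes, and one step of clock drift tolerated either side.
STEP_SECONDS = 60
DIGITS = 6
DRIFT_STEPS = 1


def totp_code(secret: bytes, timestep: int, digits: int = DIGITS) -> str:
    """Code for one time step: HMAC-SHA1 over the step counter, then the
    RFC 4226 dynamic truncation. Token and server both run this on the
    shared secret, so they agree without transmitting the secret."""
    mac = hmac.new(secret, struct.pack(">Q", timestep), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def token_display(secret: bytes, now: int) -> str:
    """What the hardware token shows at unix time `now`."""
    return totp_code(secret, now // STEP_SECONDS)


class OtpServer:
    """Server-side verifier for (Pin, one-time code) pairs. Stores each
    token's shared secret and a Pin hash, tolerates small clock drift, and
    never accepts a time step at or before one it has already consumed."""

    def __init__(self):
        self._secrets = {}    # serial -> shared secret
        self._pins = {}       # serial -> Pin hash (a real deployment uses a password hash)
        self._last_step = {}  # serial -> highest time step already accepted

    def enrol(self, serial: str, secret: bytes, pin: str) -> None:
        self._secrets[serial] = secret
        self._pins[serial] = hashlib.sha256(serial.encode() + pin.encode()).digest()
        self._last_step[serial] = -1

    def verify(self, serial: str, pin: str, code: str, now: int) -> bool:
        if serial not in self._secrets:
            return False
        # First factor: something the user knows.
        offered = hashlib.sha256(serial.encode() + pin.encode()).digest()
        if not hmac.compare_digest(offered, self._pins[serial]):
            return False
        # Second factor: something the user has, with drift tolerance.
        current = now // STEP_SECONDS
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if step <= self._last_step[serial]:
                continue  # already used once: a replayed code is refused
            if hmac.compare_digest(totp_code(self._secrets[serial], step), code):
                self._last_step[serial] = step
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed shared secret
    server = OtpServer()
    server.enrol("T001", secret, "4711")
    now = 1_700_000_000
    code = token_display(secret, now)
    print("token shows", code, "-> accepted:", server.verify("T001", "4711", code, now))
    print("same code again -> accepted:", server.verify("T001", "4711", code, now + 5))
```

The drift window is the usual compromise between a token whose clock has wandered and an attacker who captured a code a minute ago; the `_last_step` record closes the latter gap within the window, and the unhelpful part of the trade-off is that a token that drifts further than one step must be re-synchronised, which is the "reset" problem described later in the article.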
One problem with these devices is their cost, said Mike Parker,
practice director for cards, security and channels at LogicaCMG.
They are expensive because they must contain an internal processor
to generate the passwords.
But there are other issues too. The Pin set-up and usage process
for a security token can be difficult for non-technical users, as
Martyn Lucking, computer services manager at Sanctuary Housing,
found.
The organisation wanted a two-factor authentication system to
secure remote workers accessing Citrix-based applications online.
It worked with consultancy Vistorm to put security tokens in
place.
"Sanctuary has managed to avoid directly connecting other
company networks via virtual private networks, instead granting
access to Citrix sessions only through a browser," said Lucking.
But complexity was an issue.
"Getting people used to setting up their Pin for the first time
was sometimes a problem. If the process was not completed
successfully, the token would need to be reset. Once they had
logged in, the solution was reliable."
An alternative is a smartcard (although some SecurID devices can
double as smartcards). These can hold multiple secrets, including
digital certificates and even photographs, which can be encrypted
for added protection. The downside is that companies must deploy
smartcard readers to clients, which adds to the cost.
This problem can be mitigated using a USB token with similar
smartcard functionality, as long as the IT department has not
turned off USB ports on client PCs to stop them being compromised
by USB keys containing executable files, for example.
"What you really want to do to solve the problem is to deploy
biometrics," said Parker. Biometrics on its own is not two-factor
authentication, but it is strong authentication, because it
requires something stronger than a password. A two-factor biometric
system would require users to enter a secret. However, companies
will again be faced with the problem of integrating a reader.
But how do you integrate such authentication with a Windows
client and Windows devices? It is difficult for suppliers of
biometric and other readers to produce a seamless process for
logging onto a client and accessing system resources.
They generally have to produce their own custom application for
reading the two-factor device, or in some cases rewrite the
graphical identification and authentication (Gina) interface, which
handles the Windows log-on process.
In an attempt to move enterprises beyond passwords, Microsoft's
Vista operating system will do away with the Gina interface,
replacing it with an extensible credentials system that will enable
providers of third-party devices to more readily write plug-in
support for their own devices into the operating system.
Microsoft hopes that this will encourage companies to create
event-driven two-factor authentication, where users are prompted for
their two-factor credentials when trying to access different
computing resources in the company. But whether cash-strapped IT
departments will rewrite corporate applications to authenticate
people using the system's new credentials user interface API has
yet to be seen.
One priority that companies sometimes forget when deploying
two-factor authentication is the human factor. "Organisations say
they have this fantastic technology to solve security problems, but
they do not think about the human issues," said Ken Munro, managing
director of penetration testing company SecureTest.
Generally, when technology locks down unauthorised access to
resources, intruders will look to human weaknesses for a way
in.
"Employees must understand why it is that the token is an
important thing and should not be kept in their laptop bag," said
Munro.
Even if all the employees in the company understand and remember
such rules, the chances are that at some point a token will be
lost. Munro said companies should consider token revocation
policies.
When a token is lost outside a club at 2am on Sunday morning, is
there a way of reporting that fact and having someone act on it? If
the loss is only discovered at Sunday lunchtime and the Pin was
with the token, can someone immediately check system access to see
if an intruder has used the token to log on?
If an employee loses their token while travelling abroad and
needs it to access the system urgently, is there a way of giving
them access? And if there is, how can you be sure you aren't giving
it to an imposter?
Things become even more complicated when trying to deploy
two-factor authentication in a business-to-consumer context. It has
been done successfully - a bank chip and Pin card is a form of
two-factor authentication, although only for on-site access via a
card reader - but using two-factor authentication for remote access
is harder.
Pin/Tan (transaction number) systems were an early form of
two-factor authentication for remote banking. Literally a one-time
pad, a Tan list is a list of numbers, each valid once. Customers enter
the next unused one, plus their Pin, every time they conduct a new
online transaction. Pin/Tan carries a low administration cost: if a
customer loses a Tan pad, the bank can simply send them another.
The use of secure hardware-based one-time pads, such as those
from Vasco, takes security to the next level by generating the pass
codes inside the device rather than printing them on a list. However,
according to Bruce Schneier, security author
and chief technical officer at Counterpane Security, keyloggers and
man-in-the-middle attacks make two-factor authentication largely
irrelevant in a B2C context where the client access devices are not
controlled.
If the password cannot be read from the device, then attackers
could simply read it from the PC, or from the connection between
the PC and the bank.
"No form of authentication is a silver bullet to cure all known
types of fraud," said Andrew Moloney, senior product manager in the
consumer solutions division at RSA Security.
"You have to look at it in the context of layered security. We
talk about transaction monitoring, and monitoring the session of
the user all the way through."
Such layered security includes monitoring the IP address that a
user is accessing from, along with behavioural anomalies (do they
normally log in at 2am from a Lithuanian IP address?).
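Two of the questions raised in this article, whether a lost token has been used to log on since it went missing, and whether a session looks out of character for the user (the 2am login from an unfamiliar country), are both answered by the same review of authentication records. The following is an added example, not code from the article or from any vendor named in it; the log format, the IP-to-country field, the user baselines and every record are constructed for the illustration, and a real deployment would read its directory or VPN logs instead.

```python
from datetime import datetime, timezone

# Constructed sample log for this example, not records from any real system.
# One record per line: ISO timestamp, then key=value fields.
SAMPLE_LOG = """\
2006-03-05T02:14:03Z user=alice token=T001 ip=85.206.0.10 country=LT result=ok
2006-03-05T08:55:12Z user=alice token=T001 ip=10.1.4.22 country=GB result=ok
2006-03-05T09:02:40Z user=bob token=T002 ip=10.1.4.30 country=GB result=ok
2006-03-05T13:21:55Z user=alice token=T001 ip=10.1.4.22 country=GB result=fail
2006-03-05T14:00:00Z user=carol token=T003 ip=10.1.4.41 country=GB result=ok
"""

# Constructed per-user baselines: the countries and hours (UTC) each user
# normally logs in from. A real system would learn these from history.
BASELINES = {
    "alice": {"countries": {"GB"}, "hours": range(7, 20)},
    "bob":   {"countries": {"GB"}, "hours": range(7, 20)},
    "carol": {"countries": {"GB"}, "hours": range(7, 20)},
}


def parse_time(stamp: str) -> datetime:
    """Parse the log's UTC timestamp format into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text: str) -> list:
    """Turn the line-oriented log into a list of dicts with a `time` field."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        rec = dict(field.split("=", 1) for field in fields)
        rec["time"] = parse_time(stamp)
        records.append(rec)
    return records


def logins_with_token_since(records: list, serial: str, since: datetime) -> list:
    """Successful logons made with one token serial from `since` onward:
    the question to ask once that token is reported lost."""
    return [r for r in records
            if r["token"] == serial and r["result"] == "ok" and r["time"] >= since]


def anomalous_logins(records: list, baselines: dict) -> list:
    """Successful logons outside the user's usual hours or countries,
    returned as (record, reasons) pairs for a reviewer to look at."""
    flagged = []
    for r in records:
        if r["result"] != "ok":
            continue
        base = baselines.get(r["user"])
        reasons = []
        if base is None:
            reasons.append("no baseline for user")
        else:
            if r["time"].hour not in base["hours"]:
                reasons.append(f"hour {r['time'].hour:02d} outside usual hours")
            if r["country"] not in base["countries"]:
                reasons.append(f"country {r['country']} not in baseline")
        if reasons:
            flagged.append((r, reasons))
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    # Token T001 reported lost at 2am on the Sunday morning.
    lost_at = parse_time("2006-03-05T02:00:00Z")
    for r in logins_with_token_since(recs, "T001", lost_at):
        print("T001 used after loss:", r["time"], r["user"], r["ip"])
    for r, why in anomalous_logins(recs, BASELINES):
        print("anomalous:", r["time"], r["user"], "; ".join(why))
```

The two checks are deliberately independent of the authentication technology: they work the same whether the second factor was a SecurID code, a Tan or a smartcard, which is the point of treating monitoring as a layer on top of authentication rather than a replacement for it.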
Certainly two-factor authentication is a step in the right
direction, linking identity to access, but it has to be accompanied
by a layered approach, extending into a company's technology
infrastructure and employee education. As with most security tools,
used in isolation its success will be limited.