Two-factor authentication is a hot topic at the moment; while visiting the Infosecurity Europe show last week I noticed the huge number of companies trying to sell one two-factor solution or another. So what is two-factor authentication? Why would you want it? Is it really worth the effort and expense?
Authentication relies on at least one of three types of information: something you know, something you have, or something you are. Classic examples of something you know would be a password or pin code. Something you have could include a security token or mobile phone. Biometric data such as fingerprints would make up the last category of something you are.
A traditional system uses only one level of authentication -- the humble password. Two-factor authentication requires that two pieces of data be presented, each from a different category. This (in theory) dramatically reduces the risk of a system being compromised, because the chance of both authentication factors being broken or lost at the same time is minimal. Unfortunately, each method of authentication has its weaknesses -- whether any of them can stop a determined criminal from gaining unauthorised access is questionable.
Passwords, PINs and pass codes all come under the category of something you know. It may be your mother’s maiden name (used to verify your identity over the telephone), an Internet banking password or an ATM/credit card PIN. The major problem with these when used alone is that people have a habit of writing them down or, even worse, telling somebody else. Most people will forget a password if it’s too complex, but a simple password can be cracked in minutes. With a little research on their victim or some social engineering, an identity thief would easily be able to dig up pass codes such as a mother’s maiden name, the name of your first pet or the school you attended. Two-factor authentication generally uses some type of password or PIN; one of the most successful examples of this would be an ATM card that requires something you know (the PIN) and something you have (the card).
In a high-security environment passwords may be dropped altogether.
Smartcards and USB tokens
Smartcards and USB tokens are of course something you have. They would generally be used to hold some type of private key or certificate within a storage area. Another type of smartcard is a proximity tag; these are often used for building access: each card has a unique ID that is passed to the reader, and access is granted or denied. As hardware is involved there are obvious costs to consider, such as purchasing, deployment, replacement and management. Due to the small size of these devices they are frequently lost, in which case the token must be revoked and a new one assigned. Until a token is reported lost it can still be used. Hardware tokens can be used in conjunction with biometric data or a password. I recently saw a USB token that requires a fingerprint to operate; three-factor anyone?
One Time Password
One-time password (OTP) dongles like RSA’s SecurID are probably among the best-recognised two-factor accessories. Each OTP dongle displays a pseudorandom numerical code that changes every 60 seconds (or once a button is pressed). To authenticate, this random number is combined with a PIN code. Just like the hardware token, a dongle is something you have and poses similar logistical challenges, which can incur considerable recurring costs.
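To make the "code that changes every 60 seconds, combined with a PIN" concrete, here is an added example of how the server side of such a scheme can be built. It is not RSA’s SecurID algorithm (which is proprietary) and not code from this article; it uses the open HMAC-based OTP of RFC 4226 and its time-based variant from RFC 6238 with a 60-second step, a constructed demo seed, and an assumed four-digit PIN. The verifier shows the two checks a practitioner would want beyond a plain comparison: a small drift window so a slightly slow token clock still works, and tracking of the last accepted time step so a captured code cannot be replayed.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo seed (the RFC 4226 sample key); a real token holds a per-device seed.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 60   # the article's 60-second code rotation
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None, step: int = STEP_SECONDS) -> str:
    """Time-based variant (RFC 6238): the counter is the number of steps since the Unix epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step)


class OtpVerifier:
    """Server side: checks PIN + OTP, tolerates small clock drift, rejects replayed codes."""

    def __init__(self, secret: bytes, pin: str, window: int = 1, step: int = STEP_SECONDS):
        self.secret = secret
        self.pin = pin                # assumed static PIN, the "something you know"
        self.window = window          # accept +/- this many time steps of drift
        self.step = step
        self.last_counter = -1        # highest time step already consumed

    def verify(self, passcode: str, at_time: Optional[float] = None) -> bool:
        """passcode is PIN followed by the displayed OTP, e.g. '1234' + '755224'."""
        if at_time is None:
            at_time = time.time()
        if len(passcode) != len(self.pin) + DIGITS:
            return False
        # Constant-time comparisons so a wrong PIN and a wrong OTP look the same to a timing observer.
        pin_ok = hmac.compare_digest(passcode[:len(self.pin)], self.pin)
        otp = passcode[len(self.pin):]
        current = int(at_time) // self.step
        accepted = False
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue              # already used: a captured code cannot be replayed
            if hmac.compare_digest(hotp(self.secret, counter), otp) and pin_ok:
                self.last_counter = counter
                accepted = True
                break
        return accepted


if __name__ == "__main__":
    verifier = OtpVerifier(DEMO_SECRET, pin="1234")
    now = time.time()
    print("token shows:", totp(DEMO_SECRET, now))
    print("login ok:", verifier.verify("1234" + totp(DEMO_SECRET, now), now))
    print("replay ok:", verifier.verify("1234" + totp(DEMO_SECRET, now), now))
```

The drift window is where the recurring cost the paragraph mentions shows up in software: tokens whose clocks have wandered beyond the window must be resynchronised or replaced, so the window is a trade-off between help-desk load and the number of codes an attacker could guess at in one step.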
Biometrics uses a unique human characteristic for the purpose of verifying a person’s identity, i.e. something you are. Commonly the physical characteristics used for authentication are retinal scans and fingerprints. If a biometric challenge is performed under controlled circumstances (e.g. guarded) it may prove very difficult to spoof, but not impossible. Under ‘normal’ circumstances a well-equipped attacker may quite easily replicate certain types of biometric data such as fingerprints, retinal data or even facial features. Personal safety is an important issue raised by the use of biometric authentication: less sophisticated criminals may take drastic measures, as one motorist in Malaysia found out. A ‘violent gang’ abducted the driver of an S-Class Mercedes and later cut off his index finger, which was required to bypass the car’s immobiliser! Deployment of biometrics is potentially cheaper than OTP or token-based solutions (many laptops now come equipped with an embedded fingerprint reader), although collecting biometric data could prove to be a headache. There are questions raised by the storage of biometric samples and the potential security implications of a data leak.
Many companies are now considering using mobile phones as something you have. Most people already carry a mobile phone, so using this as an access token means the user does not have to carry around yet another device, and the cost of deployment is drastically reduced. Many banks in the Far East are adopting this solution to tackle rising levels of online transaction fraud. A user registers his/her mobile phone at an ATM using their bank card and PIN (which is already a two-factor system). Once registered, an authorisation code that is required to complete an online transaction will be sent to the customer’s phone. The authorisation code is generally valid for a predetermined period, meaning that multiple transactions can take place without re-authenticating. As with any other form of ID that falls under the something-you-have category, a mobile phone can be lost or stolen. There are also questions as to whether SMS messaging is truly secure, with some readers of this article pointing out that carriers don’t encrypt SMS traffic.
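The bank-side bookkeeping for a code sent to a registered phone is simple but has a few details worth getting right, so here is an added example (illustrative code, not any bank’s system or code from this article). It assumes a validity period of five minutes and a limit of three wrong guesses, neither of which the article specifies; the code is stored only as a hash, a wrong guess is counted, an expired or over-tried code is discarded, the same code may authorise several transactions until it expires (as the paragraph describes), and a revoke call covers the lost-or-stolen-phone case. The clock is injectable so the expiry behaviour can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict

# Assumed policy values; the article only says the code is valid for "a predetermined period".
CODE_VALIDITY_SECONDS = 300
MAX_FAILED_ATTEMPTS = 3


def _digest(code: str) -> str:
    # Keeps the plaintext code out of the database; with only a million possible
    # 6-digit codes this does not resist offline guessing, so the attempt limit does that job.
    return hashlib.sha256(code.encode()).hexdigest()


class AuthorisationCodes:
    """Server-side store of codes sent to registered phones (in-memory, for illustration)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._active: Dict[str, dict] = {}

    def issue(self, customer_id: str) -> str:
        """Create a fresh 6-digit code for delivery by SMS; only its hash is retained here."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._active[customer_id] = {
            "digest": _digest(code),
            "expires": self._now() + CODE_VALIDITY_SECONDS,
            "failures": 0,
        }
        return code   # handed to the SMS gateway, never written to a log

    def authorise(self, customer_id: str, presented: str) -> bool:
        """Check a code for one transaction; it stays valid until expiry, so several may follow."""
        rec = self._active.get(customer_id)
        if rec is None:
            return False
        if self._now() > rec["expires"] or rec["failures"] >= MAX_FAILED_ATTEMPTS:
            del self._active[customer_id]   # expired or too many guesses: a new code must be issued
            return False
        if not hmac.compare_digest(rec["digest"], _digest(presented)):
            rec["failures"] += 1
            return False
        return True

    def revoke(self, customer_id: str) -> None:
        """Called when the customer reports the phone lost or stolen."""
        self._active.pop(customer_id, None)


if __name__ == "__main__":
    store = AuthorisationCodes()
    sent = store.issue("customer-42")          # constructed customer id
    print("sent by SMS:", sent)
    print("first transaction:", store.authorise("customer-42", sent))
    print("second transaction:", store.authorise("customer-42", sent))
    store.revoke("customer-42")
    print("after phone reported lost:", store.authorise("customer-42", sent))
```

Note that none of this addresses the unencrypted-SMS concern the paragraph ends on: the store can limit how long and how often a leaked code is useful, but it cannot tell whether the code reached anyone other than the phone it was sent to.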
I think that, whichever authentication methods are available, the question of which one is right for a particular circumstance depends on an assessment of risk vs. cost. Does the risk posed by a breach justify the cost of implementing a two-factor system? Robert Lemos of CNET News.com looks at why two-factor authentication won’t solve the problem of identity theft. He quotes Bruce Schneier, a cryptographer and chief technology officer at network protection company Counterpane Internet Security. Schneier urges service providers to look for a more permanent solution: "Focus on the problem: fraudulent transactions," he said. "There are two strategies: you can make identities harder to steal, or you can make identities less useful. I think the first fails in the end."
Authentication, at least as we know it, can’t be completely secure. A determined criminal with the required time and resources will always be able to bypass a two-factor system. Whether that means collecting and spoofing biometric data, extracting pass codes via social engineering or stealing/swapping a physical device such as a cell phone or token—they are all perfectly possible. However, the two-factor system does make hijacking a user’s account and/or identity much more difficult, costly and time consuming. I therefore do believe that while two-factor authentication won’t eliminate fraud or unauthorised data access, it can help to greatly reduce them.
What are your opinions? Do you currently use a two-factor authentication system? If not then why not? If so what were the deciding factors in choosing that particular implementation?