Are 'strong authentication' methods strong enough for compliance?


Michael Cobb, Contributor
08.05.2009




For many years, I've highlighted the security problems and weaknesses of passwords. I've also written and spoken many times about the benefits and business cases for strong authentication methods, whereby at least two of the following three credentials are required to verify someone's identity:

  • Something you know (e.g. a PIN)
  • Something you have (e.g. a token)
  • Something you are (e.g. a thumbprint)

In 2001, when the Federal Financial Institutions Examination Council (FFIEC) issued guidance entitled "Authentication in an Internet Banking Environment," I thought the move to implement strong authentication would gain momentum. The FFIEC document stated that single-factor authentication is not sufficient and that additional authentication is to be applied to online transactions. The guidance was followed up in 2004 by the Payment Card Industry Data Security Standard (PCI DSS), which explicitly required two-factor authentication for remote employees, administrators and third parties that access a merchant's network.

Yet if strong authentication methods are so much better than weak, password-driven authentication, then why haven't they become widespread enough to replace passwords completely? Surely strong authentication should help reduce identity theft and fraud because an attacker then needs more than a password to access a victim's system or information. So where's the rub?

The challenges of strong authentication implementation
The strong authentication drawbacks come in real-world implementation, namely cost and complexity. The costs of strong authentication deployments involving hardware token-based systems or biometric readers across a large user base can quickly mount up, often costing as much as $20 per user, and there can be significant support costs too. Deployment is often logistically challenging. Many products require users to deploy client software in order to make use of the token or smart card. These need to function across all browsers and often need regular updating. Many consumers find this annoying or challenging, and they have certainly shown a reluctance or inability to install client-side software certificates, making user acceptability a real issue.

There are a number of additional challenges that come with supporting a physical device. People can lose hardware tokens as quickly as they can forget passwords. Hardware can become physically damaged as well. Employees won't lose their fingerprints, sure, but they may lose fingerprint readers. Also, for each service a user needs to access, there is often a separate token or device. For example, when I'm traveling, I have to remember to pack and safeguard a fob to access my business account, as well as a card reader the size of a small calculator to access my personal accounts. Maybe I shouldn't complain; the convenience of being able to manage my affairs securely while traveling is great, but all this gear is a drawback.

When it comes to using strong authentication with remote users, there is also a danger of man-in-the-middle attacks. Modern malicious software, once installed on a victim's computer, can give an attacker the ability to do anything the user could do. To counter this type of spying, look at out-of-band transaction authentication products, such as one-time pass codes or PINs sent via SMS. Again, this adds more complexity and cost. Using cell phones for the SMS-driven codes keeps employees from carrying any extra tokens, but what if there is no cell signal? Ultimately, if users can gain access to their accounts via their computer, so can a third party who installs malware on that computer, no matter what kind of gateway authentication is involved.
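To make the out-of-band point concrete, here is an added example (not from the article or any vendor product) of a server-side transaction authentication code: a short numeric code, delivered over a separate channel such as SMS alongside a summary of the payee and amount, that is derived from the transaction details themselves. The HMAC construction, the demo key, the user and payee names, and the six-digit format are all assumptions made for this illustration; the point it shows is that a code bound to the transaction stops malware on the endpoint from silently rewriting the payee or amount after the user has approved it.

```python
import hmac
import hashlib
import secrets

# Constructed demo key; a real deployment would hold a per-user secret server-side.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def transaction_code(user_id, payee, amount_cents, nonce, key=SERVER_KEY, digits=6):
    """Derive a short numeric code that commits to one specific transaction.

    The bank sends this code out of band (e.g. by SMS) together with a plain
    description of the transaction it covers. Because payee and amount are
    part of the MAC input, the code only authorises what the user saw on the
    phone, not whatever the browser session ends up submitting."""
    msg = f"{user_id}|{payee}|{amount_cents}|{nonce}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    # Dynamic truncation: 4 bytes at an offset chosen by the MAC's last nibble.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def issue_code(user_id, payee, amount_cents):
    """Server side: create a pending transaction and return (nonce, code).

    The nonce is stored with the pending record and must be used once only;
    the code goes to the user's phone, never back through the browser."""
    nonce = secrets.token_hex(8)
    return nonce, transaction_code(user_id, payee, amount_cents, nonce)


def verify_submission(user_id, payee, amount_cents, nonce, submitted_code):
    """Server side: recompute the code from the transaction the server is
    actually about to execute and compare in constant time. If malware on
    the endpoint altered payee or amount after the SMS went out, the
    recomputed code no longer matches the one the user typed in."""
    expected = transaction_code(user_id, payee, amount_cents, nonce)
    return hmac.compare_digest(expected, submitted_code)


def demo():
    """Approve a constructed transaction, then replay the same code against
    a tampered payee; returns (genuine_accepted, tampered_accepted)."""
    nonce, code = issue_code("alice", "ACME Utilities", 12500)
    genuine = verify_submission("alice", "ACME Utilities", 12500, nonce, code)
    tampered = verify_submission("alice", "Mule Account 9", 12500, nonce, code)
    return genuine, tampered
```

The scheme limits what endpoint malware can do with a captured code; it does not, as the article notes, stop malware that simply acts within an already-authenticated session.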

Strong authentication methods are certainly not a cure-all for the problems of authentication, but like locks that can be defeated by skilled burglars, the defense still has practical benefits. Malicious hackers look for easy "wins" and strong authentication certainly makes life more difficult for a would-be attacker. Authentication tokens can also be leveraged in other ways. By combining staff ID badges with smart cards, an enterprise can create a centralized means to establish and enforce access policies, using two-factor authentication for both physical and logical resources. Thankfully, vendor competition is pushing costs down, and products are becoming more and more user friendly.

I also believe that behavior -- like shopping patterns which define a personal characteristic -- will become the default second factor. In fact, it's already happening with fraud-detection technology used by banks and large online retailers to spot unusual or out of character purchases. As fraud-monitoring products become more sophisticated, they could provide enough authentication so that you won't need a token. Maybe it's time to update the business case for strong authentication.

Given these developments in strong authentication technology, the increasing sophistication of attackers and the business priority of verifying compliance with regulations like FFIEC and PCI DSS, enterprises would be wise to reconsider where and how strong authentication fits into their security and compliance programs.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
