For many years, I've highlighted the security problems and weaknesses of passwords. I've also written and spoken many times about the benefits and business cases for strong authentication methods, whereby at least two of the following three credentials are required to verify someone's identity:
- Something you know (e.g. a PIN)
- Something you have (e.g. a token)
- Something you are (e.g. a thumbprint)
In 2001, when the Federal Financial Institutions Examination Council (FFIEC) issued guidance entitled "Authentication in an Internet Banking Environment," I thought the move to implement strong authentication would gain momentum. The FFIEC document stated that single-factor authentication is not sufficient and that additional authentication is to be applied to online transactions. The guidance was followed up in 2004 by the Payment Card Industry Data Security Standard (PCI DSS), which explicitly required two-factor authentication for remote employees, administrators and third parties that access a merchant's network.
Yet if strong authentication methods are so much better than weak, password-driven authentication, then why haven't they become widespread enough to replace passwords completely? Surely strong authentication should help reduce identity theft and fraud because an attacker then needs more than a password to access a victim's system or information. So where's the rub?
The challenges of strong authentication implementation
The drawbacks of strong authentication surface in real-world implementation, namely cost and complexity. The costs of strong authentication deployments involving hardware token-based systems or biometric readers across a large user base can quickly mount up, often costing as much as $20 per user, and there can be significant support costs too. Deployment is often logistically challenging. Many products require users to deploy client software in order to make use of the token or smart card. This software needs to function across all browsers and often needs regular updating. Many consumers find this annoying or challenging, and they have certainly shown a reluctance or inability to install client-side software certificates, making user acceptability a real issue.
There are a number of additional challenges that come with supporting a physical device. People can lose hardware tokens as quickly as they can forget passwords. Hardware can become physically damaged as well. Employees won't lose their fingerprints, sure, but they may lose fingerprint readers. Also, for each service a user needs to access, there is often a separate token or device. For example, when I'm traveling, I have to remember to pack and safeguard a fob to access my business account, as well as a card reader the size of a small calculator to access my personal accounts. Maybe I shouldn't complain; the convenience of being able to manage my affairs securely while traveling is great, but all this gear is a drawback.
When it comes to using strong authentication with remote users, there is also a danger of man-in-the-middle attacks. Modern malicious software, once installed on a victim's computer, can provide an attacker with access to do anything the user could do. To keep this type of spying from being turned into fraudulent transactions, look at out-of-band transaction authentication products, such as one-time passcodes or PINs sent via SMS. Again, this adds more complexity and cost. Using cell phones for the SMS-driven codes keeps employees from carrying any extra tokens, but what if there is no cell signal? Ultimately, if users can gain access to their accounts via their computer, so can a third party who installs malware on that computer, no matter what kind of gateway authentication is involved.
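As an added illustration (not code from the article), the following Python sketches what makes out-of-band transaction authentication effective against malware on the user's computer: the SMS code is bound to the payee and amount the server will actually execute, and the message spells those details out so the user can spot a substituted transaction. The key, account identifiers, payee names and timestamps are constructed for the example.

```python
import hashlib
import hmac

STEP_SECONDS = 300  # each code is tied to a five-minute window; the previous window is also accepted


def transaction_code(key: bytes, account: str, payee: str, amount_cents: int, window: int) -> str:
    """Derive a six-digit code bound to the transaction details and a time window
    (HMAC-SHA256, truncated the same way HOTP truncates its digest)."""
    msg = f"{account}|{payee}|{amount_cents}|{window}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    num = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{num % 1_000_000:06d}"


def issue_sms(key: bytes, account: str, payee: str, amount_cents: int, now: int) -> tuple:
    """Server side: build the out-of-band message. It names the payee and amount the server
    will really execute, so the user can compare them with what they intended to approve."""
    code = transaction_code(key, account, payee, amount_cents, now // STEP_SECONDS)
    return f"Pay {amount_cents / 100:.2f} to {payee}. Code {code}", code


def verify(key: bytes, account: str, payee: str, amount_cents: int, submitted: str, now: int) -> bool:
    """Accept the code only for the exact transaction it was issued for, in the current or
    previous window. A code issued for a different payee or amount never verifies."""
    window = now // STEP_SECONDS
    for w in (window, window - 1):
        expected = transaction_code(key, account, payee, amount_cents, w)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return True
    return False


def malware_scenario(key: bytes, now: int) -> dict:
    """Constructed walk-through: the user intends to pay ACME, but malware on the PC rewrites
    the payee before the request reaches the bank. The SMS reveals the substituted payee, and
    the code it carries cannot be transplanted onto the transaction the user meant to approve."""
    account, intended, altered, amount = "acct-42", "ACME Ltd", "Mule Account", 50_000
    sms, code = issue_sms(key, account, altered, amount, now)  # what the user's phone receives
    return {
        "sms_shows_altered_payee": altered in sms,
        "code_valid_for_altered": verify(key, account, altered, amount, code, now),
        "code_valid_for_intended": verify(key, account, intended, amount, code, now),
        "code_expired_two_windows_later": verify(key, account, altered, amount, code, now + 2 * STEP_SECONDS),
    }


if __name__ == "__main__":
    print(malware_scenario(b"constructed-demo-key", 1_700_000_000))
```

The scenario still depends on the user reading the SMS: the code verifies for the altered transaction if it is typed in blindly, which is why the message must state payee and amount rather than just a code.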
Strong authentication methods are certainly not a cure-all for the problems of authentication, but like locks that can be defeated by skilled burglars, the defense still has practical benefits. Malicious hackers look for easy "wins" and strong authentication certainly makes life more difficult for a would-be attacker. Authentication tokens can also be leveraged in other ways. By combining staff ID badges with smart cards, an enterprise can create a centralized means to establish and enforce access policies, using two-factor authentication for both physical and logical resources. Thankfully, vendor competition is pushing costs down, and products are becoming more and more user friendly.
I also believe that behavior -- like shopping patterns that define a personal characteristic -- will become the default second factor. In fact, it's already happening with fraud-detection technology used by banks and large online retailers to spot unusual or out-of-character purchases. As fraud-monitoring products become more sophisticated, they could provide enough authentication that you won't need a token. Maybe it's time to update the business case for strong authentication.
Given these developments in strong authentication technology, the increasing sophistication of attackers and the business priority of verifying compliance with regulations like FFIEC and PCI DSS, enterprises would be wise to reconsider where and how strong authentication fits into their security and compliance programs.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.