Strong authentication methods: Are you behind the curve?

Strategic considerations

Start by understanding your use case. Is the user base small and focused on a small set of applications? A legal team within a large enterprise may have to deal with large volumes of confidential information stored in document management systems and e-discovery applications. A company may decide it wants to use, purchase and distribute a limited number of hardware devices for generating one-time passwords (OTPs). A small number of users dealing with highly valuable data may justify more costly approaches than other scenarios.

Alternatively, companies that provide software as a service (SaaS) or have a large number of employees using strong authentication methods may not find it practical to use specialized hardware and will opt for mobile device apps instead.

Consider how strong authentication will function with your existing authentication and identity management infrastructure. For example, if your enterprise has Active Directory Federation Services in Windows Server 2012, you can use certificate authentication or a third-party service, such as RSA SecurID Authentication Agent for Microsoft Active Directory Federation Services or Symantec Validation and ID Protection Service (VIP).

Cloud providers, such as Amazon Web Services and Microsoft Azure, are increasingly important components of enterprise infrastructure. Ideally, a strong authentication mechanism will work across on-premises and cloud platforms. Watch out for the need to support several MFA apps, such as Symantec's VIP for on-premises computer systems and Google Authenticator for AWS Multi-Factor Authentication.

Single sign-on (SSO) services, such as Okta and OneLogin, provide the benefits of SSO in cloud and SaaS environments. Consider how MFA will integrate with an SSO if you are using one. Does your SSO provider support your chosen MFA system? Do you want to deploy your MFA through the SSO provider if only a single application warrants MFA? This question can be especially important to ask if only a small number of users need access to sensitive applications and data that warrant MFA.

It is a well-understood practice in security to avoid proprietary algorithms related to encryption. Favor methods that are based on public standards, which have been subject to rigorous review. Proprietary algorithms may harbor unforeseen vulnerabilities.

Multifactor authentication will be to many users who have become accustomed to working with usernames and passwords. They may be unfamiliar with MFA apps and devices, so support desks should be prepared for calls for assistance. Well-developed guides and tutorials on a self-service portal can help reduce the potential for a spike in support center calls.

An MFA strategy complements passwords, it does not replace them. It is still important to enforce strong password policies. These policies should include limiting the lifetime of passwords, minimum length and character variety, limits on reuse and so on.

Strong authentication should be part of a broad set of information security practices that include separating and rotating duties, monitoring and logging events in identity management systems and performing routine audits.

Authentication technology

Strong authentication methods typically involve dynamically generated OTPs or certificate- and context-based authentication.

The OTP employs a security device in the user's possession and a back-end server. The security device may be hardware-based, such as a tamper-resistant key fob, or software-based, such as a mobile phone app. One-time passwords may also be delivered to mobile phones using SMS. Both types of user device share a secret with the authentication back-end server. The secret is used to generate a time-limited OTP. Software-based devices have the advantage of easier distribution. Users simply need to download an app, and enterprises do not have the overhead of managing the physical inventory of key fobs.

There are two common approaches to OTP generation: time based and algorithm based. Time-based algorithms use the time, along with a shared secret or token, to generate a password. The Time-Based One-Time Password Algorithm is an IETF standard for generating short-lived, one-time passwords. Non-time-based algorithms start with a seed value and hash function to generate passwords. After the initial password is generated, the prior password is used as input to generate the next password. Other OTP standards include the S/KEY One-Time Password System (RFC 1760), One-Time Password System (RFC 2289) and the HMAC-Based One-Time Password Algorithm.

Certificate-based authentication employs public key cryptography to generate public and private keys. Private keys may be stored on a portable device, such as a USB drive, or stored safely on a user's computer. Using a USB-based device mitigates the risk that a user will improperly secure a private key file, but adds the overhead of managing another physical device.

Context-based authentication uses information about a user, such as geographical location, to authenticate them. Context-based authentication is generally used in conjunction with other authentication methods. For highly secure environments, for example, a user may be required to provide a username, password, OTP and pass a verification on the geographical location of the device initiating the session. Other techniques include device registration or fingerprinting, source IP address reputation and behavioral analysis.

Pitfalls to avoid

Authentication technology does not exist in a vacuum. Regardless of the mathematical rigor behind an authentication method, once it is deployed -- and is operating in the complex mix of users, applications and infrastructures -- vulnerabilities will be . For example, Trend Micro documented the case of attacks on European bank customers who were lured into downloading a malicious app purportedly designed to generate OTPs for their online banking accounts.

End-user education is essential and extends from instructing users on how to install an OTP app to avoiding entering an OTP into a suspicious website.

As with any IT investment, strong authentication methods should be justified based on the benefits outweighing the costs. Applications that manage publicly available information may not present a strong case for investing in strong authentication technology. Financial systems, healthcare databases and other applications managing private and protected information are better candidates for the initial rollout of MFA.

The cost of MFA systems has been a barrier to adoption. However, the push toward consumerization of strong authentication methods may change the cost structure. The National Cybersecurity Alliance is working with consumer service providers such as Google, Dropbox, Microsoft and Facebook to promote better practices for securing online accounts.

Multifactor authentication is a well-established security practice. Although there are challenges to implementing and maintaining MFA systems, they provide significant benefits over password-only authentication mechanisms. As consumer services from major internet and financial services companies push for the use of MFA, the cost of the authentication technology may drop. At the same time, end-user awareness about the need for strong authentication and an understanding of how to use it will increase. The balance of cost and benefits is clearly in favor of strong authentication methods for many enterprise use cases.

About the author:
Dan Sullivan is an author, systems architect and consultant with over 20 years of IT experience with engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence. He holds a master's degree in computer science and has written extensively about topics ranging from data warehousing, cloud computing and advanced analytics to security management, collaboration and text mining.