In the 1980s and 90s, improving authentication entailed encouraging, then forcing people to choose better passwords. Next came multi-factor authentication (MFA). The theory is good; something you know, something you have, something you are, and your location. Two or more factors provide strong authentication.
Biometrics have not become mainstream due to high costs, perception, and technical challenges. Determine the location of a user can be helpful in some circumstances, but presents a challenge for authenticating mobile users. As a result, MFA is usually a static password and a one-time password generated by hardware or software.
Before smartphones were commonplace, hardware authentication devices were used. The more secure products were calculator-like devices into which a user entered a PIN and a challenge code provided by the server. The device produced a response code that the user entered into the computer to complete the authentication. Lower-security alternatives that simply produce a new one-time authentication code every 30 seconds, or when a button is pressed, became more popular due to ease of use.
RSA has sold tens of millions of SecurID devices that use a proprietary algorithm. Companies such as Gemalto offer hardware authentication devices that comply with the OATH standard favoured by Amazon Web Services. The free Google Authenticator app allows almost any smartphone to act as an authentication device. Some vendors also offer software implementations for Windows, Linux and OS X.
Apple has taken a different approach by sending the authentication code to the user’s iPhone, iPad or iPod. The user then types the resulting code into their web browser.
MFA decreases the likelihood of non-targeted password compromise. Widespread phishing attacks, for example, are usually designed to capture as many passwords as possible before the attacker is shut down. MFA also mitigates some risks related to re-using the same password for multiple web applications. However, most implementations suffer from a critical weakness. Authentication occurs over the same communication channel as the browser session and is vulnerable to man-in-the-middle (MITM) attacks.
Criminals rapidly adapt their techniques to defeat new security technologies. To the advanced adversary, the widespread adoption of one-time passwords requires conducting attacks in real-time. As MFA use increases, a variety of toolkits to defeat these systems will quickly become available in underground marketplaces.
To stop criminals in the decades to come, authentication systems must include MFA, strong mutual authentication, additional communication channels, and more intelligent risk-based approaches to authentication.
An emerging technology is the FIDO Alliance Universal 2nd Factor (U2F), originally created by Google and Yubico. U2F allows a hardware token to provide a second authentication factor.
When a user registers the U2F device with a new web service, the device creates a new key pair and gives the service the public key to associate with the user’s account. When the user logs in, in addition to username and password, the service can obtain a second authentication by verifying a signature created by the U2F device.
Unlike most hardware authentication, the same U2F device can be used across multiple web services. The U2F specification requires the hardware token not include a global identifier that can be accessed by the web services. This ensures that web services cannot determine if multiple U2F accounts are authenticated with the same device. In addition, U2F allows more than one device to be associated with an account. For example, a Google Apps user can register two U2F tokens and use either to authenticate.
USB U2F authentication devices are inexpensive, retailing for about $20. Chrome is currently the only web browser with U2F support. Microsoft and Mozilla are reporting working on U2F implementations.
U2F raises the bar, but is not perfect. Under certain circumstances it may be vulnerable to MITM attacks, but since it is integrated into the web browser those circumstances are limited and other compensating controls could be applied.
Authentication systems such as PhoneFactor (recently acquired by Microsoft) provide another useful approach. A separate communication channel, in this case a voice call or SMS, strengthens security. However, unless the system evolves to include a MITM countermeasure, perhaps by leveraging a certificate or session key fingerprint, it is still possible for a user’s session to be intercepted.
The browser certificate model requires improvement. A sophisticated adversary can easily obtain a fraudulent certificate or leverage malware to install a malicious Certification Authority certificate. Techniques such as third-party certificate validation and certificate pinning are required. Browser certificates could be issued once a user is strongly authenticated.
Authentication must become risk-based and more intelligent. There is no single approach that will adequately protect all applications; some require stronger security than current two-factor authentication systems provide. In these cases, multiple authentication systems should be layered to build a significantly stronger framework and users should be authenticated prior to establishing connectivity to the application.
Have a security question you’d like answered in a future column? Email firstname.lastname@example.org
SAMSUNG GALAXY S8 PLUS
The Samsung Galaxy S8 Plus is a beautifully crafted smartphone with nearly no bezel, curvaceous in design and reflects a…
How to: Connect to Exchange Online Using Multi-Factor Authentication
Using PowerShell to manage your Microsoft cloud services like Exchange Online and using multi-factor authentication (MFA) separately is awesome. Using…