<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-2716912429596490437</id><updated>2012-02-16T11:05:40.891-08:00</updated><category term='token'/><category term='monster'/><category term='phone'/><category term='passwords'/><title type='text'>2-Factor Authentication</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://2factor.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://2factor.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Joel Haspel</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='30' src='http://bp2.blogger.com/_faU8dOS4I6A/SIEC8_f4U7I/AAAAAAAAAAM/ME_-YHtJhiY/S220/joel_profile'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>15</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-2716912429596490437.post-3746142452111732391</id><published>2009-01-27T17:20:00.000-08:00</published><updated>2009-01-27T17:26:13.841-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='passwords'/><category scheme='http://www.blogger.com/atom/ns#' term='monster'/><title type='text'>Monster.com Employee Passwords Compromised</title><content type='html'>As described in this article: &lt;a 
href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1346018,00.html"&gt;http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1346018,00.html&lt;/a&gt;, Monster.com employee login credentials were recently stolen.  Now that hackers have their passwords, Monster's systems are at risk until every last password is changed -- and those users who happen to use the same passwords all over the place are at even greater risk.  The solution, of course, is 2-factor authentication.  If your password is just 1/2 of the login equation, you're protected even if the password is compromised. &lt;br /&gt;&lt;br /&gt;That's the foundation of the &lt;a href="http://www.safetelework.com"&gt;SafeTelework with Enterprise-in-a-Flash&lt;/a&gt; system, based on patented 2-factor authentication.  Ours isn't the only way to do it, though we think it's the best.  Even if you choose a different product, please be sure it has 2-factor authentication enforcement 100% of the time.  Otherwise, you're just putting yourself at risk.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2716912429596490437-3746142452111732391?l=2factor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://2factor.blogspot.com/feeds/3746142452111732391/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2716912429596490437&amp;postID=3746142452111732391' title='38 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/3746142452111732391'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/3746142452111732391'/><link rel='alternate' type='text/html' href='http://2factor.blogspot.com/2009/01/monstercom-employee-passwords.html' title='Monster.com Employee Passwords 
Compromised'/><author><name>Joel Haspel</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='30' src='http://bp2.blogger.com/_faU8dOS4I6A/SIEC8_f4U7I/AAAAAAAAAAM/ME_-YHtJhiY/S220/joel_profile'/></author><thr:total>38</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2716912429596490437.post-8008839485818046928</id><published>2008-11-14T05:57:00.000-08:00</published><updated>2008-11-14T06:55:09.145-08:00</updated><title type='text'>Phishing For Second Factors</title><content type='html'>Just when you thought second-factor tokens from banks meant it was safe to go back in the (online) water, a new phishing spoof targets Citibank's two-factor token system.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://voices.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html"&gt;http://voices.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This is something I've been nervous about since the very first of these random-number-rotation tokens came on the market.  While certainly better than nothing, they remain vulnerable for the time that the current random number is valid.  Even if that's only 60 seconds, it's still a viable window for attack.&lt;br /&gt;&lt;br /&gt;The problem remains that it's just another password that is entered into a box and submitted across the wire to a server.  
That means it can be captured / stolen / spoofed, and during the 60-second window, it's the same as any other password.&lt;br /&gt;&lt;br /&gt;The only solution is a device that has unique physical properties that are read and incorporated by the software directly into the authentication process in real time, rather than numbers that are transmitted across the connection.&lt;br /&gt;&lt;br /&gt;This is the driving consideration behind the patented SecureChannel system at the core of the &lt;a href="http://www.safetelework.com"&gt;Enterprise-in-a-Flash secure remote access service&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2716912429596490437-8008839485818046928?l=2factor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://2factor.blogspot.com/feeds/8008839485818046928/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2716912429596490437&amp;postID=8008839485818046928' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/8008839485818046928'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/8008839485818046928'/><link rel='alternate' type='text/html' href='http://2factor.blogspot.com/2008/11/phishing-for-second-factors.html' title='Phishing For Second Factors'/><author><name>Joel Haspel</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='30' 
src='http://bp2.blogger.com/_faU8dOS4I6A/SIEC8_f4U7I/AAAAAAAAAAM/ME_-YHtJhiY/S220/joel_profile'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2716912429596490437.post-3327885677727628152</id><published>2008-10-17T09:36:00.000-07:00</published><updated>2008-10-17T09:47:20.412-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='token'/><category scheme='http://www.blogger.com/atom/ns#' term='phone'/><title type='text'>Phones as second factors of authentication</title><content type='html'>I've been noticing a trend in the market towards acceptance of phones, particularly cell phones, as a mechanism for enforcing multi-factor authentication.  While I applaud the attempt to make multi-factor authentication more ubiquitous by tying it to an already-prevalent device, I am worried. &lt;br /&gt;&lt;br /&gt;Basically, the way it works is that you input your phone number into your profile at the online service you're logging into - be it a remote desktop product, your bank, or some other system.  Then, when you hit the login page, you enter your username and password, and the system sends a message to your cell with a One Time Password (OTP), or calls you, at which point you press a button to indicate you've received the call.  Once the host recognizes the OTP or receives your call confirmation button press, you're logged in.&lt;br /&gt;&lt;br /&gt;It seems to me that there are several opportunities for trouble here.&lt;br /&gt;&lt;br /&gt;First, it's complicated.  Not very complicated, but complicated enough.  It's another step or two that the average user may simply opt out of.  Will users really adopt it if it's an optional feature?&lt;br /&gt;&lt;br /&gt;How about logistical difficulties:  Do I have to pay for the text message or call minutes every time I log in?  What happens if I'm in an area without cell coverage, like a basement office or a remote vacation spot?  
What if my phone runs out of battery?&lt;br /&gt;&lt;br /&gt;In terms of the security itself, what's to prevent someone from stealing my (presumably single-factor) website login and modifying my profile to put in their phone number? &lt;br /&gt;&lt;br /&gt;In the end, I think it's probably better to stick with industry-standard methods for multi-factor authentication -- primarily separate hardware authentication tokens, issued in unique fashion to each user.  This is just too important to entrust to a clever but potentially flawed methodology.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2716912429596490437-3327885677727628152?l=2factor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://2factor.blogspot.com/feeds/3327885677727628152/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2716912429596490437&amp;postID=3327885677727628152' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/3327885677727628152'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/3327885677727628152'/><link rel='alternate' type='text/html' href='http://2factor.blogspot.com/2008/10/phones-as-second-factors-of.html' title='Phones as second factors of authentication'/><author><name>Joel Haspel</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='30' src='http://bp2.blogger.com/_faU8dOS4I6A/SIEC8_f4U7I/AAAAAAAAAAM/ME_-YHtJhiY/S220/joel_profile'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2716912429596490437.post-1467236281729097543</id><published>2008-10-16T07:51:00.000-07:00</published><updated>2008-10-16T07:54:23.261-07:00</updated><title
type='text'>Implanted RFID Chip</title><content type='html'>I came across this item recently, regarding implanted RFID chips acting as a 2nd factor of authentication. &lt;br /&gt;&lt;br /&gt;&lt;a href="http://connectid.blogspot.com/2008/10/is-this-2-factor-authentication.html"&gt;http://connectid.blogspot.com/2008/10/is-this-2-factor-authentication.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I don't think there's any doubt that this is a form of multifactor authentication, as disturbing as it may be...  The interesting, though academic, question is this: is the RFID chip then something that you &lt;span style="font-weight: bold;"&gt;have&lt;/span&gt; or something that you &lt;span style="font-weight: bold;"&gt;are&lt;/span&gt;?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2716912429596490437-1467236281729097543?l=2factor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://2factor.blogspot.com/feeds/1467236281729097543/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2716912429596490437&amp;postID=1467236281729097543' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/1467236281729097543'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/1467236281729097543'/><link rel='alternate' type='text/html' href='http://2factor.blogspot.com/2008/10/implanted-rfid-chip.html' title='Implanted RFID Chip'/><author><name>Joel Haspel</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='30' 
src='http://bp2.blogger.com/_faU8dOS4I6A/SIEC8_f4U7I/AAAAAAAAAAM/ME_-YHtJhiY/S220/joel_profile'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2716912429596490437.post-4457086624224684454</id><published>2008-04-02T18:19:00.000-07:00</published><updated>2008-04-02T18:25:29.219-07:00</updated><title type='text'>Passwords For All To See</title><content type='html'>While doing some market research the other day, Google presented us with several documents containing login information for GoToMyPC and LogMeIn user accounts.  Usernames, passwords, access codes - the works.  Just posted to the web for anyone to find.  Plus a bunch of people's logins for e-commerce, online banking, and travel sites, among other things.  It's really quite amazing how much security-sensitive information is just floating around cyberspace.  And of course, the easy availability of passwords speaks directly to the need for people to be using 2-factor authentication as much as they can, so they're not vulnerable to password theft or inadvertent disclosure.&lt;br /&gt;&lt;br /&gt;Shameless plug - here's the marketing slick we put together to help our prospects understand why this is important:&lt;br /&gt;&lt;a href="http://www.enterpriseinaflash.com/security/Password Security Breach 4-2-08.pdf"&gt;http://www.enterpriseinaflash.com/security/Password Security Breach 4-2-08.pdf&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2716912429596490437-4457086624224684454?l=2factor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://2factor.blogspot.com/feeds/4457086624224684454/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2716912429596490437&amp;postID=4457086624224684454' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/2716912429596490437/posts/default/4457086624224684454'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/4457086624224684454'/><link rel='alternate' type='text/html' href='http://2factor.blogspot.com/2008/04/passwords-for-all-to-see.html' title='Passwords For All To See'/><author><name>Joel Haspel</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='30' src='http://bp2.blogger.com/_faU8dOS4I6A/SIEC8_f4U7I/AAAAAAAAAAM/ME_-YHtJhiY/S220/joel_profile'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2716912429596490437.post-1598266599068402277</id><published>2007-06-19T05:45:00.000-07:00</published><updated>2007-06-19T05:55:23.645-07:00</updated><title type='text'>More Action from TriCipher</title><content type='html'>TriCipher's been in the news a lot lately, and that's good for them and for the whole multifactor movement.  We like to see pickup on this technology, no matter whose it is.&lt;br /&gt;&lt;br /&gt;http://internetcommunications.tmcnet.com/topics/broadband-mobile/articles/7666-tricipher-takes-identity-theft-prevention-mobile.htm&lt;br /&gt;&lt;br /&gt;This article discussed the fact that they've released a USB-based solution, something near and dear to our hearts, because we also use a USB-driven system at Enterprise-in-a-Flash (http://www.enterpriseinaflash.com).&lt;br /&gt;&lt;br /&gt;I'm concerned about the fact that they're allowing for customer self-provisioning.  I'm not sure a bank would let you self-provision your ATM card onto any blank card you could get your hands on, and I'm not sure it makes sense to trust a user-provisioned authentication factor that they've put onto any unknown USB drive.  
But I'll have to see more about this before making a final judgment.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2716912429596490437-1598266599068402277?l=2factor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://2factor.blogspot.com/feeds/1598266599068402277/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2716912429596490437&amp;postID=1598266599068402277' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/1598266599068402277'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/1598266599068402277'/><link rel='alternate' type='text/html' href='http://2factor.blogspot.com/2007/06/more-action-from-tricipher.html' title='More Action from TriCipher'/><author><name>Joel Haspel</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='30' src='http://bp2.blogger.com/_faU8dOS4I6A/SIEC8_f4U7I/AAAAAAAAAAM/ME_-YHtJhiY/S220/joel_profile'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2716912429596490437.post-5173311450320308725</id><published>2007-06-19T05:32:00.000-07:00</published><updated>2007-06-19T05:35:53.146-07:00</updated><title type='text'>Another Great Example</title><content type='html'>This blog entry by Dave Jevans presents another excellent example of a case where multi-factor authentication would have been valuable in preventing a costly security breach.&lt;br /&gt;&lt;br /&gt;http://blog.ironkey.com/?p=136&lt;br /&gt;&lt;br /&gt;Interestingly, the comment at the bottom of the page indicates that multi-factor authentication systems are vulnerable to Man In The Middle attacks.  
While that's true for the traditional One Time Password devices like RSA SecurID, it's not the case for more modern systems, including (shameless plug coming) the USB Flash Key based system offered by Enterprise-in-a-Flash (www.enterpriseinaflash.com), as well as numerous other innovative solutions on the market today.  I'm hoping people start to learn more about the options and see that the market is responding to the requirements...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2716912429596490437-5173311450320308725?l=2factor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://2factor.blogspot.com/feeds/5173311450320308725/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2716912429596490437&amp;postID=5173311450320308725' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/5173311450320308725'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/5173311450320308725'/><link rel='alternate' type='text/html' href='http://2factor.blogspot.com/2007/06/another-great-example.html' title='Another Great Example'/><author><name>Joel Haspel</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='30' src='http://bp2.blogger.com/_faU8dOS4I6A/SIEC8_f4U7I/AAAAAAAAAAM/ME_-YHtJhiY/S220/joel_profile'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2716912429596490437.post-5167694180980894719</id><published>2007-06-05T05:05:00.000-07:00</published><updated>2007-06-05T05:09:13.663-07:00</updated><title type='text'>Alternative Authentication Methods</title><content type='html'>This article is a great primer on non-hardware multifactor authentication 
- things like face identification rather than passwords, voice pattern recognition, typing pattern recognition, etc.&lt;br /&gt;&lt;br /&gt;&lt;a onclick="return top.js.OpenExtLink(window,event,this)" href="http://www.networkworld.com/research/2007/060407-multifactor-authentication.html?page=1" target="_blank"&gt;http://www.networkworld.com/research/2007/060407-multifactor-authentication.html?page=1&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;While these methods sound innovative and flexible, I remain somewhat skeptical - if someone tries hard enough, there must be a way to spoof a voice or typing pattern, for instance.  I don't pretend to know how, but I've got to assume it exists. &lt;br /&gt;&lt;br /&gt;For my money, I'd look at these methods as 3rd factor authentication mechanisms, and stick with a solid hardware token - back to the "online ATM card" analogy - as my primary authentication credential.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2716912429596490437-5167694180980894719?l=2factor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://2factor.blogspot.com/feeds/5167694180980894719/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2716912429596490437&amp;postID=5167694180980894719' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/5167694180980894719'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/5167694180980894719'/><link rel='alternate' type='text/html' href='http://2factor.blogspot.com/2007/06/alternative-authentication-methods.html' title='Alternative Authentication Methods'/><author><name>Joel Haspel</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='32' height='30' src='http://bp2.blogger.com/_faU8dOS4I6A/SIEC8_f4U7I/AAAAAAAAAAM/ME_-YHtJhiY/S220/joel_profile'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2716912429596490437.post-3909436782907121173</id><published>2007-06-05T05:02:00.000-07:00</published><updated>2007-06-05T05:04:56.838-07:00</updated><title type='text'>Banks Still Don't Get It</title><content type='html'>This article discusses the ongoing problems in the banking industry as they attempt to comply with guidance requiring multifactor authentication for their websites.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.emediawire.com/releases/2007/6/emw530454.htm"&gt;http://www.emediawire.com/releases/2007/6/emw530454.htm&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Asking a bunch of questions, or even requiring users to type in One Time Password codes, simply doesn't get the job done.  A true cooperative authentication process is the only way to accomplish the goal, using something the user has in his or her possession to anchor one end of the authentication protocol.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2716912429596490437-3909436782907121173?l=2factor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://2factor.blogspot.com/feeds/3909436782907121173/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2716912429596490437&amp;postID=3909436782907121173' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/3909436782907121173'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/3909436782907121173'/><link rel='alternate' type='text/html' href='http://2factor.blogspot.com/2007/06/banks-still-dont-get-it.html' title='Banks Still 
Don&apos;t Get It'/><author><name>Joel Haspel</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='30' src='http://bp2.blogger.com/_faU8dOS4I6A/SIEC8_f4U7I/AAAAAAAAAAM/ME_-YHtJhiY/S220/joel_profile'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2716912429596490437.post-4478581386691201936</id><published>2007-05-15T11:30:00.000-07:00</published><updated>2007-05-15T11:32:32.790-07:00</updated><title type='text'>Example of a Man in the Middle attack on One Time Password systems</title><content type='html'>Here's a great example of an attack focused on Citibank a few months ago, where a Man in the Middle exploit was used to defeat a One Time Password implementation of 2-factor authentication.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html"&gt;http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;If it's just data that you type in, it can be stolen, spoofed, or passed through, leaving you no better off than before.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2716912429596490437-4478581386691201936?l=2factor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://2factor.blogspot.com/feeds/4478581386691201936/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2716912429596490437&amp;postID=4478581386691201936' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/4478581386691201936'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/4478581386691201936'/><link rel='alternate' type='text/html' 
href='http://2factor.blogspot.com/2007/05/example-of-man-in-middle-attack-on-one.html' title='Example of a Man in the Middle attack on One Time Password systems'/><author><name>Joel Haspel</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='30' src='http://bp2.blogger.com/_faU8dOS4I6A/SIEC8_f4U7I/AAAAAAAAAAM/ME_-YHtJhiY/S220/joel_profile'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2716912429596490437.post-8183658844542646929</id><published>2007-05-15T09:06:00.000-07:00</published><updated>2007-05-15T09:11:42.817-07:00</updated><title type='text'>Paypal's getting the message</title><content type='html'>Paypal recently rolled out a 2-factor authentication option:&lt;br /&gt;&lt;a href="https://www.paypal.com/securitykey"&gt;https://www.paypal.com/securitykey&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The trouble here - and with any One Time Password (OTP) device - is that these systems are quite vulnerable to Man in the Middle (MITM) attacks.  If a thief can get in between your browser and the server, they can pass through your OTP along with your other credentials without your knowledge, and hijack your session at that point, once the server believes a valid session has been established.&lt;br /&gt;&lt;br /&gt;What's really needed here is a second channel of authentication and security, relying on a physical hardware device (Something You Have) that can only be checked dynamically by the software system itself, and that is completely independent of the actual systems you're trying to access (i.e. 
banking website).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2716912429596490437-8183658844542646929?l=2factor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://2factor.blogspot.com/feeds/8183658844542646929/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2716912429596490437&amp;postID=8183658844542646929' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/8183658844542646929'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/8183658844542646929'/><link rel='alternate' type='text/html' href='http://2factor.blogspot.com/2007/05/paypals-getting-message.html' title='Paypal&apos;s getting the message'/><author><name>Joel Haspel</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='30' src='http://bp2.blogger.com/_faU8dOS4I6A/SIEC8_f4U7I/AAAAAAAAAAM/ME_-YHtJhiY/S220/joel_profile'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2716912429596490437.post-5441804019856147148</id><published>2007-05-15T09:03:00.000-07:00</published><updated>2007-05-15T09:04:24.841-07:00</updated><title type='text'>Wikipedia entry for our topic</title><content type='html'>The Wikipedia entry for 2-factor authentication is not bad.  
We hope to participate in enhancing it further.&lt;br /&gt;&lt;br /&gt;For reference, here's the URL:&lt;br /&gt;&lt;a href="http://en.wikipedia.org/wiki/Two_Factor_Authentication"&gt;http://en.wikipedia.org/wiki/Two_Factor_Authentication&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2716912429596490437-5441804019856147148?l=2factor.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://2factor.blogspot.com/feeds/5441804019856147148/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2716912429596490437&amp;postID=5441804019856147148' title='10 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/5441804019856147148'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/5441804019856147148'/><link rel='alternate' type='text/html' href='http://2factor.blogspot.com/2007/05/wikipedia-entry-for-our-topic.html' title='Wikipedia entry for our topic'/><author><name>Joel Haspel</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='30' src='http://bp2.blogger.com/_faU8dOS4I6A/SIEC8_f4U7I/AAAAAAAAAAM/ME_-YHtJhiY/S220/joel_profile'/></author><thr:total>10</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2716912429596490437.post-4775506784225264237</id><published>2007-05-15T08:56:00.000-07:00</published><updated>2007-05-15T09:02:43.265-07:00</updated><title type='text'>Online Banking</title><content type='html'>Similar to the previous post regarding online commerce, every time you log into your bank you're conducting a 1-factor authenticated transaction.  
Sure, Bank of America has "SiteKey" which asks you for additional knowledge-based credentials (Something You Know) but other than a clever image-oriented system to help you avoid entering those credentials into a fake version of their website, this system, and systems like it, don't help protect you.  They help prevent your credentials from being stolen, sure, but as we saw in the Dateline piece, those credentials are fairly easy to obtain or guess - and once obtained, you're in big trouble.&lt;br /&gt;&lt;br /&gt;What's needed is a true 2-factor authentication system to validate your identity before you log into the bank website. &lt;br /&gt;&lt;br /&gt;The Financial Services Technology Consortium issued recommendations on this subject, available at the following URL:&lt;br /&gt;&lt;a href="http://www.fstc.org/projects/docs/Recommendations_and_Requirements_for_BMA_v1.0.pdf"&gt;http://www.fstc.org/projects/docs/Recommendations_and_Requirements_for_BMA_v1.0.pdf&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;We wholeheartedly agree with this document, especially their statement that “no authentication system should rely solely on passwords or other knowledge-based queries or shared secrets. 
If a password should be compromised, it must not be feasible for an impostor to defeat authentication with just knowledge of a password and an associated claim—e.g., userid, account number, name, SSN.”</content><link rel='replies' type='application/atom+xml' href='http://2factor.blogspot.com/feeds/4775506784225264237/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2716912429596490437&amp;postID=4775506784225264237' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/4775506784225264237'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/4775506784225264237'/><link rel='alternate' type='text/html' href='http://2factor.blogspot.com/2007/05/online-banking.html' title='Online Banking'/><author><name>Joel Haspel</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='30' src='http://bp2.blogger.com/_faU8dOS4I6A/SIEC8_f4U7I/AAAAAAAAAAM/ME_-YHtJhiY/S220/joel_profile'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2716912429596490437.post-8633853702916290661</id><published>2007-05-15T08:49:00.000-07:00</published><updated>2007-05-15T08:54:16.304-07:00</updated><title type='text'>Online Commerce</title><content type='html'>&lt;a href="http://www.msnbc.msn.com/id/17822386/"&gt;http://www.msnbc.msn.com/id/17822386/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This Dateline piece makes it abundantly clear just how easily a thief can obtain credentials (a credit card number, password, user ID, and so on) and wreak havoc on a victim in a matter of minutes.  
Some scams are more elaborate than others, but the bottom line is always the same: if you can type in a few pieces of information, the computer on the other end of the line can't tell the difference between you and the real owner of those credentials.&lt;br /&gt;&lt;br /&gt;That's what 2-factor authentication is for.  If the merchants in this story had required a physical authentication device (Something You Have) in addition to the knowledge-based credentials (Something You Know), the data the thieves collected would have been useless on its own: a card number, user ID and password aren't enough when the site also demands proof that you hold the token.</content><link rel='replies' type='application/atom+xml' href='http://2factor.blogspot.com/feeds/8633853702916290661/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2716912429596490437&amp;postID=8633853702916290661' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/8633853702916290661'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/8633853702916290661'/><link rel='alternate' type='text/html' href='http://2factor.blogspot.com/2007/05/online-commerce.html' title='Online Commerce'/><author><name>Joel Haspel</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='30' src='http://bp2.blogger.com/_faU8dOS4I6A/SIEC8_f4U7I/AAAAAAAAAAM/ME_-YHtJhiY/S220/joel_profile'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2716912429596490437.post-7780704124506208169</id><published>2007-05-02T18:26:00.000-07:00</published><updated>2007-05-15T09:24:41.023-07:00</updated><title 
type='text'>Introduction</title><content type='html'>This blog is dedicated to the discussion of 2-factor authentication. What is 2-factor authentication, you ask? Well, think of an ATM: to log in and get cash, you need to present your card and a PIN. The card is something you have, a physical token. The PIN is something you know, an information token. Each one is a "factor" of authentication, and together they give the ATM network a way to verify your identity that neither one provides on its own. This premise is critical to effective security in any online transaction, whether you're logging into your PC remotely, accessing your bank account, or working on a corporate application. Without true 2-factor authentication, a physical token plus an information token, it's just too easy for an attacker to gain unauthorized access to private information. That's because passwords are so simple to steal, buy, or guess. The physical token, an item that only you have in your possession, is the crucial piece of the puzzle. In this blog, we'll endeavor to discuss the latest advances in 2-factor (and 3- or more-factor, where the third factor is something you are, such as a fingerprint) authentication, as well as talk about security incidents that could have been avoided by using 2-factor authentication to verify the identities of the individuals involved.&lt;br /&gt;&lt;br /&gt;In the interests of full disclosure, my colleagues and I on this blog are also part of the team at Plethora Technology, producers of the 2-factor authenticated information access and sharing system Enterprise-in-a-Flash.  More information at &lt;a href="http://www.enterpriseinaflash.com"&gt;www.enterpriseinaflash.com&lt;/a&gt;.  
From time to time we may post about our own product, but in general this blog is intended to foster discussion about 2-factor authentication as an important idea for security in today's world, no matter whose product implements it.</content><link rel='replies' type='application/atom+xml' href='http://2factor.blogspot.com/feeds/7780704124506208169/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2716912429596490437&amp;postID=7780704124506208169' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/7780704124506208169'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2716912429596490437/posts/default/7780704124506208169'/><link rel='alternate' type='text/html' href='http://2factor.blogspot.com/2007/05/introduction.html' title='Introduction'/><author><name>Joel Haspel</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='30' src='http://bp2.blogger.com/_faU8dOS4I6A/SIEC8_f4U7I/AAAAAAAAAAM/ME_-YHtJhiY/S220/joel_profile'/></author><thr:total>0</thr:total></entry></feed>
