Grant Le Brun, Head of Engineering and Research Labs at Signify, weighs up the pros and cons of tokens and smartphones
What is 2FA?
Two Factor Authentication (2FA) is where a user’s credentials are made up of two independent factors such as:
- Something you know (PIN, simple password, alpha-numeric password, alpha-numeric password with special characters, secret questions, passphrase);
- Something you have (Keyfob token, key, debit card, smartcard, mobile phone);
- Something you are (Biometric such as fingerprint, retina, iris, face, veins, DNA, voiceprint, hand, typical usage patterns)
The hardware token
The tried and tested combination used by countless organisations is the hardware keyfob token – ‘something you have’ and a secret PIN – ‘something you know’.
One type is the One Time Password (OTP) keyfob, which is typically carried on your key ring and displays a pseudo-random number that changes periodically (or each time a button is pressed). The keyfob contains an algorithm, a clock or an event counter, and a secret ‘seed record’; the algorithm combines the seed with the current time step or counter value to produce the number. The user enters this number to prove that they have the token. The server that is authenticating the user must hold a copy of each keyfob’s seed record, run the same algorithm, and keep either the correct time or the current counter value in step with the token. That server-side seed store is the one secret that unlocks every token, so it needs to be protected accordingly.
This technology is widely used to secure remote access to corporate networks and data and is nothing new; we’ve been carrying hardware tokens around in our pockets for at least the last 25 years. Back in 1986, mobile phones were the size of briefcases and anything but smart. But technology has moved on, so isn’t it about time to kill off the hardware token?
In recent years, authentication vendors have been looking for alternatives; sometimes in response to increasing pressure on costs, but also to increase convenience for the end users of the token devices. As most business users of 2FA have a smartphone – it would seem to make sense to try and exploit it as one of the factors.
“Since we first published our 2009 report on the market for mobile device-based authentication, we have seen a steady rise in the adoption of mobile devices as two-factor authenticators,” said Alan Goode, Goode Intelligence. “We estimate that today it probably accounts for over 20 per cent of total 2FA sales.”
Are software tokens the answer?
A software version of the OTP keyfob for smartphones has been available for nearly as long as the concept of the smartphone. Remember the Ericsson R380, released in 2000? Me neither, but you could set up an RSA Security software token on it to generate an OTP.
This is exactly the same technology as the hardware version, but instead of carrying around an extra piece of hardware it uses the smartphone to calculate the OTP from the ‘seed record’ along with the smartphone’s clock and the algorithm contained in software installed on the smartphone, usually in the form of an App.
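The OTP calculation described in the hardware token section above and again for the software token here is, in its open-standard form, HOTP (RFC 4226) and TOTP (RFC 6238). The following is an added example, not code from the article, from Signify or from any token vendor; some keyfobs use proprietary algorithms instead, so this stands in for them rather than reproducing them. It shows both halves of the arrangement: the token side (seed plus clock or counter in, code out) and the server side, which holds the seed record, tolerates a little clock drift and refuses to accept the same code twice. The seed value is the RFC test seed, and the token name `fob-1` is a constructed identifier.

```python
import hashlib
import hmac
import struct
from typing import Dict


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (time divided by the step).

    This is what the keyfob, or the app on the smartphone, computes and displays.
    """
    return hotp(seed, int(unix_time) // step, digits)


class TotpVerifier:
    """Server side: holds each token's seed record and the last counter it accepted.

    The seed store is the crown jewels: anyone who copies it can mint valid OTPs
    for every token, so in production it belongs in an HSM or at least encrypted at rest.
    """

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self.seeds: Dict[str, bytes] = {}
        self.last_counter: Dict[str, int] = {}

    def enrol(self, token_id: str, seed: bytes) -> None:
        self.seeds[token_id] = seed
        self.last_counter[token_id] = -1

    def verify(self, token_id: str, submitted: str, unix_time: int) -> bool:
        seed = self.seeds.get(token_id)
        if seed is None:
            return False
        base = int(unix_time) // self.step
        # Accept neighbouring time steps so a slightly drifted token clock still works,
        # but never accept a counter at or before the last one used: that blocks replay
        # of a code that was shoulder-surfed or phished a minute ago.
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter[token_id]:
                continue
            candidate = hotp(seed, counter, self.digits)
            if hmac.compare_digest(candidate, submitted):   # constant-time comparison
                self.last_counter[token_id] = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test seed (ASCII "12345678901234567890").
    seed = b"12345678901234567890"
    server = TotpVerifier(digits=8)
    server.enrol("fob-1", seed)           # "fob-1" is a constructed token id
    code = totp(seed, 59, digits=8)       # what the token shows at T=59
    print("token displays", code)
    print("accepted at T=60 (drift of one step):", server.verify("fob-1", code, 60))
    print("same code again (replay):", server.verify("fob-1", code, 60))
```

The `window` parameter is the trade-off the server administrator tunes: a wider window forgives more clock drift but gives an attacker who has captured a code a longer period in which it remains valid.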
Although software tokens have been available for over a decade, it is only in recent years that organisations have started to replace traditional hardware tokens with the software versions, because most people now have a smartphone in their pocket capable of running apps.
It does have some significant advantages over the hardware token for both organisations and end users. For example, you can’t lose it, feed it to the dog or put it through the wash. OK, perhaps you can still do all these things with your smartphone, but then it’s just a case of re-provisioning the App. Also, for geographically dispersed organisations the tokens can be sent electronically: no waiting for shipping or battling with reams of customs paperwork just to get that token to the other side of the world. The flip side is that the seed now travels over a network rather than inside a sealed keyfob, so the provisioning channel itself has to be protected, for instance with a one-time activation code delivered out of band.
There’s an App for that!
The explosion in Apps for business use presents a problem when using a token App on the same device for authentication. If you’re using Apps on your smartphone to get access to corporate data and relying on another App on the same smartphone to be the ‘something you have’ – is that really two factor authentication?
What if you’ve left your smartphone on the plane, having removed the password so you could watch a movie? You’re now down to a single factor protecting access to confidential data, and probably regretting setting the other factor, the ‘something you know’, to 1234 so it was easy to type.
Technology could be the answer. Rather than just porting last century’s technology, the token, to the smartphone, we need to find new solutions that don’t rely on ‘something you have’ but can still make use of the smartphone.
“Our research tells us technology vendors are embracing the smartphone to develop new innovative ways to leverage its characteristics for authentication purposes,” said Alan Goode. “Some of these technologies are at an emerging stage and we don’t expect them to be deployed in large numbers in the short term, but they give us an indication of the direction the authentication market will go - smart, agile, flexible solutions that will create strong authentication services that can be embraced by the many, not the privileged.”
What are the alternatives to ‘something you have’ on the smartphone?
One evolving area is the use of biometrics on smartphones to authenticate the user based on physical attributes or behaviours. This moves the second factor to ‘something you are’ or ‘something about your behaviour’.
Biometrics on smartphones is still in its infancy, but there are some vendors coming up with potential solutions.
When we think of biometrics, most people think of fingerprints. Most smartphones don’t come with a built-in fingerprint reader, but there are companies producing clever iPhone cases that incorporate fingerprint readers, such as the Tactivo iPhone Case. Until these are built into the phones they are unlikely to take off, due to cost and the added inconvenience of using and managing the extra hardware involved.
One biometric that has the potential to work across all types of smartphones is voice, using the device’s microphone to capture biometric information. Everyone’s voice has characteristics distinctive enough to serve as a voiceprint, although, like any biometric, it is matched probabilistically rather than exactly, so a deployment is always tuned between false accepts and false rejects. The simplicity of using just the characteristics of your voice to authenticate is very appealing. Vendors such as Nuance, the technical brains behind iPhone’s Siri voice recognition, are beginning to offer toolkits, such as DragonID, to allow App vendors to incorporate this technology into applications.
All about Risk
What about a technology that could authenticate you silently, in the background, and provide a similar level of assurance that you are who you say you are?
This is where risk-based, or contextual, authentication comes in. This technology observes user behaviour: how often they authenticate, from where in the world and from what device, and calculates a risk score each time. This combination of multiple signals is very powerful in assessing a user’s identity, and the smartphone is the perfect device to capture the information required. Most have a GPS receiver built in, so they can report where you are. Bear in mind that a location reported by the device is an input to the score rather than proof: it may be unavailable indoors, and it can be falsified on a compromised handset.
“The context of a user’s access request is important when considering risk-based analysis,” said Bob Tarzey, Analyst and Director, Quocirca Ltd. “Using advanced security intelligence correlations, an access request can be checked against what is going on elsewhere or has gone on recently. A risk score is given based on how much deviation from a normal authentication session there is.”
If the score generated when a user tries to gain access to their information is within the acceptable level, then the user will be allowed to authenticate with the standard username and password. However, if a user who normally logs in from home each evening in London is suddenly asking to log in from China on a Sunday evening, then they will generate a higher score. This higher score would either deny the user access or trigger some other method of authentication, such as an OTP sent to the user’s phone.
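The scoring and step-up logic described in the two paragraphs above, as an added example that is not code from the article or from any vendor’s product. It keeps a simple profile per user (usual countries, usual hours, known devices, last accepted login), scores each attempt on how far it deviates, adds an ‘impossible travel’ check against the previous login as the ‘what has gone on recently’ correlation, and maps the score to allow, step-up or deny. All weights and thresholds are assumptions chosen for illustration, the device identifiers are constructed, and the London and Shanghai coordinates and timestamps are constructed sample events for the scenario in the text.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple


@dataclass
class LoginAttempt:
    user: str
    ts: datetime          # timezone-aware, UTC
    country: str          # ISO 3166 alpha-2, assumed to come from IP geolocation
    lat: float
    lon: float
    device_id: str        # assumed to come from a device fingerprint or MDM-issued id


@dataclass
class UserProfile:
    usual_countries: Set[str]
    usual_hours: range                      # UTC hours in which the user normally logs in
    known_devices: Set[str]
    last_login: Optional[LoginAttempt] = None


# Weights and thresholds are illustrative assumptions, not values from any product.
W_COUNTRY, W_DEVICE, W_HOUR, W_TRAVEL = 40, 30, 10, 50
STEP_UP_AT, DENY_AT = 30, 70
MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner speed; faster than this is "impossible travel"


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def risk_score(profile: UserProfile, attempt: LoginAttempt) -> Tuple[int, List[str]]:
    """Score an attempt by how far it deviates from the user's normal sessions."""
    score, reasons = 0, []
    if attempt.country not in profile.usual_countries:
        score += W_COUNTRY
        reasons.append(f"unusual country {attempt.country}")
    if attempt.device_id not in profile.known_devices:
        score += W_DEVICE
        reasons.append(f"unknown device {attempt.device_id}")
    if attempt.ts.hour not in profile.usual_hours:
        score += W_HOUR
        reasons.append(f"unusual hour {attempt.ts.hour:02d}:00 UTC")
    prev = profile.last_login
    if prev is not None:
        hours = (attempt.ts - prev.ts).total_seconds() / 3600.0
        km = haversine_km(prev.lat, prev.lon, attempt.lat, attempt.lon)
        # Correlate with the previous session: could a human have covered this distance?
        if hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH:
            score += W_TRAVEL
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    return score, reasons


def decide(score: int) -> str:
    if score < STEP_UP_AT:
        return "allow"          # username and password are enough
    if score < DENY_AT:
        return "step_up"        # e.g. send an OTP to the user's phone
    return "deny"


def evaluate(profile: UserProfile, attempt: LoginAttempt) -> Tuple[str, int, List[str]]:
    score, reasons = risk_score(profile, attempt)
    return decide(score), score, reasons


# Constructed sample data for the scenario in the text.
LONDON = (51.5074, -0.1278)
SHANGHAI = (31.2304, 121.4737)
SATURDAY_EVENING = datetime(2011, 11, 5, 20, 0, tzinfo=timezone.utc)
PROFILE = UserProfile(
    usual_countries={"GB"}, usual_hours=range(18, 24), known_devices={"laptop-1"},
    last_login=LoginAttempt("alice", SATURDAY_EVENING, "GB", *LONDON, "laptop-1"),
)
NORMAL = LoginAttempt("alice", datetime(2011, 11, 6, 20, 0, tzinfo=timezone.utc), "GB", *LONDON, "laptop-1")
CHINA_NEXT_DAY = LoginAttempt("alice", datetime(2011, 11, 6, 20, 0, tzinfo=timezone.utc), "CN", *SHANGHAI, "laptop-1")
CHINA_TWO_HOURS = LoginAttempt("alice", datetime(2011, 11, 5, 22, 0, tzinfo=timezone.utc), "CN", *SHANGHAI, "laptop-1")
NEW_DEVICE_AT_3AM = LoginAttempt("alice", datetime(2011, 11, 6, 3, 0, tzinfo=timezone.utc), "GB", *LONDON, "tablet-9")

if __name__ == "__main__":
    for name, attempt in [("normal", NORMAL), ("china next day", CHINA_NEXT_DAY),
                          ("china two hours later", CHINA_TWO_HOURS), ("new device at 03:00", NEW_DEVICE_AT_3AM)]:
        print(name, evaluate(PROFILE, attempt))
```

Note that the Sunday-evening login from China scores as step-up rather than deny on its own: a day has passed since the London session, so the travel is plausible and only the country is unusual. The same login two hours after the London one trips the impossible-travel correlation and is denied outright, which is the difference between scoring an attempt in isolation and scoring it against what went on recently.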
Securing the App
There are significant barriers to the adoption of both biometrics and risk based authentication technologies on smartphones. Both require that the Apps or the smartphones being secured have these technologies integrated with them. This can work when vendors produce integration kits for App developers and the App developers see the business case for a higher level of security; but this is going to seriously limit the Apps that you can allow your users to run.
Do you want to be the one that tells the CEO he can’t use the amazing new mind mapping Apps he’s been showing off to everyone because it doesn’t support your authentication technology? No, me neither. The age of Bring Your Own Apps is here – and it’s going to be even more difficult to avoid than Bring Your Own Device.
The token is dead – long live the token!
There’s no doubt that the use of two factor authentication is rising and that we rely on smartphones as business tools to get access to sensitive data. While the case for the increased convenience and decreased cost of using the smartphone to replace the hardware token is valid, unless we move away from the traditional ‘something you have’ factor we are increasing the risk of the confidentiality of our data being compromised.
Less security and a cheaper solution might be the right thing for some organisations or user groups and that’s fine as long as we acknowledge that’s what we’re doing.
However, having explored some of the alternatives that vendors are proposing, including software tokens, biometrics and risk based authentication, there is no clear winner for exploiting the smartphone as a factor in the authentication experience.
Maybe that’s why the hardware token is still going strong. It doesn’t require App developers to rewrite their Apps from scratch to work and provides us with the level of security assurance we want and need.
We’ve been carrying tokens around for 25 years, I wonder if they’ll make 50?