Who Are You?

Oct. 27, 2008
You just can’t trust a username/password combo to verify user identity. It’s time for two-factor.

In any transaction—purchase of goods, exchange of information, transfer of funds—it is valuable to verify the identity of the party with whom you are conducting business. In face-to-face transactions, a photo ID is used to verify the identity of a party cashing a check or purchasing a product with a credit card. Obviously there is some risk in this, since photo IDs can be readily counterfeited, but a photo ID combined with the security features on checks and credit cards helps to ensure the security of the transaction. Identity authentication provides a greater level of trust in conducting business.

Why Username/Password Doesn’t Work
We generally use a simple form of authentication—a username combined with either a password or a PIN—to log into our computers or corporate networks. This form of authentication is extremely weak. Users regularly share accounts and passwords; they use simple, generic words as their passwords; and if they use complex passwords they forget them, or worse yet, write them down.

In addition, the numerous effective password cracking tools have made passwords nearly obsolete. Keystroke capture programs and devices, which are easy to use and readily available, will capture any username/password combination entered into a computer. Because of this, many businesses, especially those that offer online financial services or e-commerce solutions, are looking for more robust authentication.

The username/password combination is called single-factor authentication and is only useful for keeping honest people honest. Businesses are now trying to evaluate the effectiveness of using an additional layer of authentication. Such two-factor authentication often combines something a user knows (username/password) with something he or she has, such as a token, smart card or personal asset (biometric).

Authenticators and More
There are numerous two-factor authentication options. Arguably one of the best known is RSA Security’s SecurID. This device, or authenticator, uses a time synchronization technology whereby the authenticator displays a one-time code that changes every 60 seconds. It requires a user to simply enter a unique PIN along with the code displayed on the authenticator. If a back-end system verifies that the code is correct, the user is authenticated. The attraction of this system is that it does not require the installation of hardware or software on the user’s system.

Challenge/response tokens work slightly differently. When a user attempts to log in, the system provides a character string that the user then enters into a hardware or software token. The token creates a response that the user then enters into the system. If the response is correct, the user is authenticated and granted access to the network.
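
The two token mechanisms described above, as an added example that is not from the article or any vendor: SecurID's own algorithm is not described here, so the time-synchronized code uses the public HOTP/TOTP construction (RFC 4226 and RFC 6238) with the article's 60-second window. The six-digit length, the drift allowance, the function names and the omission of the PIN check are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the article's 60-second code lifetime
DIGITS = 6          # assumed code length


def _truncate(mac: bytes) -> str:
    """RFC 4226 dynamic truncation: 31 bits of the MAC as decimal digits."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def time_code(seed: bytes, now: float) -> str:
    """Code the authenticator shows in the 60-second window containing `now`."""
    counter = int(now // STEP_SECONDS)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac)


def verify_time_code(seed: bytes, submitted: str, now: float, drift: int = 1) -> bool:
    """Back-end check: accept the current window and `drift` windows either side."""
    ok = False
    for delta in range(-drift, drift + 1):
        expected = time_code(seed, now + delta * STEP_SECONDS)
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


def token_response(seed: bytes, challenge: str) -> str:
    """Challenge/response token: the response is a MAC over the challenge."""
    mac = hmac.new(seed, challenge.encode(), hashlib.sha256).digest()
    return _truncate(mac)


def verify_response(seed: bytes, challenge: str, submitted: str, used: set) -> bool:
    """Accept a correct response once; a challenge seen before is refused."""
    if challenge in used:
        return False
    used.add(challenge)
    expected = token_response(seed, challenge)
    return hmac.compare_digest(expected.encode(), submitted.encode())
```

The drift allowance trades a little security for tolerance of clock skew between token and server: each extra window is one more code that will be accepted at any moment.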

Another popular option is the A-Key® by Authenex. This USB-enabled device offers secure digital certificate storage, one-time passwords and challenge/response capabilities. The attraction of this product is its flexibility.

The devices and methodologies mentioned above are all excellent and robust solutions for two-factor authentication in the enterprise. Mechanisms can be put in place to cost-effectively manage these devices and the back-end equipment that supports them. However, as with all security implementations, there are hangups to consider. Perhaps one of the greatest issues is that some of these devices are small and can easily be lost or misplaced. Many two-factor authentication options also provide the opportunity for user error, such as mistyping a one-time code or response.

The Biometric Be-All
Biometrics, the option that was believed to be the be-all and end-all of two-factor authentication, has not been widely embraced for several reasons. User acceptance has been lukewarm at best due to privacy concerns. This point is driven home by a June 28, 2005 posting by Nick Owen on his Thinking WiKID Thoughts blog: “As people now are starting to realize that hardly anyone can be trusted with an unchangeable identifier such as a social security number, why do they want to give them their fingerprint?”

The cost of implementation and management has also prevented the widespread use of biometrics for online authentication, as has the potential for user error. Biometric devices can reject valid users if the personal asset—finger, hand, retina—is not properly aligned on the biometric scanner.

Multi-Channel Authentication
A newer method of two-factor authentication called multi-channel authentication uses two separate communication channels for authentication. To log in, a user enters the standard username and password combination. The system then sends a one-time password to a mobile device using the Short Message Service (SMS), to a predetermined email address, or to a predetermined phone number. By sending the additional password via another communication method, multi-channel authentication bypasses all of the automated mechanisms commonly used to capture usernames and passwords, thus providing a higher-security login process.
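
The server side of the second-channel step described above, as an added example that is not from the article: the code is random, stored only as a hash, expires, is limited to a few guesses and works once. The class name, the five-minute lifetime and the three-attempt limit are assumptions, and delivery by SMS, e-mail or phone is left to the caller.

```python
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 300   # assumed validity period
MAX_ATTEMPTS = 3         # assumed guess limit per issued code


class OutOfBandCodes:
    """Server-side state for one-time codes sent over a second channel."""

    def __init__(self):
        # username -> [sha256(code), expires_at, attempts_left]
        self._pending = {}

    def issue(self, username: str, now: float) -> str:
        """Create a fresh code for delivery; any older code is replaced."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[username] = [digest, now + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # goes to the delivery channel, never to the login page

    def verify(self, username: str, submitted: str, now: float) -> bool:
        """Check a submitted code against the pending one for this user."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            del self._pending[username]      # expired or guessed too often
            return False
        entry[2] -= 1
        candidate = hashlib.sha256(submitted.encode()).digest()
        if hmac.compare_digest(digest, candidate):
            del self._pending[username]      # single use
            return True
        return False
```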

Users Want to Take It Easy
All current two-factor technologies require extra effort of the user. Computer and network users want to access the system and begin working as quickly and effectively as possible, and two-factor authentication slows them down.

This is especially true in e-commerce and online transactions. If anything impedes the login process, the customer will get frustrated, terminate the transaction, and look for a more user-friendly solution elsewhere. For example, in researching this article I went to the Web site of a bank that has reportedly implemented an effective two-factor authentication solution for its customers. After some diligent surfing and half a dozen clicks, I found a menu item listing a demo of their online services. I thought I might be able to see their login process, so I clicked on the menu item. After staring at the “demo loading” screen for an inordinate amount of time, I received a message that my browser was not supported. Interruption number one.

I then switched browsers and attempted to access the demo again. Again I made it to the “demo loading” screen, but this time instead of the requested demo I got a message telling me to disable my Java Plugin. Interruption number two. Although this is not a complex task, I gave up and went searching elsewhere for information. This “two strikes and you’re out” policy applies for many users of online services.

Had I been trying to access my account to pay a bill or transfer funds, the bank could very well have lost a customer.

Risk-Based Authentication
The most recent development in authentication—risk-based authentication—evaluates each login attempt based on numerous factors and then gives it a risk score. If a login attempt is designated low risk, the user is authenticated and logged into the system with just the username and password. If the login attempt is rated high risk, however, the user is required to respond to additional authentication requests.

One popular implementation of risk-based authentication is eSphinx from Cyota. eSphinx is designed for online banking and uses several different data sets to evaluate the risk factor of an online transaction. One of its data sets comprises information on user behavior during previous online transactions. For example, if the user logs in around noon for nearly every transaction, a login attempt at 3:00 a.m. would receive a higher risk rating.

eSphinx also considers a data set of device information, such as the IP address, browser, and location of the login attempt. (This can also be considered device-based authentication, which can be implemented in many two-factor authentication options.) If a user consistently logs in from an IP address block associated with California and uses Internet Explorer, a login attempt from an IP address block associated with North Korea using Firefox would significantly raise the risk level.

The last data set examined is something Cyota refers to as its eFraud Network™, a database of fraud activity provided by all its clients. The IP address and other technical information of a login attempt is compared to information in this database. If it matches, the session can be terminated. What makes this intriguing is that the information is collected from different banks located in different parts of the world.
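
How the three data sets described above can combine into one decision, as an added example that is not Cyota's code or scoring model: the weights, the threshold, the field names and the region table are all assumptions, and the addresses are documentation ranges mapped to made-up regions.

```python
import ipaddress
from collections import Counter

# Constructed data: documentation address blocks mapped to made-up regions.
GEO_BLOCKS = {"192.0.2.0/24": "region-a", "198.51.100.0/24": "region-b"}
STEP_UP_THRESHOLD = 50   # assumed; the weights below are assumptions too


def region_of(ip: str) -> str:
    """Look up the region for an address; unlisted addresses are 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for block, region in GEO_BLOCKS.items():
        if addr in ipaddress.ip_network(block):
            return region
    return "unknown"


def score_login(attempt: dict, history: list, fraud_ips: set) -> tuple:
    """Return (decision, score, reasons) for one login attempt."""
    if attempt["ip"] in fraud_ips:                 # shared fraud data set
        return "terminate", 100, ["address in shared fraud list"]
    if not history:                                # nothing to compare against
        return "step_up", STEP_UP_THRESHOLD, ["no login history"]
    score, reasons = 0, []
    usual_hour = Counter(h["hour"] for h in history).most_common(1)[0][0]
    gap = abs(attempt["hour"] - usual_hour)
    if min(gap, 24 - gap) > 3:                     # behaviour data set
        score += 30
        reasons.append("unusual time of day")
    if region_of(attempt["ip"]) not in {region_of(h["ip"]) for h in history}:
        score += 40                                # device data set: location
        reasons.append("new location")
    if attempt["browser"] not in {h["browser"] for h in history}:
        score += 20                                # device data set: browser
        reasons.append("new browser")
    decision = "step_up" if score >= STEP_UP_THRESHOLD else "allow"
    return decision, score, reasons


# Constructed history: noon logins from one region with one browser.
HISTORY = [{"hour": 12, "ip": "192.0.2.10", "browser": "Internet Explorer"}] * 5
```

With these weights a single unusual signal stays below the threshold, so a familiar user logging in at an odd hour is not challenged, while a new location combined with any other change is.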

All of these risk evaluation activities are invisible to the user 99% of the time, according to Amir Orad, executive vice president of marketing for Cyota. The company conducted a survey among end users that showed security was always their prime concern regarding online banking, but “no one is willing to move an inch” to implement more robust security mechanisms, Orad said. For the one percent of logins that surpass the threshold for a high-risk transaction, additional authentication mechanisms are implemented. These can include a series of challenge/response questions that are initially generated by the user.

These questions are not the typical requests for mother’s maiden name or other easily researchable information. Orad stated that while more obscure challenge/response questions are harder to crack, they can cause their own problems. Users may forget the answers, or even change them depending on their current mood or tastes. A question like, “What is your favorite cheese?” could generate a response of “Jarlsberg” on one day and “Gouda” on another. This can present login issues for the user.

Instead of challenge/response, the user could receive a phone call that requires his or her interaction prior to authentication. Other online banking solutions include PassMark Security, whose product, SiteKey, has been implemented by Bank of America. To gain a better understanding of two-factor authentication, you may want to view the excellent online demos provided by PassMark. These can be accessed at www.passmarksecurity.com/demos.jsp. Other products include Fraud Analyst from Digital Envoy (www.digitalenvoy.net) and WiKID Systems Inc.’s Strong Authentication System (www.wikidsystems.com).

Authenticating on Both Ends
The outbreak of phishing scams means that online transactions now require not only authentication of the user or customer, but also of the entity offering the service. One concept that consistently appeared during my research for this article is site validation, which allows users to verify that they are actually logging in to the site they intended, and not a phishing site. This is extremely helpful for online banking situations.

When registering for an online account, a user is prompted to select an image from a provided list or to upload an image of their own. This image appears whenever a user attempts to log in. During the login process, the user provides his login name only. At this point, his pre-selected image should appear. If it does, the user can confidently provide his password. If it does not appear, the user should not proceed, because he is more than likely at a phishing site.

Any communications from the user’s bank also include this pre-selected image. If an official-looking e-mail does not contain the pre-selected image, the user will know to ignore it, or at least not to act on any of the directives provided in the e-mail.

As hackers, fraudsters and other evildoers learn new skills, older security mechanisms quickly become insufficient. This is true for the username/password combination. Fortunately, there are many other robust and field-tested authentication options that can provide businesses with the level of security they need.

John Mallery is a managing consultant for BKD, LLP, one of the ten largest accounting firms in the United States. He works in the Forensics and Dispute Consulting unit and specializes in computer forensics. He is also a co-author of Hardening Network Security, which was recently published by McGraw-Hill. He can be reached at [email protected].