Next generation authentication sought to counter sophisticated hacks

June 17, 2015
Organizations face critical challenges of identity verification and tracking, plus credential management

With the explosion of mobile devices and the mass migration to the cloud, enabling remote access to business applications and data, the need for strong user authentication has never been greater. The threat of identity theft and security breaches has increased with astonishing speed and complexity. According to the 2014 Identity Fraud Study by Javelin Strategy & Research, 13.1 million people fell victim to fraud in 2013, amounting to a new fraud case every two seconds in the U.S. alone.

“Pharming” and “phishing,” alone or in combination, remain among the most widely used attacks, and newer, more sophisticated methods of intercepting a user’s interaction with an online service have emerged in recent years. Advanced persistent threats (APTs) and targeted attacks have also reached the two-factor authentication token, a design now more than thirty years old: a phishing site can relay a freshly generated token code to the real service within the code’s validity window, and a breach of the vendor’s seed material (as happened to RSA SecurID in 2011) undermines every token provisioned from that seed. There is a clear case for a next-generation approach that delivers genuinely secure, real-time multi-factor authentication. Yet many organizations are unaware that traditional tokens can be compromised, which leaves a significant gap in their security.

A survey of more than 500 corporations by Ponemon Research recently revealed that 90 percent had been successfully hacked during the survey’s twelve-month period. This research demonstrates the need for enterprises to adopt stringent, effective security methods to protect against breaches.

So-So Security Options

In today’s evolving threat environment, organizations must constantly evaluate the right level of investment in protection for the business. To counter identity theft within budgetary constraints, organizations have tried a range of technologies: certificates, biometric scanning, identity cards, and hardware and software tokens. A client certificate lets a device (or the user behind it) prove its identity to a service, for example during the TLS handshake, and major stakeholders often point to certificates as proof of security. But issues abound. Distributing certificates is challenging, and the Bring Your Own Device (BYOD) trend makes installing a certificate on every one of a user’s devices harder still. Furthermore, the issuing certificate authority can itself be compromised without the user knowing, and a compromised CA can mint a valid certificate for any identity it vouches for.

Biometric scanning has also enjoyed a measure of success, and many regard it as a very secure alternative. However, the assumption that the end user always has a working fingerprint or iris scanner at hand has proven impractical, and the enrolled biometric is stored as a digital template that can itself be stolen; unlike a password, a leaked fingerprint cannot be changed. Another alternative is the identity card, which often proves impractical in a BYOD world where users demand access from an ever-changing variety of devices, most of which have no card reader.

Hardware tokens were an early front-line authentication method and became quite popular. However, they have proven cumbersome and inefficient for a number of practical reasons, which are explored below.

Dependency Creates Delays

Imagine that your organization has introduced a solution on which your systems depend in order to function, and that you have no way to control that dependency. The net result is lost productivity whenever the solution does not work. With authentication tokens, a user who loses a token cannot log on and cannot do his or her job, so the company loses productivity. IT admins lose productivity as well, since they must handle the requests of everyone who depends on the system.

Situations like this take up everyone’s time. A better option is to use the mobile phone in the authentication process: it is the one thing people rarely leave behind. Using that device as the login token raises productivity and, in turn, security, because a second factor that is always at hand is one that actually gets used. Even a free token-based approach therefore costs money, through the productivity it drains. A token-free approach integrated into the existing system raises ROI and saves money and time in a single move, reducing downtime and producing productivity gains.

Hidden Costs

Hidden fees and maintenance costs lurk behind what initially looks like the cheaper hard-token system. On top of the license fee there may be a consultant fee, plus the staff cost of administering the system. To determine the true TCO of an authentication solution, use a TCO calculator so the assessment covers what the solution will actually cost.

Calculate the time lost when an employee cannot work because of a forgotten, broken, lost or stolen token. Hardware tokens typically cost $50-$300 for the hardware alone. If an employee is paid $30-$50 per hour and on average loses one hour per month because he or she cannot log in (the token was forgotten or fell out of sync), that is up to $600 per year in lost productivity per employee, and the loss across the organization quickly exceeds the cost of the entire solution.

Token-free, Mobile Authentication

There are two primary reasons behind the adoption of the new breed of multi-factor authentication: one, the need to deliver hardened security that anticipates novel threats; and two, the need to deploy this level of security easily and at low cost. The device used in the authentication process also needs to be connected to the network in real time and unique to the user in question. To address today’s threats while meeting users’ need for easier and more flexible solutions, many organizations have begun using multi-factor authentication based on mobile devices.

Many IT admins report that their users never really adapted to tokens, which often went unused and left individual and organizational data at risk. Physical tokens are cumbersome to use and easy to lose. A token-free approach is far easier: people use their phones’ texting capability every day, so a one-time password (OTP) delivered to the phone makes intuitive sense and encourages security compliance. Look for a mobile-centered platform that supports a broad range of OTP methods, including text/SMS, voice call and e-mail. Bear in mind that each channel is only as strong as the path it travels: an OTP sent by SMS or voice can be diverted by an attacker who takes over the user’s phone number (SIM swap or number porting), and an OTP sent to e-mail is no stronger than the mailbox’s own login, so these channels should be paired with the session binding described below.

A failover mechanism should kick in automatically if the OTP cannot be delivered via the primary method, so that delivery via a secondary method is always available. This increases both efficiency and the certainty that OTPs arrive in time and that users can log in. Ideally, a token-free solution should also detect where the user is logging in from and choose the most appropriate delivery method for that location dynamically, for example voice or e-mail where SMS delivery is unreliable. This is more convenient for users and the IT department alike.

Greater Security at Greater Speed

A challenge- and session-based approach to token-free authentication makes remote employee logins more secure still. A challenge- and session-based, real-time solution generates the code only after the user’s session has been created, that is, not until the username and password have been validated. Because the code is generated at that point, the solution knows which session, and therefore which computer, the login request came from. It links the code to that computer/session, so the code received on the mobile phone can only be used from the computer where the request was initiated: a code that is phished or stolen cannot be replayed from anywhere else, and the same code cannot be used twice. This is in sharp contrast to time- or event-based hardware tokens, where the code is generated before any session exists and therefore cannot be tied to a session or computer. One caveat: if the attacker is the one running the session (a real-time relay phishing proxy), the code is bound to the attacker’s session, so the OTP message should tell the user where the session originated, letting the user withhold the code when the location does not match. Tokens that generate codes independently of the session cannot, by their nature, provide this binding.
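The ordering described above, as an added example that is not SMS PASSCODE’s code or the author’s: the password is checked first, the session is created, and only then is a code generated, stored hashed, and bound to that session and to the client it came from, with a short lifetime, a small attempt budget and single use. For contrast, the last function is a standard RFC 6238 TOTP, whose code depends only on the shared seed and the clock and therefore exists before any session. The client fingerprint (IP address plus User-Agent), the in-memory stores and the sample user are assumptions made for the example.

```python
"""Session-bound one-time passcodes (added example, not the product's code)."""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120
OTP_MAX_ATTEMPTS = 3
PBKDF2_ROUNDS = 100_000


def make_user(password: str) -> tuple:
    """Return (salt, pbkdf2 hash) for storing a user's password."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def client_fingerprint(client_ip: str, user_agent: str) -> str:
    """Identify the computer the request came from. Assumption: the login
    front end sees the client IP and User-Agent; a real deployment would
    also bind to the server-issued session cookie."""
    return hashlib.sha256(f"{client_ip}\n{user_agent}".encode()).hexdigest()


def _otp_hash(session_id: str, code: str) -> bytes:
    # The server stores this instead of the plain code; the session id acts as salt.
    return hashlib.sha256(f"{session_id}:{code}".encode()).digest()


class SessionBoundOtp:
    def __init__(self, users: dict, clock=time.time):
        self._users = users      # username -> (salt, password_hash)
        self._clock = clock      # injectable so expiry can be tested
        self._pending = {}       # session_id -> pending challenge

    def start_session(self, username, password, client_ip, user_agent):
        """Step 1: check the password. Only on success is a session created
        and a code generated for it. Returns (session_id, code) or None;
        the code is returned here instead of being texted to the phone so
        the example runs offline."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, stored):
            return None
        session_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[session_id] = {
            "otp_hash": _otp_hash(session_id, code),
            "fingerprint": client_fingerprint(client_ip, user_agent),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": OTP_MAX_ATTEMPTS,
        }
        return session_id, code

    def verify(self, session_id, code, client_ip, user_agent) -> bool:
        """Step 2: accept the code only for the session it was issued to,
        from the same client, before expiry, within the attempt budget,
        and exactly once."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[session_id]
            return False
        if not hmac.compare_digest(entry["fingerprint"],
                                   client_fingerprint(client_ip, user_agent)):
            return False  # right code, wrong computer: delivered to the phone, typed elsewhere
        if not hmac.compare_digest(_otp_hash(session_id, code), entry["otp_hash"]):
            entry["attempts"] -= 1
            if entry["attempts"] <= 0:
                del self._pending[session_id]
            return False
        del self._pending[session_id]  # single use: a replay from the same computer fails too
        return True


def totp_code(seed: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP for contrast: it depends only on the shared seed and the
    clock, so the code exists before any login session and cannot be tied
    to one. Anyone who learns it within the time step can use it anywhere."""
    counter = int(unix_time // step).to_bytes(8, "big")
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


if __name__ == "__main__":
    users = {"alice": make_user("correct horse")}  # constructed sample user
    svc = SessionBoundOtp(users)
    sid, code = svc.start_session("alice", "correct horse", "203.0.113.5", "Mozilla/5.0")
    print("from another computer:", svc.verify(sid, code, "198.51.100.7", "Mozilla/5.0"))
    print("from the originating computer:", svc.verify(sid, code, "203.0.113.5", "Mozilla/5.0"))
    print("replay:", svc.verify(sid, code, "203.0.113.5", "Mozilla/5.0"))
    print("TOTP at t=59 for the RFC 6238 test seed:", totp_code(b"12345678901234567890", 59))
```

Two design notes. The IP/User-Agent fingerprint is illustrative only: corporate NAT and mobile networks change client addresses mid-login, so production code binds the code to the server-issued session identifier and treats the fingerprint as a supplementary signal. And the binding defeats reuse of a stolen code from another machine and replay from the same one, but not an attacker who opened the session personally through a relay proxy; that case is what the location information in the OTP message is for.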

Another benefit of token-free authentication is the ease and speed of setup. A token-based rollout can take more than a year in larger installations; token-free authentication can sometimes be deployed in less than a day. For many organizations the difference between a year of integration and a day is decisive.

Authentication For a Safer Tomorrow

The surge in data breaches costs organizations millions of dollars while enriching cyber criminals, who sell the data on the black market or use it themselves to commit fraud. Authentication is clearly a business necessity, yet it is not a mere commodity; the options must be researched thoroughly to find what best meets your organization’s needs. Hardware tokens have multiple disadvantages, including poor user compliance, high cost and reduced productivity, and other options such as certificates and biometric scans carry their own logistical problems and risks. Protection against the new generation of threats calls for a next-generation multi-factor authentication solution, which is why mobile phone-based multi-factor authentication is in high demand.

New technologies today are more secure, more user-friendly and much cheaper to use and manage, and they increase user productivity at the same time. IT professionals deserve to understand all their authentication options, with or without tokens, so that they can make the best decision for their organizations.

About the Author:

David Hald is a founding member of SMS PASSCODE A/S, where he acts as a liaison and a promoter of the award-winning SMS PASSCODE multi-factor authentication solutions. Prior to founding SMS PASSCODE A/S, he was a co-founder and CEO of Conecto A/S, a leading consulting company in the area of mobile and security solutions, with special emphasis on Citrix, BlackBerry and other advanced mobile solutions. At Conecto A/S David worked on strategic and tactical implementation in many large IT projects. David has also been CTO of companies funded by Teknologisk Innovation and Vækstfonden. Before founding Conecto, he worked as a software developer and project manager and headed his own software consulting company. David has a technical background from the Computer Science Institute of Copenhagen University (DIKU).