Two-factor authentication: Difference between revisions
Jujutacular (talk | contribs) Repairing links to disambiguation pages - You can help! |
Revision as of 21:55, 29 July 2009
An authentication factor is a piece of information and process used to authenticate or verify the identity of a person or other entity requesting access under security constraints. Two-factor authentication (T-FA) is a system wherein two different factors are used in conjunction to authenticate. Using two factors as opposed to one factor generally delivers a higher level of authentication assurance.
Using more than one factor is sometimes called "strong authentication"; however, "strong authentication" and "multi-factor authentication" are fundamentally different processes. Soliciting multiple answers to challenge questions may be considered strong authentication but, unless the process also retrieves 'something you have' or 'something you are', it would not be considered multi-factor. The FFIEC issued supplemental guidance on this subject in August 2006, in which they clarified, "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category ... would not constitute multifactor authentication." Source: "Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment", August 15, 2006
Summary
Authentication factors are used in a procedure that authenticates a person as an individual with definitively granted access rights. There are different factor types for authentication:
- Human factors are inherently bound to the individual, for example biometrics ("Something you are").
- Personal factors are otherwise mentally or physically allocated to the individual, for example learned code numbers ("Something you know").
- Technical factors are bound to physical means, for example a pass, an ID card or a token ("Something you have").
Each of the types may apply independently for demanding access according to given rules and procedures. Presenting a factor proves compliance with access rules and therefore has to be done in a specified procedure. In two-factor authentication, compliance with a minimum of two factors is required. For details on authentication factors see authentication.
Two-factor Authentication Overview
Two-factor, or multi-factor, authentication is exactly what it sounds like. Instead of using only one type of authentication factor, such as only things a user KNOWS (login IDs, passwords, secret images, shared secrets, solicited personal information, etc.), two-factor authentication requires the addition of a second factor: something the user HAS or something the user IS.
Two-factor authentication is not a new concept. Two-factor authentication is used every time a bank customer visits their local ATM machine. One authentication factor is the physical ATM card the customer slides into the machine. The second factor is the PIN they enter. Without both, authentication cannot take place. This scenario illustrates the basic parts of most multi-factor authentication systems; the "something you have" + "something you know" concept.
Regulatory Definition
Federal regulators consistently recognize only three authentication factors:
"Existing authentication methodologies involve three basic “factors”: • Something the user knows (e.g., password, PIN); • Something the user has (e.g., ATM card, smart card); and • Something the user is (e.g., biometric characteristic, such as a fingerprint). Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods." (FFIEC)
According to proponents, T-FA could drastically reduce the incidence of online identity theft, and other online fraud, because the victim's password would no longer be enough to give a thief access to their information. However, many T-FA approaches remain vulnerable to trojan and man-in-the-middle attacks.[1]
Types of Two-factor Authentication
Tokens
The most common forms of the 'something you have' are smart cards and USB tokens. Differences between the smart card and USB token are diminishing; both technologies include a microcontroller, an OS, a security application, and a secured storage area.
Virtual Tokens
Virtual tokens are a new concept in multi-factor authentication, first introduced in 2005 by the security company Sestus. Virtual tokens reduce the costs normally associated with implementation and maintenance of multi-factor solutions by utilizing the user's existing internet device as the "something the user has" factor.
Biometrics
Biometric authentication also satisfies the regulatory definition of true multi-factor authentication. Users may biometrically authenticate via their fingerprint, voiceprint, or iris scan using provided hardware and then enter a PIN or password in order to open the credential vault. However, while this type of authentication is suitable in limited applications, this solution may become unacceptably slow and comparatively expensive when a large number of users are involved. In addition, it is extremely vulnerable to a replay attack: once the biometric information is compromised, it may easily be replayed unless the reader is completely secure and guarded. Finally, there is great user resistance to biometric authentication. Users resist having their personal physical characteristics captured and recorded for authentication purposes.
For many biometric identifiers, the actual biometric information is rendered into string or mathematical information. The device scans the physical characteristic, extracts critical information, and then stores the result as a string of data. Comparison is therefore made between two data strings, and if there is sufficient commonality a pass is achieved. The choice of how much data to match, and to what degree of accuracy, governs the accuracy/speed ratio of the biometric device. No biometric device, therefore, provides an unambiguous guarantee of identity, but rather a probability, and all may produce false positive and false negative outputs. If a biometric system is applied to a large number of users (perhaps all of the customers of a bank), the error rate may make the system impractical to use.
Threats to Biometric Authentication
Biometric information may be mechanically copied and cannot be easily changed. This is perceived as a key disadvantage since, if discovered, the compromised data cannot be changed. A user can easily change his/her password. A user cannot easily change their fingerprint. A bio-identifier can also be faked: apart from forcing a valid user to operate a reader, fingerprints can easily be captured on sticky tape and false gelatine copies made, or simple photos of eye retinas can be presented. More expensive biometric sensors should be capable of distinguishing between live originals and dead replicas, but such devices are not practical for mass distribution. It is likely that, as biometric identifiers become widespread, more sophisticated compromise techniques will be developed.
History
Historically, fingerprints have been used as the most authoritative method of authentication, but recent court cases in the US and elsewhere have raised fundamental doubts about fingerprint reliability[citation needed]. Other biometric methods such as retinal scans are promising, but have shown themselves to be easily spoofable in practice. Hybrid or two-tiered authentication methods offer a compelling solution, such as private keys encrypted by fingerprint inside of a USB device.
Magnetic Cards
Magnetic cards (credit cards, debit cards, ATM cards, gift cards, etc.) combined with secure, encrypting card readers also provide a possible solution for two-factor/strong authentication. Each magnetic stripe card has unique characteristics, much like the card's own fingerprint, called a magnetic fingerprint. The advantage is that a magnetic fingerprint already exists on every magnetic stripe card because it is an intrinsic characteristic, and no cards would need to be re-issued. It is also more reliable than biometric fingerprinting and cannot be "lifted." Each swipe of the card provides a correlative number called a dynamic digital identifier that can be scored and "matched" to the originating value to determine the card's authenticity. Since the number changes each time, it cannot be re-used as long as all processing is authenticated. It does require a special reader that can read the magnetic fingerprint value, but these readers can be swapped out incrementally as old readers wear down. So the actual investment could be incorporated as an incremental increase (due to licensing, increased equipment complexity, etc.) of current business cost expectations.
As a plus, there are USB readers available that can be used in the home for online banking and eCommerce by the consumer. The disadvantages are that people would have to carry a small card reader and web sites would need to have a program established to relay the encrypted card data to perform authentication. The advantages are that people already carry their cards with them, they are a low cost solution and no re-issue of credentials would need to occur, consumer behavior would not need to change for most applications and people would not need to read from a small screen and type in a generated pass code before it times out.
Phones
A new category of T-FA tools transforms the PC user's mobile phone into a token device using SMS messaging or an interactive telephone call. Since the user now communicates over two channels, the mobile phone becomes a two-factor, two-channel authentication mechanism. The verification process starts when a user registers (or updates) their contact information on a website. During this time the user is also asked to enter his or her regularly used telephone numbers (home, mobile, work, etc.). The next time the user logs in to the website, they must enter their username and password; if they enter the correct information, the user then chooses the phone number at which they can be contacted immediately from their previously registered phone numbers. The user will be instantly called or receive an SMS text message with a unique, temporary PIN code. The user then enters this code into the website to prove their identity, and if the PIN code entered is correct, the user will be granted access to their account. This process provides an extra layer of online security beyond merely a username and password. These solutions can be used with any telephone, not just mobile devices.
While such a method can simplify deployment, reduce logistical costs and remove the need for separate hardware token devices, there are trade-offs. Users may incur fees for text/data services or cellular calling minutes. In addition, there is latency involved with SMS services, especially during peak SMS usage periods like the holidays. There is a newer method of using the mobile phone as the processor and having the security token reside on the mobile as a Java ME client. This method does not include data latency or incur hidden costs for the end user.
One universal problem associated with relying exclusively on telephones for authentication is the fact that not every user may have access to a telephone when they wish to authenticate. The user may have registered their work phone number, for example, but is attempting to authenticate from home. In addition, given the fact that the telephone is physically disconnected from the authenticating website, the process is inherently vulnerable to man-in-the-middle attacks, where a fraudster is actually interacting with the website, and the user is unwittingly passing the fraudster information received over their phone, or pushing a button on their phone when prompted, thus allowing the fraudster to proceed.
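The server side of the temporary-PIN step described above can be sketched as follows. This is an added example, not code from the original article; the class name, the 5-minute lifetime and the 3-guess limit are assumptions, and delivery to the SMS or voice gateway is left to the caller.

```python
import hmac
import secrets
import time

PIN_DIGITS = 6
PIN_TTL_SECONDS = 300   # assumed lifetime of the temporary PIN
MAX_ATTEMPTS = 3        # assumed number of guesses allowed per PIN


class PhoneChallengeStore:
    """In-memory state for the 'call or text me a PIN' step (hypothetical helper)."""

    def __init__(self, registered_numbers, clock=time.time):
        self._registered = registered_numbers  # username -> set of phone numbers
        self._pending = {}                     # username -> open challenge
        self._clock = clock

    def issue(self, username, phone_number):
        """Create a PIN, but only for a number the user registered earlier.

        The PIN is returned so the caller can pass it to the SMS/voice
        gateway; it must never be sent back over the web session.
        """
        if phone_number not in self._registered.get(username, set()):
            raise ValueError("phone number was not registered for this user")
        # secrets, not random: the PIN must be unpredictable.
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        self._pending[username] = {
            "pin": pin,
            "expires": self._clock() + PIN_TTL_SECONDS,
            "attempts_left": MAX_ATTEMPTS,
        }
        return pin

    def verify(self, username, submitted_pin):
        """Check a submitted PIN: single use, time limited, guess limited."""
        challenge = self._pending.get(username)
        if challenge is None:
            return False
        if self._clock() > challenge["expires"]:
            del self._pending[username]
            return False
        challenge["attempts_left"] -= 1
        # Constant-time comparison avoids leaking how many digits matched.
        ok = hmac.compare_digest(challenge["pin"].encode(),
                                 str(submitted_pin).encode())
        # Drop the challenge after success or after the last allowed guess.
        if ok or challenge["attempts_left"] <= 0:
            del self._pending[username]
        return ok
```

These controls limit guessing and reuse of the PIN; they do not address the relay problem described above, because a PIN the user passes on to a third party is still the correct PIN.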
Smart cards
Smart cards are about the same size as a credit card. Some vendors offer smart cards that perform both the function of a proximity card and network authentication. Users can authenticate into the building via proximity detection and then insert the card into their PC to produce network logon credentials. They can also serve as ID badges. The downside is that the smart card is a bigger device and the card reader is an extra expense.
Additionally, many banks and financial institutions are implementing Chip Authentication Program technology which pairs a banking smart card with an independent, unconnected card reader. Using the card, reader and ATM PIN as factors, a one-time password is generated that can then be used in place of passwords. The technology offers support against man-in-the-middle attacks by facilitating Transaction Data Signing, where information from the transaction is included in the calculation of the one-time password - this is proving to be strong protection when making bank transfers or other financial transactions.[citation needed] During 2008, this method of two-factor authentication will be made available in the e-commerce environment through the 3D Secure architectures managed by MasterCard (SecureCode) and VISA (Verified by Visa) although the cardholder is often required to pay an extra fee for the enhanced card.
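The idea behind Transaction Data Signing, where the one-time password is calculated over the transaction details, can be illustrated with the added example below. It is not from the original article and is not the Chip Authentication Program algorithm: it uses a plain HMAC-SHA256 over a counter, payee and amount as a stand-in, and all names, the key and the account strings are constructed.

```python
import hashlib
import hmac
import struct

CODE_DIGITS = 8


def _field(value: str) -> bytes:
    """Length-prefix a field so adjacent fields cannot run into each other."""
    raw = value.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def _code(card_key: bytes, message: bytes) -> str:
    mac = hmac.new(card_key, message, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def reader_login_code(card_key: bytes, counter: int) -> str:
    """Code that proves possession of the card and nothing else."""
    return _code(card_key, b"LOGIN" + struct.pack(">Q", counter))


def reader_signing_code(card_key: bytes, counter: int,
                        payee: str, amount_cents: int) -> str:
    """Code over the details the customer keyed into the unconnected reader."""
    message = (b"SIGN" + struct.pack(">Q", counter)
               + _field(payee) + _field(str(amount_cents)))
    return _code(card_key, message)


class Bank:
    """Verifier that shares the card key (assumed symmetric model)."""

    def __init__(self, card_key: bytes):
        self._key = card_key
        self._next_counter = 0  # counters below this were already used

    def _accept(self, expected: str, submitted: str, counter: int) -> bool:
        if counter < self._next_counter:
            return False  # replay of an old code
        if not hmac.compare_digest(expected.encode(), submitted.encode()):
            return False
        self._next_counter = counter + 1
        return True

    def check_login(self, counter: int, code: str) -> bool:
        return self._accept(reader_login_code(self._key, counter), code, counter)

    def check_transfer(self, counter: int, payee: str,
                       amount_cents: int, code: str) -> bool:
        # Recompute from the transfer request as it arrived at the bank.
        expected = reader_signing_code(self._key, counter, payee, amount_cents)
        return self._accept(expected, code, counter)


def demo() -> dict:
    key = b"constructed-card-key"  # constructed sample key
    bank = Bank(key)
    code = reader_signing_code(key, 0, "ACCT-1111", 25000)
    return {
        # Request reached the bank with a different payee than the user signed.
        "altered_payee": bank.check_transfer(0, "ACCT-9999", 25000, code),
        "as_entered": bank.check_transfer(0, "ACCT-1111", 25000, code),
        "replayed": bank.check_transfer(0, "ACCT-1111", 25000, code),
    }
```

A login code from the same card carries no transaction data, so it says nothing about which transfer the customer intended; the signing code is only valid for the payee and amount the customer entered.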
Universal Serial Bus
A USB token has a different form factor; it can't fit in a wallet, but can easily be attached to a key ring. A USB port is standard equipment on today's computers, and USB tokens generally have a much larger storage capacity for logon credentials than smart cards.
Digital Certificates
Digital client certificates are a PKI solution for enabling the enhanced user identification and access controls needed to protect sensitive online information. Digital certificates can also be stored and transported on smart cards or USB tokens for use when traveling. Each certificate can only be used to authenticate one particular user because only that user’s computer has the corresponding and unique private key needed to complete the authentication process. Client certificates are delivered electronically; however, deployment and support of digital certificates have proven problematic. In a 2008 study published by the Credit Union Journal, digital certificates were noted as averaging very high support costs and very low rates of user acceptance due to difficult technical implementation requirements.
Other types of factors
Some manufacturers also offer a One Time Password (OTP) token. These have an LCD screen which displays a pseudo-random number consisting of 6 or more alphanumeric characters (sometimes numbers, sometimes combinations of letters and numbers, depending upon vendor and model). This pseudo-random number changes at pre-determined intervals, usually every 60 seconds, but they can also change at other time intervals or after a user event, such as the user pushing a button on the token. Tokens that change after a pre-determined time are called time-based, and tokens that require a user event are referred to as sequence-based (since the interval value is the current sequence number of the user events, i.e. 1, 2, 3, 4, etc.). When this pseudo-random number is combined with a PIN or password, the resulting passcode is considered two factors of authentication (something you know with the PIN/password, and something you have from the OTP token). There are also hybrid-tokens that provide a combination of the capabilities of smartcards, USB tokens, and OTP tokens.
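The difference between time-based and sequence-based tokens, and what the server has to track for each, is shown in the added example below. It is not from the original article: the article does not name an algorithm, so the open HOTP (RFC 4226) and TOTP (RFC 6238) schemes are used as stand-ins, and the look-ahead and drift windows are assumed values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: float, step: int = 60, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of elapsed time steps."""
    return hotp(secret, int(unix_time) // step, digits)


def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())


def verify_sequence_based(secret: bytes, submitted: str,
                          server_counter: int, look_ahead: int = 3):
    """Return the new server counter on success, else None.

    The token's counter advances on every button press, so the server
    searches a small window ahead of its own counter. On success it moves
    past the matched value, which makes that code and all earlier ones
    unusable.
    """
    for counter in range(server_counter, server_counter + look_ahead + 1):
        if _same(hotp(secret, counter), submitted):
            return counter + 1
    return None


def verify_time_based(secret: bytes, submitted: str, unix_time: float,
                      last_used_step: int = -1, step: int = 60,
                      drift_steps: int = 1):
    """Return the matched time step on success, else None.

    Neighbouring steps are accepted to tolerate clock drift. Steps at or
    before last_used_step are refused so a code cannot be used twice
    within its validity window.
    """
    current = int(unix_time) // step
    for s in range(max(0, current - drift_steps), current + drift_steps + 1):
        if s > last_used_step and _same(hotp(secret, s), submitted):
            return s
    return None
```

The caller has to persist the returned counter or time step per token; without that stored state, a code observed once could be submitted again.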
Challenges
Cost effectiveness
There are drawbacks to two-factor authentication that are keeping many approaches from becoming widespread. Some consumers have difficulty keeping track of a hardware token or USB plug. Many consumers do not have the technical skills needed to install a client-side software certificate.
As a result, adding a second factor to the authentication process typically leads to an increase in costs for implementation and maintenance. Most hardware token-based systems are proprietary and charge an annual fee per user in the $50–100 USD range. Deployment of hardware tokens is logistically challenging. Hardware tokens may get damaged or lost, and issuance of tokens in large industries such as banking or even within large enterprises needs to be managed.
In addition to deployment costs, two-factor authentication often carries significant additional support costs. A 2008 survey of over 120 U.S. credit unions by the Credit Union Journal reported on the support costs associated with two-factor authentication. In their report, software certificates and software toolbar approaches were reported to have the highest support costs. Virtual tokens and geo-locations were reported to have the lowest support costs.
Market acceptance
As a result of challenges with integration and user acceptance, true two-factor authentication is not yet widespread. Faced with regulatory two-factor authentication guidelines in 2005, numerous U.S. financial institutions instead deployed additional knowledge-based authentication methods, such as shared secrets or challenge questions, only to discover later that such methods do not satisfy the regulatory definition of "true multifactor authentication". Supplemental regulatory guidelines and stricter enforcement are now beginning to force the abandonment of knowledge-based methods in favor of "true multifactor authentication".
A 2007 study published by the Credit Union Journal and co-sponsored by BearingPoint reported 94% of the authentication solutions implemented by U.S. financial institutions failed to meet the regulatory definition of true multi-factor authentication.
An increasing number of recent undesired disclosures of governmentally protected data [1] [2] or private data [3] [4] is likely to contribute to new T-FA requirements, especially in the European Union.
Product proliferation
Many T-FA products require users to deploy client software to make T-FA systems work. Some vendors have created separate installation packages for network login, Web access credentials and VPN connection credentials. For such products, there may be four or five different software packages to push down to the client PC in order to make use of the token or smart card. This translates to four or five packages on which version control has to be performed, and four or five packages to check for conflicts with business applications. If access can be operated using web pages, it is possible to limit the overheads outlined above to a single application. With other T-FA solutions, such as virtual tokens and some hardware token products, no software must be installed by end users.
User password management
Users have natural problems retaining a single authentication factor like a password. It is not uncommon for users to be expected to remember dozens of unique passwords. T-FA where one factor is a password or PIN code does not eliminate this problem. One possible solution is to have the second factor be a biometric or a virtual token number that the user does not need to remember, instead of an entity that the user needs to memorize.
Interoperability of authentication mechanisms
Two-factor authentication is not standardized. There are various implementations of it. Therefore, interoperability is an issue.
Password security
Another concern is the security of the T-FA tools and their systems. Several products store passwords in plain text for either the token or smart card software or its associated management server.
There is a further argument that there is nothing to stop a user (or intruder) from manually providing logon credentials that are stored on a token or smart card. For example, to show all passwords stored in Internet Explorer, all an intruder has to do is to boot the Microsoft Windows OS into safe mode (with network support) and to scan the hard drive (using certain freely available utilities). However, making it necessary for the physical token to be in place at all times during a session can negate this.
Software security
Another concern when deploying smart cards, USB tokens, or other T-FA systems is the security of the software loaded on to users' computers. A token may store a user's credentials securely, but the potential for breaking the system is then shifted to the software interface between the hardware token and the OS, potentially rendering the added security of the T-FA system useless.
MITM Vulnerabilities
Traditional hardware tokens are also vulnerable to a type of attack known as the man-in-the-middle, or MITM attack. In a MITM attack, the fraudster does not need to be in physical possession of the hardware token to compromise the victim's account. The fraudster simply needs to convince the victim to divulge their hardware token value to them, and then pass this disclosed value on to the genuine website within the specified expiration time frame. A major U.S. bank made headline news in 2006 when its hardware token-equipped business customers were targeted by just such an attack from fraudsters based in the Ukraine.
Market segments
Market segments with regard to two-factor authentication are:
- Enterprise
- Secure remote access
- Enterprise authentication
- B2B transactions
- Consumer
- Government
- Common authentication
- Biometrics
Related technologies
Two-factor authentication solutions sometimes include technologies to generate one-time passwords; a few solutions also include single sign-on (SSO) technology.
See also
- Authentication
- Identity management
- Mobile Signatures
- Multi-factor authentication
- Mutual authentication
- Security token
References
External links
- A 3 minute video explaining two factor authentication from ZDNet
- Microsoft to abandon passwords, Microsoft preparing to dump passwords in favour of two-factor authentication in forthcoming versions of Windows (vnunet.com, 14 Mar 2005)
- PHP full implementation (LGPL) of a token grid authentication, including generation and authentication.
- Banks to Use Two-factor Authentication by End of 2006, (slashdot.org, 20 Oct 2005)
- How to secure SSH with two-factor authentication
- How to add two-factor authentication to Freeradius
- Ars Technica on new two-factor authentication methods
- An informative website produced by Xiring explaining how T-FA with smart cards works in the banking industry