Two-factor authentication

From Wikipedia, the free encyclopedia

Jump to: navigation, search

An authentication factor is a piece of information and process used to authenticate or verify the identity of a person or other entity requesting access under security constraints. Two-factor authentication (T-FA) is a system wherein two different factors are used in conjunction to authenticate. Using two factors as opposed to one factor generally delivers a higher level of authentication assurance.

Using more than one factor is sometimes called strong authentication. However, strength is always bound to secrecy under which the factors are kept and protected against any third party challenge.


[edit] Summary

Authentication factors apply for a special procedure of authenticating a person as an individual with definitively granted access rights. There are different factor types for authentication:

  • Human factors are inherently bound to the individual, for example biometrics ("Something you are").
  • Personal factors are otherwise mentally or physically allocated to the individual as for example learned code numbers. ("Something you know")
  • Technical factors are bound to physical means as for example a pass, an ID card or a token. ("Something you have")

Each of the types may apply independently for demanding access according to given rules and procedures. The presenting of a factor proves compliance with access rules and therefore has to be effected in a specified procedure. In two factor authentication a minimum of two factors compliance is required. For details on authentication factors see authentication.

[edit] Two-factor authentication methods

Often a combination of methods is used, e.g., a bankcard and a PIN, in which case the term two-factor authentication (or multi-factor authentication) is used. In 2006, several scientists at RSA Laboratories published a paper exploring social networking as a fourth factor of human authentication. In principle, extension to more than two factors to create a multi-factor authentication would increase security and should thus be desirable, but the consequent additional complexity has been found to affect users' comfort, and is therefore not currently recommended in place of simply manual operation and routine access controls.

It should be remembered, however, that strong authentication and multi-factor authentication are fundamentally different processes. Soliciting multiple answers to challenge questions may be considered strong authentication but, unless the process also retrieves 'something you have' or 'something you are', it would not be considered multi-factor. The FFIEC has issued supplemental guidance on this subject in August 2006, in which they clarified, "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category ... would not constitute multifactor authentication."

According to proponents, T-FA could drastically reduce the incidence of online identity theft, and other online fraud, because the victim's password would no longer be enough to give a thief access to their information. However, T-FA is still vulnerable to trojan and man-in-the-middle attacks.[1]

Deployment of T-FA tools such as smart cards and USB tokens appears to be increasing. More organizations are adding a layer of security to the desktop that requires users to physically possess a token, and have knowledge of a PIN or password in order to access company data. However, there are still some drawbacks to two-factor authentication that are keeping the technology from widespread deployment. Some consumers have difficulty keeping track of one more object in their life. Also, many two-factor authentication solutions are proprietary and protected by patents. The result is a substantial annual fee per person protected and a lack of interoperability.

[edit] Cost effectiveness

Adding a second factor in the authentication mechanism will lead to increase in costs for implementation and maintenance. Most systems are proprietary and charge an annual fee per user in the $50-100 USD range. Deployment of hardware tokens is logistically challenging. Hardware tokens may get damaged or lost and issuance of tokens in large industries such as banking or even within large enterprises needs to be managed. Note: Virtual tokens typically cost considerably less ($0.50 to $1.50 USD) and have no loss or damage costs.

[edit] Market acceptance

Despite the security advantages of strong authentication its adoption is not yet widespread. An increasing count of recent undesired disclosure of governmentally protected data [1] [2] or private data [3] [4] will change this image in concordance with new legal requirements, especially in the European Union.

A 2007 study by Celent reports that the year 2006 was dismal in terms of getting multifactor authentication (MFA) solutions out the door. Only 50% of banks were up and running for retail online banking, 40% for small business, and 60% for corporate banking. In 2007, 90% of banks are expected to be up and running for retail and small business online banking and 95% live for corporate banking, with nearly all banks deploying solutions by year end 2008. [2]

There are several factors that contribute to this lack of pervasiveness.

[edit] Product proliferation

The first challenge to face is the difficulty of deploying the client PC software required to make T-FA systems work. Most vendors have created separate installation packages for network login, Web access credentials and VPN connection credentials. In other words, there may be four or five different software packages to push down to the client PC in order to make use of the token or smart card. This translates to four or five packages on which version control has to be performed, and four or five packages to check for conflicts with business applications. If access can be operated using web pages, it is possible to limit the overheads outlined above to a single application.

[edit] Authentication factor options

[edit] Tokens

The most common forms of the 'something you have' are smart cards and USB tokens. Differences between the smart card and USB token are diminishing; both technologies include a microcontroller, an OS, a security application, and a secured storage area.

[edit] Biometrics

A human thumbprint - a common type of biometric data used in authentication.

In both cases, vendors are beginning to add biometric readers on the devices, thereby providing multi-factor authentication. Users biometrically authenticate via their fingerprint to the smart card or token and then enter a PIN or password in order to open the credential vault. However, while this type of authentication is suitable in limited applications, this solution may become unacceptably slow and comparatively expensive when a large number of users are involved. In addition, it is extremely vulnerable to a replay attack: once the biometric information is compromised, it may easily be replayed unless the reader is completely secure and guarded.

For all biometric identifiers, the actual biometric image is not stored and checked against - a scanning algorithm extracts critical information from the image and stores the result as a string of data. Comparison is therefore made between two data strings, and if there is sufficient commonality a pass is achieved. It may be appreciated that choice of how much data to match, and to what degree of accuracy, governs the accuracy/speed ratio of the biometric device. All biometric devices, therefore, do not provide unambiguous guarantees of identity, but rather probabilities, and all may provide false positive and negative outputs. If a biometric system is applied to a large number of users - perhaps all the citizens in a country, the error rate may make the system impractical to use.

[edit] Threat and advantage

Above all, biometric information can not be changed, that is a key advantage. However, though biometrics cannot be reproduced in a growth process, a biometric identifier may be mechanically copied. And a bio-identifier can be faked: Apart from forcing a valid user to operate a reader, fingerprints can easily be captured on sticky tape and false gelatine copies made, or simple photos of eye retinas can be presented. However, intelligent biometrics sensors should be capable to distinguish between live original and dead replicas. It is likely that, as biometric identifiers become widespread, more sophisticated techniques to spoof them will be developed. The race between biometrics security means and threatening and challenging biometrics is steady as with technical alternatives.

[edit] History

Historically, fingerprints have been used as the most authoritative method of authentication, but recent court cases in the US and elsewhere have raised fundamental doubts about fingerprint reliability[citation needed]. Other biometric methods such as retinal scans are promising, but have shown themselves to be easily spoofable in practice. Hybrid or two-tiered authentication methods offer a compelling solution, such as private keys encrypted by fingerprint inside of a USB device.

[edit] Phones

A new category of T-FA tools transforms the PC user's mobile phone into a token device using SMS messaging or an interactive telephone call. Since the user now communicates over two channels, the mobile phone becomes a two-factor, two-channel authentication mechanism.

Some methods simply place a traditional telephone call to the end user's phone, prompting the user to press a key or sequence of keys. These solutions can be used with any telephone, not just mobile devices.

While such a method can simplify deployment, reduce logistical costs and remove the need for a separate hardware token devices, there are trade-offs. Users may incur fees for text/data services or cellular calling minutes. In addition, there is a latency involved with SMS services especially during peak SMS usage periods like the holidays.

There is a newer method of using the mobile phone as the processor and having the Security Token reside on the mobile as a Java ME client. This method does not include data latency or incur hidden costs for the end user.

[edit] Smart cards

Smart cards are about the same size as a credit card. Some vendors offer smart cards that perform both the function of a proximity card and network authentication. Users can authenticate into the building via proximity detection and then insert the card into their PC to produce network logon credentials. They can also serve as ID badges. The downside is that the smart card is a bigger device, the card reader is an extra expense.

Additionally, many banks and financial institutions are implementing Chip Authentication Program technology which pairs a banking smart card with an independent, unconnected card reader. Using the card, reader and ATM PIN as factors, a one-time password is generated that can then be used in place of passwords. The technology offers support against man-in-the-middle attacks by facilitating Transaction Data Signing, where information from the transaction is included in the calculation of the one-time password - this is proving to be strong protection when making bank transfers or other financial transactions. During 2008, this method of two-factor authentication will be made available in the e-commerce environment through the 3D Secure architectures managed by MasterCard (SecureCode) and VISA (Verified by Visa).

[edit] Universal Serial Bus

A USB token has different form factor; it can't fit in a wallet, but can easily be attached to a key ring. A USB port is standard equipment on today's computers, and USB tokens generally have a much larger storage capacity for logon credentials than smart cards.

[edit] Other types of factors

Entrust IdentityGuard OTP Token

Some manufacturers also offer a One Time Password (OTP) token. These have an LCD screen which displays a pseudo-random number consisting of 6 or more alphanumeric characters (sometimes numbers, sometimes combinations of letters and numbers, depending upon vendor and model). This pseudo-random number changes at pre-determined intervals, usually every 60 seconds, but they can also change at other time intervals or after a user event, such as the user pushing a button on the token. Tokens that change after a pre-determined time are called time-based, and tokens that require a user event are referred to as sequence-based (since the interval value is the current sequence number of the user events, i.e. 1, 2, 3, 4, etc.). When this pseudo-random number is combined with a PIN or password, the resulting passcode is considered two factors of authentication (something you know with the PIN/password, and something you have from the OTP token). There are also hybrid-tokens that provide a combination of the capabilities of smartcards, USB tokens, and OTP tokens.

[edit] Organizational effort

Security does not happen without organizational embedding. This applies as well to structures as to individuals and their training and motivation.

[edit] User password management

Users have natural problems retaining a single authentication factor like a password. It is not uncommon for users to be expected to remember dozens of unique passwords. T-FA where one factor is a password or PIN code, does not eliminate this problem. One possible solution is to have the second factor be a biometric, instead of an entity that the user needs to memorize.

[edit] Interoperability of authentication mechanisms

Two-factor authentication is not standardized. There are various implementations of it. Therefore, interoperability is an issue.

[edit] Password security

Another concern is the security of the T-FA tools and their systems. Several products store passwords in plain text for either the token or smart card software or its associated management server. In either case this largely negates one factor of the authentication since although an intruder could easily find the password/PIN used to authenticate to the device, they still need to be in possession of the relevant token or smart card for this type of attack to work.

There is a further argument that purports that there is nothing to stop a user (or intruder) from manually providing logon credentials that are stored on a token or smart card. For example to show all passwords stored in Internet Explorer, all an intruder has to do is to boot the Microsoft Windows OS into safe mode (with network support) and to scan the hard drive (using certain freely available utilities). However, making it necessary for the physical token to be in place at all times during a session can negate this.

[edit] Software security

Another concern when deploying smart cards, USB tokens, or other T-FA systems is the security of the software loaded on to users' computers. A token may store a user's credentials securely, but the potential for breaking the system is then shifted to the software interface between the hardware token and the OS, potentially rendering the added security of the T-FA system useless.

[edit] Market segments

Market segments in regards to two-factor authentication are:

[edit] Related technologies

Two-factor authentication solutions sometimes includes technologies to generate one-time passwords, a few solutions also include single sign-on (SSO) technology.

[edit] See also

[edit] References

  1. ^ The Failure of Two-Factor Authentication (Bruce Schneier, March 2005)
  2. ^ According to estimates released by research and consulting firm Celent on 23 July 2007.

[edit] External links

Personal tools