Matt Conroy

My NoLedge

26 Apr

Multi Factor Security Review

Posted by admin, published in Uncategorized

Introduction

One of the newer terms in today’s business world is “multi-factor” security. With new security threats appearing daily, the ability to reliably authenticate a user of a networked system is essential to the success of any business. Multi-factor security narrows the gap of doubt when determining whether the user who is authenticating is in fact who they claim to be. It goes beyond traditional password authentication, which is “something you know”, by adding one or both of two further factors: “something you have” and “something you are”.

Something you know – the easiest to explain and in use for years: basic password authentication. A user is assigned a username and password and is granted access by entering them at a prompt.

Something you have – a token or smart card that a user can physically carry and that supplies additional authentication data, such as a one-time pass code.

Something you are – any form of biometric data. A user provides a fingerprint, looks into a retina scanner, speaks into a voice recognition system, or perhaps looks at a camera on a system that uses facial recognition.

If a system requires all three factors, we have the strongest form of multi-factor authentication; strictly speaking, any combination of two factors from different categories already counts as multi-factor (two passwords are still a single factor).

All this talk of true multi-factor security sounds like a security utopia, and in most cases it lives up to that reputation. Currently, however, very few systems require all three factors; the industry standard is a slimmed-down version called two-factor security, or strong authentication. Two-factor authentication requires only two of the three factors when verifying a user’s identity, and the biometric factor is normally the one left out because of cost and the logistics of deployment.

Why implement multi-factor security?

The most pressing reason to move to multi-factor security today is to meet the requirements of SOX, GLBA, or FFIEC guidance. As a specific example, the FFIEC has issued an official guidance document directing all financial institutions that offer online banking to adopt a risk-based model in which two-factor security is implemented for access to sensitive user data. However, since this is only a “guidance” document, a significant number of banks still rely solely on password authentication. Wells Fargo’s online banking system, for instance, requires only an SSN/username and a password to authenticate, and that single login allows a user to transfer money, view account balances, and send bill-pay checks. In some cases a bank may be applying a risk model that is more lenient than others, so the decision to use multi-factor security is left to the interpretation of the party assessing the risk.

A good example of a working two-factor implementation is PayPal’s site, which uses either SMS or a small token-generating device to provide the “something you have” factor. When you log in to PayPal, you are asked for a username and password, and then a text message containing a random pass code is sent to your designated cell phone number; the code is only valid for about a minute before a new one has to be sent. Having a text message sent to their own phone makes a user considerably more confident when dealing with the business, especially when the transaction involves an account with access to financial information.

However the problem is sliced, the main reason to implement two-or-more-factor security is to protect the personal information of users. In some cases companies have had to pay large fines to business partners for losing user data, and in almost all cases they must purchase credit monitoring for the users whose data was lost or stolen. Even though two-factor authentication is a necessary evil that is slowly but surely working its way into the security infrastructure of thousands of companies, we must remember that this type of authentication only secures identity validation; it does nothing to protect the back-end data and network from a direct attack. Network security is still extremely important.

Factor Implementation

When the three factors that can be used in multi-factor security are examined, it is easy to see that “something you know” is fairly easy to implement, while “something you have” and “something you are” are harder. Let’s look at implementation examples of “something you have”.

One way to implement “something you have” is a small device that generates a pass code which is required at authentication time in addition to the “something you know” username and password. Once the user has entered the username and password, the system prompts for the code currently shown on the generator; the code is derived from a secret shared with the server and a counter or the current time, which is how the server can compute the same value and check it. Since these devices are small enough to keep on a key chain, they are reasonably practical. Another approach is for the system verifying the identity to know a way to contact the user and deliver a pass code. SMS is one such channel: instead of entering the code from a portable generator, the user enters a code received in a text message from the server. Since the SMS device is owned by the user, it can be considered something they have.

“Something you are” is much harder to implement, and implementing it remotely is far too costly. Unless a cheap body scanner becomes available soon, this factor will most likely be used sparingly and only in extremely security-critical applications. It is worth noting that facial recognition is slowly becoming more popular and can be seen on some laptops today for authenticating to the machine.

Hacking Two Factor Security

Looking more deeply at two-factor security, we clearly see that it has holes that can be exploited, just not as easily as single-factor authentication. The reported ways two-factor authentication has been defeated are spyware that installs a keylogger and reports back to the attacker, and phishing scams whose malicious attachments, once the victim is talked into installing them, send login information to the attacker’s server in real time. This lets the attacker log in to the customer’s account at the same moment the pass code is generated, before the code expires. In some cases these virus/spyware programs even send screen shots of the entire process to the attacker. This is another good example of an old hack working against new technology.
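As an added example (not code from the original post, and not PayPal’s or any token vendor’s implementation), here is a small Python version of the counter- and time-based one-time pass codes used by key-chain generators and SMS systems (RFC 4226 HOTP and RFC 6238 TOTP), with the server-side verifier that checks them, followed by a simulation of the real-time relay attack described in this section. The seed is the RFC 4226 test secret; the timestamps, the one-step skew window and the attacker/victim roles are constructed for the demonstration.

```python
"""Counter- and time-based one-time pass codes (RFC 4226 HOTP, RFC 6238 TOTP)
with a server-side verifier, plus a simulation of the real-time relay attack
the post describes.  Example code written for this page, not any vendor's
product.  The seed is the RFC 4226 test secret; the timestamps, the skew
window and the attacker/victim parties are constructed for the demonstration."""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"   # RFC 4226 test-vector seed (constructed demo secret)
STEP = 30                          # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step.
    This is what a key-chain generator displays and what an SMS server sends."""
    return hotp(secret, int(now) // step)


class Verifier:
    """Server side of 'something you have': accept the code for the current
    step or one step either side (clock skew), and never accept a time step
    that has already been used, so a captured code cannot simply be replayed."""

    def __init__(self, secret: bytes, skew: int = 1):
        self.secret = secret
        self.skew = skew
        self.last_step = -1    # highest time step already consumed

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // STEP
        for step in range(current - self.skew, current + self.skew + 1):
            if step <= self.last_step:
                continue       # already used (or older than the last use): replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False


def relay_attack(now: float = 59.0) -> dict:
    """The attack from the post: malware or a phishing page on the victim's
    side forwards the username/password and the freshly displayed code to the
    attacker, who logs in a couple of seconds later, before the victim does."""
    server = Verifier(SECRET)
    victim_code = totp(SECRET, now)                     # token shows 287082 at t=59
    stolen_code = victim_code                           # captured in real time
    attacker_ok = server.verify(stolen_code, now + 2)   # attacker's login succeeds
    victim_ok = server.verify(victim_code, now + 5)     # victim's own login now fails
    return {"attacker": attacker_ok, "victim": victim_ok}


def late_replay(now: float = 59.0, delay: float = 600.0) -> bool:
    """The same stolen code submitted ten minutes later falls outside the
    window and is rejected.  This is why the attacker has to act at the
    same moment the code is generated."""
    server = Verifier(SECRET)
    return server.verify(totp(SECRET, now), now + delay)


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(SECRET, 0))    # 755224 per RFC 4226
    print("TOTP at t=59:  ", totp(SECRET, 59))   # 287082 per RFC 6238
    print("relay attack:  ", relay_attack())
    print("late replay:   ", late_replay())
```

The verifier’s replay check does not stop the relay, because the attacker submits the stolen code first; the only visible symptom is that the victim’s own login a few seconds later is rejected, which is a signal worth alerting on. The late_replay case shows the flip side: the same code is worthless ten minutes later, so the attack only works when the malware forwards credentials live.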

Summary

Just because two-factor security can be hacked doesn’t mean it should be abandoned; it is still very useful in deterring a large portion of the hacking community. More importantly, multi-factor authentication eliminates many of the security concerns users have when sending personal information to a company over the internet, and it should be considered a necessary investment for companies that truly care about the security of their customers.

Referenced Sources

  • http://www.entrust.com/governance/sox.htm
  • http://www.safenet-inc.com/library/8/iam_wp.pdf
  • http://en.wikipedia.org/wiki/Two-factor_authentication
  • http://www.ussrback.com/crypto/srp/others.html
  • http://www.ffiec.gov/pdf/authentication_guidance.pdf
  • http://www.csoonline.com/article/221068/Strong_Authentication_for_Online_Banking_Success_Factors?page=6
  • http://www.vnunet.com/vnunet/news/2139253/two-factor-authentication
  • http://www.wallstreetandtech.com/data-security/showArticle.jhtml
  • http://www.theregister.co.uk/2007/04/19/phishing_evades_two-factor_authentication
  • http://www.imx-solutions.com/docs/imX Matrix 5-1-06.pdf


2 May

Hello to the World!

Posted by admin, published in Uncategorized

Just figured I would say hi to the world. I haven’t posted in a while and a friend of mine is always saying that they get way more hits than me. Oh well, I guess I will have to be second best ;)

© 2008 Matt Conroy is proudly powered by WordPress