Story

To be or not to be... This is Authentication

We use the Internet on a daily basis to access numerous services available on the web, most of which require a process of identification and validation of a user’s identity, a process commonly defined as Authentication.

As Wikipedia states, the term Authentication derives from Greek terms αὐθεντικός, which means real or genuine, and from αὐθέντης authentic; author, and identify the act of confirming the truth of an attribute of a datum or entity.

Authentication processes are not just a human prerogative.  Consider the case of a web service which accesses data provided by another software platform by supplying the proper credentials.   In many cases we assist with, and need to authenticate with other entities in cyberspace, and we will see there are different types of authentication classes or factors, each related to a different level of security and protection against attacks.

Essentially there are three established classes or factors of authentication used to authenticate or verify a person's identity prior to being granted access, or approving a transaction request,etc :

  1. something the user knows (e.g. a password, a challenge response, or a PIN number)
  2. something the user has (e.g. an ID Card,  a smartcard, a phone, hardware or software token)
  3. something the user is. (e.g. biometric identifies such as fingerprint and retinal pattern, facial morphology)

The combination of the above factors comprise the definition of an authentication process.

It is important to make clear that the process of authorisation is quite distinct from that of authentication.   Whereas authentication is the process of verifying that "you are who you say you are", authorization is the process of verifying that "you are permitted to do what you are trying to do". Authorisation therefore presupposes authentication.  e.g. a client showing proper identification credentials to a bank ATM is asking to be authenticated to act on behalf of the account holder.  A client whose authentication request is approved becomes authorised to access the accounts of only that specific user, and no others.

The most common authentication method used on the Internet is single-factor authentication.  This means that to grant access to a generic resource it is necessary  to have just one of the above factors.  Single-factor authentication for Internet users essentially means the use of basic user name/ password combinations (something the user knows).

As described in our previous article,  single-factor authentication is not considered secure, and general user practice in the choice and management of passwords raises serious security concerns.  Users in fact typically adopt weak passwords, usually related to their lives, such as date of birth, or a son’s name, often also using the same password for multiple web services and/or sharing their credentials with friends and colleagues.  These passwords are often simple to determine by unauthorised persons.

Security research has shown that, to grant a good level of security, it is necessary that at least two, and preferably all three, factors be verified. The number of factors required during the authentication identify the type of authentication.

Therefore, to increase the security level during the authentication procedure, a further factor may be introduced, implementing what is commonly defined a two-factor authentication. A common example is  the use of a smart card (something user has) and a PIN number (something user knows).

We come across this type of authentication on a daily basis, such as accessing a bank account for example.  Online Banking usually require the possession of a token, introducing the term, token-based authentication, or in general terms, a hardware device used in combination with a username and PIN.

There are different hardware devices on the market, one-time password (OTP) tokens, OTP software tokens installed on mobile devices, grid cards, USB tokens, SMS-based tokens (in this case not OTP, event-based tokens), among others.

 

              

 

Token based authentication presents a potential vulnerability, whereby an attacker could attack the authentication  infrastructure, exploiting the authentication server or the authentication protocol, the token provider, the token itself, or the client,  using malware like Zeus for example.  Zeus, secretly captures passwords, account numbers, and other data used to log into online banking accounts.  Some 3.5 million PC’s in the USA alone are known to be affected. Malware is covered in a previous article.

Implementing two factor authentication processes in computer systems without doubt represents a suitable method for validating an entity’s identity, and reducing the incidence of cyber crimes such as identity theft.  However, consider that, in theory, it is possible to perform different attacks, such as MITM (Man In The Middle)  attacks, to compromise the security mechanism.

 

Authentication mechanisms using hardware and software tokens are also vulnerable to MITM attack in which an attacker impersonates the service (e.g. banking service) to the user and vice versa. The attacker, pretending to be the service, asks the user to provide his credentials, and to submit/generate the token value.  This means he does not need to physically possess the token, but he only has to pass the obtained information to the genuine service to gain access..

To solve the problem of both  MITM attacks, and authentication in the banking sector, as well as other realms, author Pierluigi Paganini, and his team at Bit4Id, developed a new multifunctional token equipped with a hardened browser which has already been adopted by several financial institutes. The token, presented at Cyber Security Bank Peru 2012,  enables  banking services to be transacted with full security, and without the need for  installation.

Another possible solution is the use of transaction-based tokens. In general OTPs (one time passwords) are generated by a cryptographic process where the device (the token) and the back-end server are able to check the OTP by means of a shared-key scheme.  But the OTP has nothing to do with the authenticated data.  So, some implementations use additional information to generate the OTP in a way that it can not be used in other context even if it is captured by a MITM attack.

A two factor authentication process could be also compromised if the attacker already has access the victims machine.  This is the case of malware which, when a user accesses a specific resource or service, attempts to piggyback on the transmission and perform fraudulent transactions.

The cost of implementing two factor authentication, in comparison to single factor authentication, is far greater due to the presence of the token and it’s management overheads.  For example, with  hardware tokens,  large numbers of users, will proportionally scale up the overall costs of authentication.  With a software token there is the need of a computing device, a PC, or mobile, and this also represents additional costs for the provider.

The current trend is to implement authentication procedures that require three-factor authentication, which request possession of a

  1. physical token,
  2. the knowledge of a password and
  3. the usage in conjunction with biometric data such as finger scanning.

Biometric Authentication is already becoming mainstream in certain industry sectors, particularly for mobile users, in the report, “Mobile Phone Biometric Security – Analysis and Forecasts 2011–2015“.   Alan Goode, the managing director of London-based research firm Goode Intelligence, predicts mobile phone biometric security products and services, which currently generate around $30 million a year globally, will grow to $161 million by 2015.

The Security Devices Industry has immediately identified these requirements, and are working on a new generation of authentication devices which will include several supplementary services and applications that have transformed a common token into a smart token that can then be used across a wide range of solutions.

The new generation of authentication devices are equipped with cryptographic chip that works as an authentic Hardware Security Module (HSM), flash memory, and a broad portfolio of mobile solutions that allow the users to execute the most common applications in mobility, in total independence from the host operating system.

 

 

Principal features of these tokens are:

  • Zero Installation - No installation or management costs.
  • Portable – Devices totally independent from the host Operating System.
  • Zero foot-print – No trace left on host systems.

It is clear that a similar device could represent an excellent instrument for the authentication process, and can also  be used as a component in some solutions for the prevention of digital identity theft.

This particular design for the devices is fundamental for use with biometric data, which is very sensitive information.  If biometric information is somehow disclosed, it may be possible for an attacker to forge your identification in many systems that depend on this data. That´s why some additional (and securely designed) hardware is necessary, and why the biometric alternative is always used in combination with other means of authentication.  Of course, it will not be easy to change your fingerprint, your retina or your palm vein structure in the case of a biometric data leakage.

Another useful step to reinforce the security of an account is to introduce two-factor authentication provided by several different service providers.  Let’s take Google for example.  If a user has an account and wants enhanced protection, s/he can selectively activate two-factor authentication.  This means that for each access to the Google platform, the user needs to provide their username and password (something they know), and a code that Google sends them via text or voice message upon signing in (something they have).

2-step verification drastically reduces the chances of having the personal information in every Google account stolen by someone else, because hackers would have to not only get a user’s password and username, but would also need to get hold of their phone.

 

 

Note that all these tokens and devices are frequently dependent on the legitimate possession of the token-generation device itself.  If it has been stolen, or acquired illegally, then the authentication process is clearly compromised.

So, here are some tips on how to enhance your security when accessing some systems:

  • First of all, read our previous article about secure passwords. It is your first barrier against attackers;
  • Use an authentication token when available.  Mobile-phone based tokens are becoming common and cheap.  Google, Facebook and other services are starting to provide their solutions for this purpose;
  • Always use at least a PIN protection to block your smart phone. If your smart phone is open(unlocked/unsecured), then unauthorised access to your e-mails, Facebook, and to your mobile token is completely open or at the very least, facilitated. This is particularly important when the token application does not have its own PIN security.
  • Use one PIN for your smart phone and a different one for the mobile token, when this feature is available.
  • Be careful with BYOD (“bring your own device”) policies imposed by your company. Some companies have a deeper level of access to your device, so you never know when someone in the back-office is looking at your SMS’s or using a new disclosed (zero-day) vulnerability to sniff your data, including screenshots of your mobile token.

Be safe! Keep you web and device access secure, and you will minimise your risk of exposure and exploitation.

Pierluigi Paganini

http://securityaffairs.co/wordpress/8867/security/to-be-or-not-to-be-this-is-authentication.html

 

Article published on The Malta Indipendent

Ron Kelson,

Pierluigi Paganini,

Fabian Martin,

David Pace,

Benjamin Gittins