Clarifying two-factor authentication

By Toyin Adelakun, a VP at Sestus.

Monday, 15th September 2014. Posted by Phil Alsop.

INTRODUCTION
Numerous recent reports of security breaches have brought user authentication for online services into sharp focus. In the search for an effective solution, two-factor authentication (2FA) is rising to the top as a potential answer, and is inevitably collecting a few misconceptions along the way. The point to remember is that a true 2FA system uses two independent forms of evidence to authenticate users. Most 2FA systems use what the user knows and what the user has (knowledge and possession) as “authentication factors”. For an authentication system to count as “two-factor”, evidence of at least one item from each of two distinct factors is needed.


BACKGROUND
The rapid increase in applications on the Internet corresponds to a rise in data that is valuable and interesting to a growing number of groups. Not all of those groups have a legitimate interest in the data, but that does not stop some of them from attempting to access it illegally.


Since the standard username-and-password combination is how most online resources and sites identify users, it is inevitable that the majority of hacks begin with attacks on the authentication schemes that protect the data attackers wish to obtain, modify or deny access to.


ISSUE
A wide range of threats exploits every kind of weakness in the handling of passwords. Hackers know that passwords can still be found physically, either written down or by watching a user type in a PIN or password. “Social engineering” is also used to fool individuals into revealing their passwords. Mass-scale “dictionary attacks” and other password-cracking methods let hackers guess passwords. Theft is another common method: targeting weakly defended databases, sniffing end-user traffic at public Wi-Fi locations, or planting Trojan-horse malware on user devices.
If the recent billion-password heist conducted by the Russian group CyberVor is to be believed at face value, it appears to have been the result of a combination of manual and automated methods. Initially, CyberVor purchased a compiled list of compromised e-mail addresses, which served as the initial target set. They then sent malware to the compromised computers and to further devices whose users’ e-mail addresses appeared in the address books of the compromised accounts. The malware activated whenever a user went online; it then tested the sites visited for password-management vulnerabilities. Upon finding an exploitable vulnerability, the malware sent back details of the site. This large-scale reconnaissance, which tracked numerous users across 420,000 sites, took place over several months. The weakly protected password databases were subsequently harvested from those sites. Given such a meticulous modus operandi, it is surprising that the heist didn’t surpass 1.2 billion username-password combinations.


Even if not all the claims about the attack can be relied on, it should serve as a substantial wake-up call for many. The CyberVor group hadn’t quite reached the point of fully exploiting the commercial value of the attack; this story might yet conclude as the “bad guys” having accidentally conducted a large-scale audit of the Web for the “good guys”. But those in charge must react efficiently and rapidly for that to be the case. There is no doubt that relying only on a simple password isn’t enough in today’s world.


IMPLICATIONS
In computer systems, identity means that we require information, as evidence, before accepting a user’s claim to an identity.


A single piece of evidence was deemed adequate for decades, but with the increasing value of online resources it has become a top priority to protect them from the growing risks they face.


One answer that has been developed is multi-factor authentication. Inherence (“something only the user is”) is a common factor, as are knowledge and possession. 2FA systems typically make use of the knowledge and possession factors.


NEED
Correctly applied, 2FA holds substantial promise for preventing system compromise. With 2FA, the defence-in-depth principle is applied at both the micro and the macro level, and the factors are independent of each other.


In 2FA, the knowledge factor requires a user to present, for example, a username, password or PIN. Possession requires the user to present something like a key-fob, smartcard or other token. The inherence factor requires users to present a physiological trait innate to them, such as their voice, fingerprint or eye (for a retinal scan). No item corresponding to one factor can be derived from, or substituted for, an item belonging to another. This independence requirement is what defines 2FA systems.


INSIGHT
Knowledge is a common source of misunderstanding: some online administrators and service providers mistakenly believe that asking for, say, two e-mail addresses (or for both a PIN and a password) qualifies as 2FA. It doesn’t, because both pieces of information are knowledge factors.
Instead, this is what is generally called “strong authentication”, which the United States’ FFIEC and FDIC distinguish from 2FA. Unfortunately the European Central Bank still insists on referring to 2FA as “strong customer authentication”, which only adds to the confusion on the subject.
Dual controls, which require two things of the same type (for example the signatures of two individuals), are common in the operational-risk context. These, too, differ from 2FA.


The good news, however, is that a perfect 2FA system is seamless and practically invisible. And it really exists; we carry it about in our wallets: the bank card. To withdraw cash from an ATM, you identify yourself by presenting your card (a token you have) and typing your PIN (something you know).


Another real-life form of 2FA is your mobile phone: to access the carrier’s network you need your handset together with the subscriber identity module (SIM) inside it, and you also need the PIN (the “knowledge factor”).


It is ironic, then, that we use these devices to access services which, for the most part, are not protected by two-factor authentication. This contradicts the principle of defence-in-depth, so it is to be hoped that the recently publicised breaches focus the minds of company executives and administrators on making true 2FA systems the norm.


The problem goes further than authentication, however. Authorisation is the next element of access control: it governs the rights and privileges a user has within the system to which they have been authenticated. In the real world this is exemplified by experiences such as the following: proving that you are who you claim to be doesn’t mean you can make a phone call (“Sorry: you have no credit”) or withdraw money (“Sorry: you have no cash”). Getting authorisation right is essential, because it determines not only what genuine users can do, but also what hackers can achieve once they have breached the defences.
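The independence requirement, the “two knowledge items are not 2FA” point from the INSIGHT section, and the separation of authorisation from authentication can all be made concrete in a short login model. The following Python is an added example, not code from the article or from Sestus. It assumes a key-fob that computes HMAC-based one-time passwords per RFC 4226 (the article does not specify how its tokens work), a PBKDF2-hashed password for the knowledge factor, and a constructed user record with a constructed balance; the evidence catalogue mapping credential kinds to factors is also an assumption for illustration.

```python
# Added example (not from the article): a toy login flow that refuses any
# credential set that does not cover two distinct factors, verifies each
# factor, and then applies authorisation as a separate step.
# All user data, secrets and balances below are constructed for the example.
import hashlib
import hmac
import struct
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something the user knows"
    POSSESSION = "something the user has"
    INHERENCE = "something the user is"


# Assumed catalogue: which factor each kind of evidence belongs to.
EVIDENCE_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "email_address": Factor.KNOWLEDGE,
    "hardware_token": Factor.POSSESSION,
    "smartcard": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}


def factors_present(evidence_kinds):
    """Set of distinct factors covered by the submitted kinds of evidence."""
    return {EVIDENCE_FACTOR[k] for k in evidence_kinds if k in EVIDENCE_FACTOR}


def is_two_factor(evidence_kinds):
    """True only when at least two *different* factors are represented."""
    return len(factors_present(evidence_kinds)) >= 2


def describe(evidence_kinds):
    """Label a credential set the way the article distinguishes them."""
    if is_two_factor(evidence_kinds):
        return "two-factor"
    if len(set(evidence_kinds)) >= 2:
        return "strong authentication (single factor)"
    return "single-factor"


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226), as a key-fob would compute it."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def make_user():
    """Constructed user record: salted password hash, token secret, balance."""
    salt = b"constructed-salt"
    return {
        "salt": salt,
        "password_hash": hashlib.pbkdf2_hmac("sha256", b"hunter2", salt, 100_000),
        "token_secret": b"12345678901234567890",  # RFC 4226 test-vector secret
        "token_counter": 0,
        "balance": 50,
    }


def verify_password(user, password):
    """Knowledge factor: constant-time comparison of the derived hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    return hmac.compare_digest(candidate, user["password_hash"])


def verify_token_code(user, code, look_ahead=3):
    """Possession factor: accept the code for the current counter or a few
    counters ahead, then advance the counter so the code cannot be replayed."""
    for c in range(user["token_counter"], user["token_counter"] + look_ahead):
        if hmac.compare_digest(hotp(user["token_secret"], c), code):
            user["token_counter"] = c + 1
            return True
    return False


VERIFIERS = {"password": verify_password, "hardware_token": verify_token_code}


def authenticate(user, submitted):
    """submitted maps evidence kind -> value. Refuse before checking any value
    unless two distinct factors are present; then every factor must verify."""
    if not is_two_factor(submitted.keys()):
        return False
    results = []
    for kind, value in submitted.items():
        verifier = VERIFIERS.get(kind)
        results.append(verifier is not None and verifier(user, value))
    return all(results)


def authorise_withdrawal(user, amount):
    """Authorisation is a separate decision: being authenticated does not mean you have cash."""
    return 0 < amount <= user["balance"]


if __name__ == "__main__":
    user = make_user()
    print(describe(["pin", "password"]))  # strong authentication (single factor)
    code = hotp(user["token_secret"], 0)  # what the fob would display
    print(authenticate(user, {"password": "hunter2", "hardware_token": code}))  # True
    print(authorise_withdrawal(user, 80))  # False: authenticated, but no cash
```

Note that `authenticate` rejects a PIN-plus-password submission before it even looks at the values, which is exactly the distinction the article draws between 2FA and “strong authentication”; and the possession check advances the counter on success, so a captured one-time code cannot be reused.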


CONCLUSION
Two-factor authentication systems have great capacity for preventing the compromise of systems when correctly implemented. It is necessary, nonetheless, that distinct factors are used for authentication before users are handed over to the authorisation systems that implement policy and either permit or deny access to valuable assets.