Two-Factor Authentication Making Sense of all the Options

Transcription

1 Two-Factor Authentication Making Sense of all the Options The electronic age we live in is under attack by information outlaws who love profiting from the good record of others. Now more than ever, organizations need a secure method to verify the identity of every person with whom they do business. The popular, yet archaic, method of relying on passwords alone is steadily dying. The new kid in town is two-factor authentication, designed to combat fraud and make the business world more secure. Two-factor authentication is a security process that confirms user identities using two distinctive factors something they have and something they know. By requiring two different forms of electronic identification, corporations reduce the risk of fraud and create greater assurance that the Internet is a safe place to do business. In a simplistic example, an automated teller machine (ATM) card and a personal identification number (PIN) represent a form of two-factor authentication. The ATM card and the PIN by themselves are useless to a prospective identity thief. Only when a person has and knows both factors can an identity be confirmed and access granted. This paper will explore the benefits of a variety of two-factor authentication methods and address possible applications for each method. Passwords are a common form of authentication, yet they are open to a broad array of security problems. Password Please? The Problems of Single- Factor Authentication That secret word you (and hopefully only you) know is designed to predominately grant passage or access to controlled information. Though widely adopted as a standard for user identification, passwords suffer from a variety of security limitations. Possible problems include: Keystroke Monitoring: Somewhere right now, someone is monitoring and storing every keystroke an executive is making on his or her keyboard. Using special software, passwords are easily lifted, leading to a potential security compromise. In more extreme situations, a monitor s emissions can be read and deciphered, revealing everything displayed on the screen. Rainbow Technologies Two-Factor Authentication White Paper

2 Peering over someone s shoulder with the intent of acquiring his or her password is one form of social engineering. Social Engineering: This form of attack preys on people to reveal passwords using social situational tactics or outright spying. For example, a smooth-talking impostor could persuade a company s staff member to reveal a password over the phone by claiming to be someone else and explaining that he or she has lost his or her login and password. Shoulder surfing is another example of social engineering that occurs when someone sneaks an overthe-shoulder peek while a user types a password. Man-in-the-Middle Attack: With this type of attack, a computer is set up as an interface between a client computer and the server that handles authentication. The computer in the middle accepts the client s password as if it were the server and logs in to the server using the client s identity. Server access is granted to the man in the middle, which in turn passes information to the client machine. The result is the client s unique login information has been taken without the user s knowledge. Network Monitoring: Also known as sniffing, network monitoring occurs when a computer on a network looks for message streams that contain words such as password or login. This is especially common in Ethernet networks where every computer on the network can easily read any network traffic. Streams containing passwords can be stored and used to gain unauthorized access. Password Cracking: Also known as a brute force attack, this type of security breach is a result of repeated login attempts with different key combinations or words. For example, there are many readily available applications designed to guess passwords by using dictionaries to look up common words, names of children and word combinations. Studies from the worldrenowned European Laboratory for Particle Physics (CERN) found that more than one in four passwords can be quickly determined with password cracking tools. Posting passwords on monitors is one of the most common ways that passwords are compromised. Key Under the Mat: One of the most common ways that passwords are compromised is when they are exposed to passerby s. Since the invention of the Post-It note, passwords have been pasted on monitors and in other obvious places for all to see. This is further complicated by a common pattern of using the same password for everything from voic access to an ATM PIN. If a single password is compromised, it is very easy to access other systems using the same password. IT Staff Abuse: If there is any group within a company that can access anyone s password information, it is the IT staff. Should these individuals become disgruntled or disenfranchised, the possibility for mayhem is great. The above list represents a small sample of the real-world problems that exist with password authentication. For systems that demand reliable security, a two-factor authentication system is an excellent option because it does not rely exclusively on a piece of knowledge, like a password. Rainbow Technologies Two-Factor Authentication White Paper

3 The ABC s of Two-Factor Authentication Two-factor authentication is comprised of something a user knows and something he or she has. Two-factor authentication is unique in its strength because it does not rely exclusively on something known by a user, but it adds something that he or she must have. This added factor is a physical device or some part of the user s body, such as a palm print. These devices or things that a user has are sometimes referred to as tokens. The token is unique and not easily replicable. Tokens generally can be disabled at a moment s notice, meaning their ability to serve as an authentication device can be immediately revoked. In addition, a two-factor authentication system is much less expensive to implement for vendors because a single token and PIN can be used for all authentication purposes from placing phone calls to purchasing books on the Internet. To review, two-factor authentication consists of: Something you have: This factor includes keys, cards, tokens and so on. These things can also be stolen or lost. Something you have can also be known as something you are, and includes physical or physiological characteristics such as a fingerprint or vocal patterns. Something you know: Passwords and PINs are examples of this factor. It is important to note that this knowledge can be lost, shared or guessed by others. The strength of a two-factor security system occurs when combining two factors. Consider a hypothetical example of losing a car key. The key is an example of the something you have factor. If the key is stolen in a single-factor security system, the likelihood of your car disappearing is great. However, a twofactor system removes the risk to your car. In this system, your car is inoperable without a unique PIN and the key. Thus, combining two security factors significantly increases the strength of a security system. Benefits of a Two-Factor System - Resistant to single-factor attacks including keystroke monitoring, social engineering, man-in-the-middle attacks, network monitoring, password cracking, key under the mat and IT staff abuse. - Difficult for a user to deny involvement in a transaction because users are held accountable for all actions resulting from a successful user authentication. - Less likely to lead to fraudulent or unauthorized access to corporate data. - Easy for end-users to use. - Durable and offers a long-term security solution. - Easy to administer. Rainbow Technologies Two-Factor Authentication White Paper

4 Two-Factor Authentication Options Two-factor authentication comes in many unique flavors and each type has benefits and disadvantages. Common methods include: Password Generation Tokens Password generation tokens create custom passwords each time they are activated. Biometrics measure unique bodily characteristics as a form of identification. A password generation token reveals a unique password to its owner each time it is used. The token removes the need to memorize passwords and ensures that the same password is never used twice. The secret password is generated from a secure algorithm that is based on both a unique user ID and the current time. In some form factors, a PIN is used to activate the card and assure that it becomes useless if it is lost or stolen. This type of authentication is sometimes called session-based authentication, since the authentication lasts for a period of time. Password generation tokens are reliable, very easy to use and can withstand physical abuse. Moreover, no special client hardware or readers are needed to use a password generator. Form factors include key chain devices and credit card-sized generators. Applications include intranet and extranet access control. User error is a common problem with password generators because users must manually enter each password during the authentication process. This extra step can be cumbersome when repeated many times and can increase the likelihood of repeated errors. Session-based authentication is vulnerable to session hijacking because the end-user is able to leave the computer unattended while the authenticated session is still active. In addition back-end management of password generation environments is time consuming and costly as databases and servers must be retooled to accommodate the changing password requirements. In addition, the cost of each token may be prohibitive (as much as $75 per token) for some applications. Finally, this type of two-factor authentication is not well-suited for a PKI environment because the user private key must be stored somewhere on the client s file system. This could be a local hard drive or stored within the network, leaving the key open to possible theft or interception when being retrieved. (Note: This is how RSA s KEON works. It stores Digital IDs in a secure place in the network that can be unlocked by an appropriate token.) Biometrics Biometrics, the measurement of unique physical or physiological characteristics of the human body, found early acceptance in highsecurity environments such as government security. Biometric measurements represent something that cannot be easily transferred between individuals, reducing the likelihood Rainbow Technologies Two-Factor Authentication White Paper

5 of fraud. Biometric authentication covers a broad spectrum of measurement techniques, from retinal scanning to voice verification. Some examples of the biometric methods employed today include: Fingerprint verification is the most common biometric authentication method used today. Fingerprint verification: Used by police organizations around the world, fingerprint verification is the most common biometric authentication method in use today. There are a variety of fingerprint verification methods, and some are more accurate than others. Improvements to scanning techniques and enrollment methods have reduced the instances of false rejection experienced in many early fingerprint verification systems. Workstation access is one of the most common business uses of fingerprint verification. Hand geometry: Hand geometry is the three-dimensional analysis of a user s hand and fingers. This form of biometric can be highly accurate and works well with larger groups of users. The downside to hand geometry is the large hand reader that is required. Hand geometry is most commonly used in time and recording environments. Voice verification: This form of biometric requires a user to speak a specified phrase into a microphone. Speech patterns are analyzed and compared to the user s prerecorded voiceprint. Many forms of voice verification are negatively influenced by background noise and low-quality transducers, which can cause false rejections. In addition, a cumbersome procedure is necessary to initially register a user s voice. Workstation access is a common use of voice verification. Retinal and iris scanning: These biometric processes involve examination of patterns found in the human eye. Retinal scanning is very accurate but requires a user to place his or her eye very close to a scanner. Users complain of intrusiveness and retinal scanning can be difficult to accomplish if the user is wearing glasses. Iris scanning does work with glasses and is highly accurate. Difficulty of use and system integration have been weaknesses of both systems. Perhaps the largest problem with biometric systems is false rejections denying access to legitimate users. Facial recognition: The latest solutions using inexpensive cameras combined with 3D techniques are beginning to appear. While these techniques need today s powerful PC systems, they are less intrusive than retinal/iris scanning. There are other biometric systems in use, including signature verification, scent analysis and earlobe recognition. Biometric systems are perceived as high-tech in nature and as being able to distinguish an individual s identity. However, there are many challenges to implement biometrics, including the cost of the devices and their accuracy. It is possible depending on the user group size for biometric systems to falsely reject real registered users or to not be able to distinguish between subtle differences of two similar individuals. In addition, if biometric images are stored and transmitted over a network for Rainbow Technologies Two-Factor Authentication White Paper

6 authentication, then the system may be less secure and open to theft or interception. Some systems actually store the original biometric image in the reader itself, never using a remote server for authentication. Unless properly protected, this could open a possible security loophole. Someone could hack the reader and force it to report a user confirmation when one did not transpire. Smart Cards and Smart Tokens Smart devices are the most widely adopted forms of two-factor authentication. Smart cards and smart tokens share similar underlying technology but rely on different form factors and equipment interfaces. Both types of smart devices contain tiny computer chips that store information, and in some cases, perform encryption techniques. Because these devices contain active components that are frequently be interrogated by software, cards and tokens can be used to provide an always-on authentication system. Therefore, smart devices represent the most widely adopted form of two-factor authentication. Smart Cards First introduced in Europe in the 1970s, smart cards have found large international acceptance with more than one billion cards shipped annually. A smart card is a credit card-sized device with an embedded computer chip. Generally speaking, a smart card must be inserted into a reader device for use. Memory cards rely on the reader to secure the data stored within the card. There are two types of smart cards: memory cards and microprocessor cards. A memory card stores information, much like a floppy disk, and is read when inserted into a reader device. Memory cards are less expensive than microprocessor cards and rely on the card reader for securing the data on the card. Memory cards tend to be used in lower-security environments because of their inability to perform encryption algorithms. A microprocessor smart card can store, add, delete and process data much like a tiny computer. A microprocessor smart card can download data and applications. The card itself offers security independent of the reader device, making it ideal for high-security applications. Microprocessor cards offer higher security because the user s private key never leaves the card. With microprocessor smart cards, a user s private key is securely stored within the smart card and never leaves the card. Using the onboard processor, all cryptographic functions, including digital signatures and decryption of session keys, occur inside the card. Smart cards are small, easy to transport and difficult to replicate. Smart card applications range from mobile phone identification to satellite television control. Internationally, banks have distributed smart cards to millions of customers to increase the security of Rainbow Technologies Two-Factor Authentication White Paper

7 credit and ATM cards. Telephone operators and other industries run pre-payment systems using smart cards. In Germany, 80 million people use smart cards to access Germany s national health system. Smart cards have their disadvantages as well. Hooking up smart card readers to computer systems can be a very time-consuming process. A recent study by the U.S.A. military estimated that the average time to install and configure a smart card reader onto an existing Windows system takes more than 30 minutes. Smart Tokens Smart tokens are the same as smart cards but come in different form factors and use different interfaces. Smart tokens are technologically identical to smart cards with the exception of their form factor and interface. Smart tokens are similar in size to a house key and are designed to interface with the Universal Standard Bus (USB) ports found on millions of computers and peripheral devices. Like smart cards, smart tokens are available in both memory and microprocessor variations. USB-based smart tokens provide unique advantages in corporate IT environments. Smart card readers are not required because smart tokens simply plug into USB ports commonly found on most modern computer keyboards and on some monitors. Most recent popular Operating Systems have USB drivers built-in that utilize plug-and-play techniques to load the required Smart Token drivers. USB smart tokens can be much faster due to the high-speed of USB than the traditional parallel or comm. port-connected smart card reader. In addition, USB smart tokens are easy to use and designed to fit on a key chain. Studies have shown that when presented with a choice between a smart card or a smart token, 95% of users prefer the smart token. Of all the two-factor authentication devices in use today, smart devices are the most widely accepted and the most secure for high security and PKI applications because they can provide always-on authentication Rainbow Technologies Two-Factor Authentication White Paper

8 Smart Tokens: How They Work When a smart token is initialized, a shared secret or key is generated from the vendor s server and placed in the token. The shared secret is an electronic piece of data that plays an important role in authenticating the user and is not known by the user. When the user receives the smart token, he or she activates it with a custom PIN. The shared secret stored within the token creates the first factor. The PIN creates the second factor. Authentication will only be granted when both factors are present. A TYPICAL SMART DEVICE AUTHENTICATION PROCESS The smart token authentication process begins when a user plugs his or her smart token into a spare USB port. This represents the first factor: something the user has. The second factor is accomplished when the user enters his or her PIN: something the user knows. The server reads the user s unique token identifier or serial number to determine if it is a known token. The server then sends the client a random string of data as a challenge, designed to help authenticate the user s identity. The client creates a message digest by processing the challenge data with his or her shared secret or key. The client digest, also known as a response, is then transmitted to the server. Using the token s serial number, the server locates within its database a copy of the user s shared secret. The server uses the shared secret to process the random string of data sent to the client, Rainbow Technologies Two-Factor Authentication White Paper

9 resulting in a server digest. If the client and the server digests match, the client is authenticated. Recent progress with biometrics has seen PIN entry replaced by either fingerprint or facial scans. Here at enrollment, the user s biometric is taken and verified before being stored as a template on the smart token. Subsequently, when needed, the smart token is inserted into the USB port. The client software then asks the user for a biometric; e.g.: a fingerprint or facial scan, which it compares with the stored template. If there is a match, then the client authentication continues as above. In this example, three factors have been utilized: the token (something you have), the biometric PIN, and the shared secret (something you know) that has been released. The Next Wave of User Authentication SSL User Authentication The next generation of two-factor authentication is known as SSL user authentication (SSL/UA), which involves public key infrastructure technology (PKI) and the secure socket layer (SSL). For an overview of PKI and SSL see Rainbow white papers Public Key Infrastructure Securing the Future of Communication and The Secure Sockets Layer Protocol Enabling Secure Web Transactions. With SSL/UA, the client contacts the server via SSL and a onetime symmetric session key is generated. The client signs the session key with his or her digital signature (generated within the smart token) and encrypts the resulting data using the server s public key. The server receives the signed and encrypted information from the client, decrypts it using the server s private key and validates the client s digital signature and digital certificate via normal PKI methods. The server then checks its own database to determine if the user s digital certificate is among those authorized to use the service. If the certificate is confirmed and the user is authorized, the client session is authenticated. The server sends back an authorization by encrypting it with the one time session key. All future communication is encrypted and decrypted with the symmetric key. With SSL/UA there is no management of a shared secret, instead it is replaced by the digital certificate. Using the digital certificate makes SSL/UA a more widely adapted security approach because certificates can be easily shared, yet corresponding digital signatures can only be generated by using the associated private key. Storing the private key within a cryptographic token provides a higher security assurance because of the benefits of PKI. Rainbow Technologies Two-Factor Authentication White Paper

10 Rainbow s Two-Factor Authentication Products Founded in 1984, Rainbow Technologies is a leading provider of security solutions for the Internet and ecommerce. Rainbow products bring high-performance, secure, PKI-based solutions to end-users and corporations. Rainbow s ikey 2000 is a USB-based portable PKI authentication token that can generate and store private cryptographic keys and digital certificates on a device small enough to fit on a key chain. An extension of smart card technology, the ikey 2000 simply plugs into any USB port and provides strong always-on user authentication without the need for costly reader devices. The ikey 2000 was designed to support a wide range of desktop applications and portable systems. Rainbow also offers a memory-based smart device, the ikey 1000, which again can provide always-on user authentication and is ideally suited for moderate-security authentication applications that do not need to generate cryptographic keys or store digital certificates. For more information about Rainbow Technologies and Rainbow products, visit Rainbow Technologies Two-Factor Authentication White Paper