TWO-FACTOR AUTHENTICATION GOES MOBILE

Transcription

1 TWO-FACTOR AUTHENTICATION GOES MOBILE

2 First Edition September 2012 Goode Intelligence All Rights Reserved Published by: Goode Intelligence 26 Dover Street London W1S 4LY United Kingdom Tel: Fax: Whilst information, advice or comment is believed to be correct at time of publication, the publisher cannot accept any responsibility for its completeness or accuracy. Accordingly, the publisher, author, or distributor shall not be liable to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by what is contained in or left out of this publication. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electrical, mechanical, photocopying and recording without the written permission of Goode Intelligence. [email protected]

3 CONTENTS Market Analysis: The mobile phone as ultimate tokenless authenticator... 2 Understanding the basics: What is Tokenless Two-Factor Authentication (2FA)?... 3 What is Two-factor Authentication?... 3 Key benefit of 2FA... 3 What is Tokenless 2FA?... 3 It s all about user choice! Self-management the key to 2FA lifecycle management... 4 Benefits of user choice and self-management... 4 More mobile phones than people every phone can support tokenless 2FA... 5 Is SMS a reliable method for OTP delivery?... 5 The importance of innovation in tokenless authentication... 6 Innovate or fail!... 6 Innovation Case Study SecurEnvoy... 6 The changing endpoint needs a rethink in 2FA technology... 7 Customer case study Invensys... 8 Invensys 2FA Project... 8 What Goode Intelligence research tells us about mobile 2FA Mobile 2FA Adoption Tokenless Mobile 2FA Market Activity: Increasing sales erode hardware token market Summary Related research / about Goode Intelligence Goode Intelligence

4 The mobile phone has become the de-facto device for business and leisure and is in the hands of the majority of the world s population. Mobile phones have become the dominant computing platform for every part of our daily lives including communication (including business ), social networking, gaming, media consumption, navigation and even payment with the advent of Near Field Communications (NFC) technology. The mobile phone is the ultimate disruptive technology and authentication is not immune from its influence. MARKET ANALYSIS: THE MOBILE PHONE AS ULTIMATE TOKENLESS AUTHENTICATOR This white paper from mobile security research and consultancy specialist, Goode Intelligence (GI) explores how mobile phones are transforming authentication and eroding the position of hardware token technologies as the dominant form in Two-factor authentication (2FA). GI first started its research into mobile phone-based authentication (mobile 2FA) products and solutions in the summer of 2009 and has discovered a number of key facts: Mobile (tokenless) 2FA is considerably cheaper than hardwarebased 2FA solutions including hardware tokens and smart cards Mobile 2FA is easy to deploy and manage with provisioning taking a fraction of the time that hardware-based 2FA solutions can take Mobile 2FA is ubiquitous in that it is available for all mobile phones, not just smart phones In an age where users are bringing in their own mobile devices into the workplace and using consumer cloud-based services for business purposes, end-user choice is vital. Tokenless 2FA solutions must offer user choice through self-management functionality GI s research has uncovered examples of excellent technology innovation from vendors involved in mobile 2FA. Choosing a technology vendor with innovation as a primary pillar is key for end-users when making strategic buying decisions for authentication As mobile 2FA is cost-effective, easy to deploy and available to billions of mobile phone users around the world, it is quickly becoming the de-facto technology to replace weak userid and password authentication solutions Goode Intelligence White Paper Goode Intelligence s white papers offer analyst insight from research extracted from primary sources including surveys, analyst reports, interviews and conferences. GI Research Facts 35% of organisations have deployed mobile phone-based authentication 1 Mobile phonebased authentication has increased marketshare from 5% in 2009 to over 20% by the end of By the end of 2014, 64 percent of 2FA sales will be mobile-based 3 1 Taken from msecurity Survey 2011 Report premium edition, published by Goode intelligence April 2012: 2 Goode Intelligence primary research 3 Taken from The mobile phone as an authentication device Published by Goode Intelligence, November 2009: Goode Intelligence 2012 P a g e 2

5 UNDERSTANDING THE BASICS: WHAT IS TOKENLESS TWO- FACTOR AUTHENTICATION (2FA)? What is Two-factor Authentication? Two-factor authentication (2FA) is an information security process in which two means of identification are combined to increase the probability that an entity, commonly a computer user, is the valid holder of that identity. 2FA requires the use of two reliable authentication factors: Something the user knows, e.g. a password or a PIN Something the user owns, e.g. a mobile phone, a hardware token or a smart card In many 2FA solutions, possession of the second factor, something that the user owns, is demonstrated by knowledge of a one-time password (OTP). This OTP is either generated by the second factor in the possession of the user, e.g. a mobile phone, or by a trusted server that is then delivered to the second factor. This delivery can include SMS text messages. Key benefit of 2FA Reduces the possibility of an authentication credential being stolen and hacked. Passwords are static codes that are prone to theft, e.g. through a phishing, keylogging, or replay attacks. By utilising OTPs, a 2FA solution can avoid many of the weaknesses associated with static password solutions. What is Tokenless 2FA? Hardware tokens generating OTPs have been a common method for 2FA. For many years enterprise users have been carrying around hardware tokens for enterprise 2FA. But have hardware tokens had their day? Has a combination of high purchase and distribution costs, a move away from centralised support to self-service and security concerns created by high-profile hacks meant that alternative 2FA solutions are beginning to erode this once dominant technology? A credible alternative to hardware tokens are tokenless solutions. Tokenless solutions do not rely on proprietary hardware but instead make use of existing hardware that is already in the hands of users. They perform all of the security functions that hardware tokens offer, and in some cases enhance security, but are not reliant on expensive, single-use, hardware technology. The power of tokenless is especially strong when the device being utilised is a mobile phone. GI Definitions 2FA: Two-factor Authentication. Something the user knows and something the user owns or has Tokenless 2FA: 2FA solutions that do not rely on proprietary hardware technology OTP: A one-time password is a password or code that is generated for only one login session Credential: Identity attestation issued by an authority to validate users at logon Replay attack: Where a password is intercepted or stolen and then replayed by an imposter user to get unauthorised access to a computer or network Goode Intelligence 2012 P a g e 3

6 IT S ALL ABOUT USER CHOICE! SELF-MANAGEMENT THE KEY TO 2FA LIFECYCLE MANAGEMENT Choice is a frequently used word in IT at the moment. The choice for an employee to bring in their own personal device to the workplace and use it for business purposes; where device can mean smart phone, tablet computer, netbook, laptop or MacBook. The choice to share information with friends and colleagues using agile cloud-based services such as Dropbox and Box. The choice to communicate with friends and colleagues using social network tools such as Facebook, Twitter and LinkedIn. Is choice relevant to information security and in particular is it relevant to 2FA? On the surface you would think not as it goes against some of the tenants of information security; strict information security policy drive technology controls that are deployed by central IT and information security functions. This does not really sit well with user choice; or does it? Will bring your device (BYOD) turn into bring your own token (BYOT)? Over two-thirds of organisations now support BYOD and many are using tools such as Mobile Device Management (MDM) to enforce security policy. 4 These employee-owned devices are also being utilised as authenticators; soft tokens running as mobile apps Bring your own token (BYOT) Are we able to put the user in control whilst at the same time ensuring that information security policy is met? GI firmly believes that the two can coexist with each other for 2FA solutions by: 1. Choosing an authentication technology partner that puts the user in control but also allows authentication security policy to be met 2. Allows administrators to create the technology framework to support choice 3. Allows the end user to choose the authentication device of choice 4. Supports any mobile phone, not just smart phones that can run mobile apps 5. Allows the user to swap seamlessly between mobile phones without incurring additional license cost Benefits of user choice and self-management Modern enterprise IT is all about providing users with choice and information security should not be immune to this trend. It is important that authentication solutions provide the user with choice; putting the user in control of what authentication device (mobile phone) they want to choose. A core strength of today s authentication solution should be the offer of selfmanagement; empowering the user to manage their own authentication service, thus removing the onus on administrators of authentication lifecycle management. 4 Taken from msecurity Survey 2011 Report premium edition, published by Goode intelligence April 2012: Goode Intelligence 2012 P a g e 4

7 MORE MOBILE PHONES THAN PEOPLE EVERY PHONE CAN SUPPORT TOKENLESS 2FA It is forecast that shortly there will be more mobile devices than people on this planet (forecast for just over seven billion people in 2012) 5. Ericsson, the mobile network technology vendor, forecasts that by 2017 there will be nine billion mobile phone subscriptions. 6 Forecasts for 2011 indicated that there were around six billion mobile phone subscribers around the world with predictions that this figure would rise by 500 million, to a total of 6.5 billion, by the close of billion mobile phone subscribers by the end of 2012 Every one of these mobile devices has the capability to support tokenless 2FA, either through the receipt of SMS text messages containing OTPs or by utilising a mobile app that generates the OTP on the device itself. Two-factor authentication is within easy reach of the majority of the world s population without the need to issue and manage any additional hardware that is over six billion potential authenticators. That means tokenless 2FA for any mobile device, anytime from anywhere in the world. Is SMS a reliable method for OTP delivery? There is occasionally an issue with reliability of OTP delivery with SMS text message-based 2FA solutions. Mobile network operators (MNOs) cannot guarantee SMS text message delivery within an acceptable timeframe for 100 percent of all SMS messages delivered. There are times when the mobile network is overloaded, e.g. peak times at events and natural disasters, and other times when network coverage is either poor or non-existent, e.g. an IT engineer in a data centre that may be underground or protected from radio. Late delivery of an OTP contained in an SMS text message can be problematic for a timecritical login that can mean no access to critical enterprise resources. To overcome this tokenless 2FA vendor, SecurEnvoy, has developed a patented pre-loading feature where 5 United Nations world population figures 6 Ericsson: Please note that this forecast is for subscriptions. One mobile phone subscriber can have multiple mobile phone subscriptions. 7 Goode Intelligence 2012 P a g e 5

8 the problem of poor mobile phone network coverage is removed by the ability to pre-load OTPs. Pre-loaded one time codes are an innovation from SecurEnvoy that gets over the problem of guaranteeing the receipt of SMS text messages. There are situations, e.g. peak-times for SMS traffic or when a mobile phone user is outside of network coverage, when an SMS text message cannot be delivered to a user within a timely manner. This can be critical if you are using SMS to deliver an OTP for remote network access. By pre-loading one time authentication codes each time (three codes are sent with each SMS text message) a user initiates a logon session this issue is resolved THE IMPORTANCE OF INNOVATION IN TOKENLESS AUTHENTICATION Innovate or fail! There are many examples in the history of information technology where market-dominant technology vendors have seen a steep-decline in fortunes as a result of a failure to keep innovating. The IT and telecommunications graveyard is full of organisations that, instead of keeping innovation central to their strategy, have relied on technology that may have been disruptive and innovative in a previous IT age. The current problems that technology vendors such as Research In Motion (RIM) and Nokia are facing testify that companies must strive to innovate and successfully get that innovation to market. The mantra of innovate or fail is as true in the world of information security and authentication as it is with other areas of IT and telecommunications. One authentication vendor that views innovation as key to its success is SecurEnvoy. Innovation Case Study SecurEnvoy Tokenless mobile phone-based authentication has been around as a concept since the late 1990s and as a product since the early part of the current century. SecurEnvoy has been at the vanguard of innovation (see figure 1 for a timeline of SecurEnvoy s innovation) in tokenless authentication since 2001 when the first pre-loaded one time code was sent to a mobile phone. Goode Intelligence applauds SecurEnvoy s track record of innovation in tokenless authentication from its early beginnings in Its record for innovation includes using mobile 2FA for password resets (2006), tokenless cloud-based authentication with SecurCloud (2009) and continues into the present with supporting the use of its tokenless authentication for enterprise-grade disk encryption solutions. Future product releases will build on this strong track record in innovation and will include solutions to use one time codes to session lock the voice network to the browser s current network connection for phone call-based authentication. Goode Intelligence 2012 P a g e 6

9 Figure 1: SecurEnvoy Timeline of tokenless innovation Source: Goode Intelligence, July 2012 (data from SecurEnvoy) THE CHANGING ENDPOINT NEEDS A RETHINK IN 2FA TECHNOLOGY We are witnessing diverse and fundamental changes in how enterprise IT is accessed and consumed. A combination of smarter connected consumer devices and cloud-based enterprise services is leading to a revolution in how employees access enterprise IT resources. Company-issued laptop computers have been the de-facto endpoint computer device for accessing enterprise IT resources when away from the office. Laptop computers are equipped with serial and USB ports that allow devices, such as smart card readers and USB memory sticks, to be easily attached and used. Smart cards and USB-based authenticators have been methods in which 2FA has been supported. However, as falling laptop sales testify, the laptop is losing its grip on being the prime enterprise mobile computing device. Goode Intelligence 2012 P a g e 7

10 In recent years the trend has been to complement, and even replace, enterprise laptop use with a new breed of smart connected devices. Commonly these new smart mobile devices (SMDs) are smart phones and tablet computers running mobile operating systems. Additionally the enterprise is been extended out to a new range of connected intelligent consumer devices that offer similar levels of functionality as smart phones and tablet computers. It is feasible that access to enterprise resources could well be pushed out to Smart TVs, games consoles and other touch-screen consumer devices. The changing nature of enterprise IT requires a good long-term strategy and involves a good degree of future-proofing and authentication is certainly not immune from this These are consumer devices and, in the main, do not offer the same levels of local connectivity that a laptop computer does. If an organisation has adopted hardware-based a 2FA solution that requires either a physical connection, certificate or pre-installed software on an enterprise owned device than this investment would be redundant in this new age. As a result of this change, organisations should embrace 2FA technology solutions that have a zero footprint at the point of authentication; thus accommodating both existing connection points on any present or future device. This approach is more in-tune with the changing nature of enterprise IT. Goode Intelligence believes that tokenless mobile 2FA currently offers the best solution to provide strong authentication for the new breed of remote enterprise workers. CUSTOMER CASE STUDY INVENSYS Invensys is a UK-based FTSE100 engineering conglomerate with revenue of nearly 2.5 billion (2011) employing more than 20,000 staff around the world. The company is comprised of three companies; Invensys Rail, Invensys Controls, Invensys Operations Management. Historically, each of three businesses was run independently, including its IT infrastructure services. To streamline its operation, Invensys introduced a global IT infrastructure division with a remit of developing shared IT services across all three of the business units. This included remote access services with a vision of creating a single solution to support employees accessing Invensys IT resources remotely. Naturally, user authentication is a vital part of this shared infrastructure. Invensys 2FA Project Back in 2009, Invensys Rail was using a hardware token solution to provide user authentication for its remote access service. The hardware 2FA solution was not without its Goode Intelligence 2012 P a g e 8

11 problems; despite being run as an outsourced service Invensys Rail found it to be time consuming and costly to operate. One key issue was availability of the hardware token when end-users really needed it. Users were often without their tokens when they were required to connect to the Invensys Rail IT network remotely. A decision was made to replace the hardware token solution with the key project drivers being: 1. To reduce the cost of the current hardware token 2FA solution; calculated as $8 per person per month for hardware token. 2. To reduce the time it took to deliver 2FA credentials to users; calculated as taking around ten days. The task was given to David van Rooyen, principal solutions architect, responsible for Invensys telecommunication based infrastructure strategy. After developing the requirements and evaluating the technology available, Van Rooyen decided to deploy a mobile phone-based 2FA solution provided by SecurEnvoy - SecurAccess. Van Rooyen outlined how the SecurEnvoy solution fulfilled Invensys requirements for an agile cost effective 2FA solution; Provisioning a physical token for one of our users takes around ten days compared with five minutes provisioning a soft token, so the man hours are vastly reduced as well as the costs of shipping them out. I ve completed a full business analysis and found that $8 per person per month is what it was costing for a physical token versus $2 per person per month for a soft token. When you replicate that across 15-20,000 users, the savings are in the millions. Table 1: Key benefits: Hardware token vs. Tokenless - Cost reduction and Time saving Hardware Token Tokenless Cost Reduction ($) $8.00 per user per month $2.00 per user per month Time Saving (Provisioning single token) 10 days 5 minutes Goode Intelligence 2012 P a g e 9

12 WHAT GOODE INTELLIGENCE RESEARCH TELLS US ABOUT MOBILE 2FA Goode Intelligence is a leading authority in mobile security and has been covering the mobile phone-based authentication market since 2009 when it first published its report The mobile phone as an authentication device. Since that report was published GI has noticed the steady rise in the adoption of mobile phone-based authentication solutions. Mobile 2FA Adoption In Goode Intelligence s annual mobile security survey (GI msecurity survey report) there has been a steady rise in the adoption of mobile phone Two-factor (2FA ) authentication solutions from zero adoption in 2009, rising to 22 percent in 2010 and standing out 35 percent in the last survey from late 2011 (with a further six percent planning to deploy). Figure 2: The percentage of organisations that have adopted the mobile phone as an authentication device % 22% 35% Tokenless Mobile 2FA Market Activity: Increasing sales erode hardware token market In terms of market activity, Goode Intelligence s market analysis (started in the summer of 2009) suggests a steady annual increase in the sales of mobile 2FA solutions. In 2010, data harvested from end-users and technology vendors, suggested that around five percent of global 2FA sales were mobile-based. A follow-up study in 2012 discovered that this figure was now over 20 percent. A forecast, made by GI in 2009, suggested that by the end of 2014, 64 percent of 2FA sales will be mobile. 8 By 2012, 64 percent of total 2FA worldwide sales will be mobile-based 8 Taken from The mobile phone as an authentication device Published by Goode Intelligence, November 2009 Goode Intelligence 2012 P a g e 10

13 SUMMARY Mobile phones offer organisations that are evaluating their end-user authentication strategy a realistic alternative to both single-factor, userid/password, and hardware-based (singleuser devices) two-factor authentication solutions. This white paper has explored how mobile 2FA is meeting the needs of modern IT functions that require agile, cost-effective and easy to deploy/manage two-factor authentication solutions. The market for mobile 2FA will continue to grow and it is on course to become the dominant force in two-factor authentication. End-users who are reviewing their authentication strategy must seriously consider mobile 2FA as a viable solution. End-users should ask potential authentication partners these important questions when evaluating a suitable 2FA technology solution: Does the solution offer an end-user choice in what mobile phone they can use for 2FA purposes? Can the end-user make these choices through a self-management function? Does the mobile 2FA solution work on any phone, in any region and any time? If the solution is SMS-based, how is the problem of delayed SMS delivery and poor network coverage resolved? How easy is it to re-provision an end-user when that user changes their mobile phone and is there any additional cost involved in this process? What track record does the potential technology partner have for innovation and will innovation continue to be important for future product releases? Should allow 2FA on any device allowing zero footprint at the point of login Goode Intelligence 2012 P a g e 11

14 RELATED RESEARCH / ABOUT GOODE INTELLIGENCE The mobile phone as an authentication device (Published November 2009) Mobile Phone Biometric Security Analysis and Forecasts (Published June 2011) GI msecurity 2011 Survey Report Premium Edition (Published April 2012) mbiometric Series Insight Report: Mobile Fingerprint Biometrics (Planned publication September 2012) Mobile Financial Services (MFS) Series - Insight Report: Mobile Banking Security (Planned publication October 2012) Smart Mobile Identity the next wave of mobile identity and authentication solutions (Planned publication December 2012) For more information on this or any other research please visit Since being founded by Alan Goode in 2009, Goode Intelligence has built up a strong reputation for providing quality research and consultancy services in mobile security. This document is the copyright of Goode Intelligence and may not be reproduced, distributed, archived, or transmitted in any form or by any means without prior written consent by Goode Intelligence. Goode Intelligence 2012 P a g e 12