Two-Factor Authentication and Swivel

Transcription

1 Two-Factor Authentication and Swivel Abstract This document looks at why the username and password are no longer sufficient for authentication and how the Swivel Secure authentication platform can provide a strong, cost-effective authentication solution that is easy to use and to manage. 2012

2 White Paper Heading 2 Contents Introduction... 3 Single-Factor Authentication... 4 Threats against Usernames and Passwords... 4 Malware Attack... 5 Guess the Password... 5 Steal the Password... 5 Shoulder Surfing... 5 Phishing... 5 Dual-Factor Authentication... 6 Attacks against Dual Factor Authentication... 6 Steal the Token... 6 Phishing... 6 Dual-Factor Authentication and Swivel... 6 Tokenless... 7 One-Time Code Extraction... 7 Attacks against Swivel... 8 Stealing the token... 8 Phishing... 8 Conclusion... 9

3 White Paper Heading 3 Introduction The increasing use of remote access and web-based commerce has increased the need for convenient, cost-effective, yet strong authentication models. Relying on a single factor of authentication, i.e. username and password, is no longer appropriate for many applications. This has led to the increasing use of multi-factor authentication; whereby authentication requires the user to know something (e.g. a password) and possess something (e.g. some form of authentication token). Swivel s approach to two-factor authentication has the advantage that the user does not need a dedicated authentication token. Add to this PINsafe, our patented one-time code extraction protocol, Swivel can provide a strong, cost-effective authentication solution that is easy to use and to manage.

4 White Paper Heading 4 Single-Factor Authentication When a user authenticates they need to present credentials to the authentication server. A credential maybe based on: Something they know, e.g. a password Something they have, e.g. a security string provided by a token Something they are, e.g. a finger print or retina scan. Each one of these is a factor of authentication. In the early days of authentication (and in many systems still today) authentication is based upon just a single factor of authentication, specifically a combination of a username and a password (UNP). There is an increasing awareness that this is not sufficient for many systems. This realisation is showing itself not only in the increasing number of organizations that are moving to multi-factor authentication but also in more regulations and legislation that are mandating multi-factor authentication. There are three driving forces are behind this. Firstly the increasing value of the systems being protected by authentication systems, secondly the increasing availability and variety of tools that can be used effectively against simple UNP authentication, and thirdly the increase in cybercrime. Threats against Usernames and Passwords One of the weaknesses of UNP is the fact that the password is static; i.e. it does not change from one authentication attempt to the next. Administrators may insist that passwords are changed every 3 months, or even every month, however that still gives an attacker a significant amount of time to aim at a stationary target. Another issue with passwords is that users and helpdesk administrators want them to be easy to remember but IT managers and security managers want them to be difficult to guess. These requirements tend to work against one another. It is much easier to remember words than it is a series of random characters, but it is much easier to guess a word than a series of random characters. Or order for users to help themselves remember more complex passwords they are more inclined to re-use the same password for different applications and interfaces. One final weakness of UNP as an authentication model stems from the fact that username and passwords have been around for so long. This means there are many software-based attacks out there that are, thanks to the internet, widely available. So what are the threats against username and password? The following list is not meant to be exhaustive; it focuses on technical attacks against the

5 White Paper Heading 5 client rather than attacks against server or social engineering based attacks such as con-tricks, blackmail etc. Malware Attack Deploy malicious code on target s computer, for example, a key logger that records a user s keystrokes. By looking at the details of the keys pressed so the password can be determined. Searching the log for a username and the password is likely to follow. Some software attacks are more sophisticated and look for specific actions before starting to log, e.g. accessing banking URL. The static nature of passwords means that this form of attack can be very effective. Guess the Password There are a range of guessing attacks against passwords which are based on how much or how little information the attacker has about the target. On one extreme there is a brute force attack whereby an attacker just guesses different possibilities until they succeed; not very effective but can be used if the attacker can gain access to the file of encrypted passwords. Slightly more targeted is a dictionary attack, where rather than just guess random values, the attacker restricts the attack to words or phrases that are likely, as most people choose passwords that are words. Finally, if the attacker knows personal information about the target, they may try their favourite sports teams or their children s names as password. The need to make passwords memorable makes this kind of attack an option. Steal the Password One way of satisfying the IT security manager s insistence on a complicated password is to write it down somewhere; in an envelope in the desk drawer etc. Whereas this form of attack requires physical access, it is surprisingly common practice for people to write passwords down unencrypted. Shoulder Surfing To find out what someone s password is you just watch them type it in. Another attack that requires physical access, but as passwords are static, you have plenty of attempts at watching the user type in their password to manage to discern the whole thing. This form of attack has become more recognised since the use of Chip and PIN technology with people being asked to hide their fingers as they type in their PIN. Phishing It is particularly difficult to defend against phishing attacks, partly because it is so easy to mount such an attack. You can get all the corporate imagery you need from the real website to build a mocked-up site then you can mass a mock to any valid address. The user goes to the mock site and enters their username and password. The attacker then has the password that they need and they can do what they will with it.

6 White Paper Heading 6 Dual-Factor Authentication Adding another factor of authentication adds another task for the attacker to complete before their attack is successful. The basic model is that the token provides the user with a one-time code that they must enter in order to authenticate; the security string is dynamic in that it is different for each authentication. We can see that there are many and varied ways of gaining one factor, the password, but having succeeded in that what does an attacker need to do in addition to succeed in defeating two-factor authentication systems? Attacks against Dual Factor Authentication There would appear to be two obvious approaches: Steal the Token An attacker may be lucky in that the token may be kept in the same drawer as the user s password! But clearly an attack that combines a software attack determining the password and physically obtaining the token could be a successful attack. The first element being straightforward, the second one less so, however in an e-commerce B2C scenario with many tokens being physically distributed; there may be vulnerabilities that could be exploited. Phishing Phishing can still have some success even against dual factor authentication as the attacker obtains the users password and one-time code and can therefore use those credentials to fraudulently authenticate as the user. Unlike the phishing attack for single factor this does not allow the attacker to steal the user identity as the user still has the token. This means the attacker cannot re-authenticate without re-phishing the required one-time code. This means that a web application that requires repeated authentication provides a good defense against phishing attacks. For example a banking website that requires authentication for every monetary transaction. Dual-Factor Authentication and Swivel Swivel authentication platform is a dual factor authentication solution with subtle but important differences. As with many dual factor authentication systems, Swivel sends a security string to the user that the user needs to authenticate but security strings are sent to the user s mobile phone either in the form of a voice call, SMS or via a mobile app; therefore there is no need for dedicated security tokens.

7 White Paper Heading 7 The received security string is not entered by the user; it is combined by the user with a PIN to extract the one-time code which is then entered. The advantages of these differences are described below. Tokenless The fact that Swivel does not require a dedicated security token (it uses the mobile phone as a token) has a number of advantages. There is nothing that needs to be physically distributed; therefore you are not at the mercy of postal systems etc. to provision users. Users can be provisioned instantly. Just as importantly there is nothing to physically reclaim once a user no longer requires access. This is particularly relevant where you have a population of users that has a high churn rate such as an academic institution. People treat their mobile phone as something vital; they need it for business but also to keep in contact with their friends and families when they are at work. They are less likely to leave it behind; or leave it in a pocket of a garment destined for the laundry. They are also more likely to notice when they have lost it or it has been stolen. As Swivel reuses an existing device as a security token there is no additional cost. If someone loses of damages their mobile phone a replacement is borne by the telecoms budget; not the security budget! One-Time Code Extraction The use of the Swivel one-time code extraction protocol means that both factors of authentication can be combined into a single credential. This means:

8 White Paper Heading 8 The user only needs a 4 digit one-time code to authenticate; (Swivel can be configured to use PINs of 4 to 10 numbers long and it can also be used in conjunction with a password). As the PIN is never entered the attacks described earlier, such as key loggers, cannot be used to ascertain one of the two factors of authentication. So the use of Swivel Dual Factor solution makes some of the attacks discussed before even harder. There is no physical token to distribute, the loss of a mobile phone is likely to be noticed and reported sooner than a security token. In the event that an attack gains access to a mobile phone, security is still not compromised as the attack still needs the PIN, and the PIN cannot be ascertained by key- logging attacks as it is never entered by the user. Attacks against Swivel Stealing the token In the Swivel example this attack still leaves the attacker the problem of the PIN, as the PIN is never entered it cannot be obtained via key logging type attacks. Phishing No authentication product is immune from attack. Forms of phishing attacks may have some success against Swivel; it is very difficult to stop users entering credentials onto a mock web site as discussed before. Once entered these valid credentials can be used by the attacker; as before this does not allow the attacker to steal the account as they cannot reauthenticate without the mobile phone. A mock web site can send a user a false security string and by examining the returned one-time code ascertain the user s PIN. However this requires knowledge of the target s mobile phone number and the means to send an SMS. Once the PIN is known, physical access to the mobile phone is still required.

9 White Paper Heading 9 Conclusion Two-factor authentication is a much stronger form of authentication than single-factor. Swivel s implementation of two-factor authentication, with its unique one-time code extraction protocol and its use of the mobile phone as a security token, provides a number of advantages including increased strength of authenticated and decreased running costs.