XYPRO Technology Brief: Stronger User Security with Device-centric Authentication

Transcription

1 Ken Scudder Senior Director Business Development & Strategic Alliances XYPRO Technology Talbot A. Harty CEO DeviceAuthority XYPRO Technology Brief: Stronger User Security with Device-centric Authentication Introduction The internet provides a massive threat surface for all things that are connected to it. Cybercrime and cyber warfare-related security breaches are becoming common news events, increasing in both frequency and sophistication. Recent research reports from RSA and other security vendors illustrate the alarming increase of social media-based phishing and malware-based attacks which are systematically defeating a wide variety of user authentication solutions. The internet provides a massive threat surface for all things that are connected to it. The fundamental vulnerability of most online applications is that they do not meaningfully reduce this threat surface when challenging user access. Online user credentials the things that a user has, knows or does cannot actually identify the person behind the connection. This brief will highlight some of the common multi-factor authentication approaches used to strengthen user security and discuss the pros and cons of each method. It will also introduce a new type of device-centric authentication that addresses the major challenges of the existing technologies: reliability, cost, scalability and user-experience. Usernames and passwords alone do not provide sufficiently strong authentication. Moving beyond Username and Password It is widely accepted that usernames and passwords alone do not provide sufficiently strong authentication to prevent security breaches. In response, a number of multi-factor authentication solutions have been developed to provide additional certainty that the person attempting to login is the authorized user. Multi-factor authentication works by requiring additional authentication credentials to be presented in addition to username and password. There are three broad types of multi-factor authentication: 1. Something the user knows (e.g., password, PIN, pattern) 2. Something the user has (e.g., ATM card, smart card, mobile phone) 3. Something the user is (e.g., biometric characteristic, such as a fingerprint)

2 Traditionally, companies have had to manage a trade-off between security and user experience. Within the three categories of multi-factor authentication, a large number of solutions have been developed with varying degrees of security, cost and impact on user-experience. Traditionally, companies have had to manage a trade-off between security and user experience. The Security-Usability Trade-off Traditional user authentication is inversely proportional to user experience Security measures Increased security can result in impared user experience and customer dissatification User experience Decreased security may improve user authentication experience but results in more fraud and losses Let s look at a few of the more common solution types: KBA Challenge. This approach uses an interactive challenge-response session whereby users attempting to login are prompted to correctly answer questions that only they could know. KBA Challenge requires the user to previously set-up two or more challenge questions (either from a standard list or user-created) and also to provide the user-specific answers (for example, Question: What is your mother s maiden name Answer: Smith ). Pros: KBA is relatively low cost and easily scalable. Cons: Reliability is a key concern with KBA Challenge. Social engineering and the large amount of personal data that is public and easily discoverable make this approach vulnerable especially since the challenge-response secrets are often static. Further reducing the value of this approach is the negative impact on usability the challenge-response session adds another step in the user login process and requires the user to remember specific challenge responses. Page 2

3 Increased security can result in impaired user experience and customer dissatisfaction. Browser Cookies. A browser cookie is a small piece of data that is given to a web browser by a web server. The data sent from a website is stored as a text file in a user s web browser. Each time the user s browser requests a new web page, the cookie is sent to the web server and can be used to identify the user, prepopulate information and to notify the website of the user s previous activity. Cookies can also store data that a user has entered (such as passwords, credit card numbers, and form data). There are several types of cookies including authentication cookies (to determine logon status) and tracking cookies (to record browsing history). Pros: Browser cookies are inexpensive to deploy and do not impact user experience. Cons: Cookies provide a low level of reliability and security. They are typically static, easy to capture/steal and can be replayed. Cookies also create an unreliable association with a device and, when they are absent, there is no difference between a condition of not recognizing a valid device and attempted access from another device which requires a fallback to another authentication factor (usually KBA) to provide a new cookie. HW OTP Tokens. This approach uses a hardware token to generate a one-time password (OTP) for logging into an account. Since a specific username and OTP combination cannot be re-used, account access through stolen credentials is prevented. Pros: HW OTP Tokens provide strong security. Cons: Relatively high cost, difficulty to manage and usability are major drawbacks of HW OTP Tokens. Since physical token devices must be procured, distributed and managed for each user, there is an inherent scalability challenge with large user groups. Furthermore, adding another device and multiple steps into the login process significantly impacts user experience. OTP Messaging. This approach uses an out-of-band messaging system (such as SMS or ) to send the user an OTP during the login process. Typically, the user will initiate a login session which will trigger the OTP being sent. The user then accesses the alternate messaging system, retrieves the OTP and uses it to continue with the original login process. Since a specific username and one-time password combination cannot be re-used, account access through stolen credentials is prevented. Pros: OTP Messaging is relatively low cost and scalable. Cons: Ease of use is negatively impacted multiple login steps are added and there is a potential delay of the alternate messaging system. OTP messaging is vulnerable to re-direction and man-in-the-middle (MitM) replay attacks. Page 3

4 Biometrics. Biometrics involve identifying a user through a set of physiological parameters (such as voice, fingerprint, and keystroke patterns). Decreased security may improve user authentication experience but results in more fraud and losses. Pros: Biometrics authentication is difficult to fake which makes it relatively more secure than traditional methods like tokens or certificates. Cons: Biometrics can be expensive and intrusive on the user experience. Depending on the physiological parameters being captured, biometrics may require additional physical devices for user to have and manage (e.g., fingerprint reader). Certificates. Certificates are digital credentials, valid for a specific period of time, used to identify an entity and support public key encryption. Certificates are issued by a Certification Authority (CA) which guarantees the authenticity and validity of information in the certificate. Pros: Certificates are standards based and relatively easy to deploy. Certificates mitigate transmission weak points and are more secure than just credentials alone. Cons: Can be expensive to setup and messy to distribute and manage. Higher likelihood of false positives. Like browser cookies, certificates also create an unreliable association with the device and can be stolen and used from another device. They have the added issue of being very difficult to manage from a Certificate Authority perspective and there are numerous attack scenarios which undermine their reliability. Multi-factor Authentication Methods Solution Pros Cons KBA Challenge HW OTP Tokens OTP Messaging Browser Cookies Certificates Biometrics Cost, scalability Security strength Scalability, cost Ease-of-use Ease-of-use Security strength Reliability, public/discoverable data vulnerabilities, ease-of-use, static secrets Cost, provisioning and management, ease-of-use, vulnerability of static keys Ease-of-use, vulnerable to redirection and MitM replay attacks Unreliable, static, capture and replay vulnerabilities, transportable Cost, management overhead, static keys, transportable, CA redirection capabilities Cost, requires presence and secure/controlled input devices, static secrets Page 4

5 Caution! Traditional Authentication Does Not Protect the Transaction DeviceAuthority establishes which devices are authorized to access an account or system, dramatically reducing the threat surface and fundamentally changing the reliability of user credentials. It is important to note that none of the traditional user authentication solutions deal well with post-authentication attacks. Using a token, certificate, OTP, cookie, or even a biometric for login authentication will not protect against malware from being used to manipulate a transaction. Device authentication with input/transaction verification can provide this protection without requiring the user to go through additional transactional challenges. Device-centric Authentication Security, Scalability, and Usability Device identification solutions have been on the market for many years. In fact, it is quite easy to identify a device. The difficulty comes in authenticating the device s identity. Most solutions attempt to fingerprint or profile devices based on data that is discoverable, transportable and spoof-able. Because this information can be easily captured and impersonated, these systems typically use black listing, scoring, risk policies and analytical comparison to rule-out bad devices or trigger other forms of authentication. Other drawbacks include large investments in storage for historical analytics, false positives, and circumvented adaptive authentication. Recently, a Silicon Valley technology company, DeviceAuthority, Inc., delivered a new, more robust device-centric solution. DeviceAuthority s D-FACTOR is a device authentication solution that establishes which devices are authorized to access a given user account or communicate with another system, dramatically reducing the threat surface and fundamentally changing the reliability of user credentials. DeviceAuthority s patented device authentication technology provides a unique authentication challenge of the device s physical and environmental attributes for each authentication session, enabling reliable, sub-second, device identification and authentication of authorized devices without impairing the user authentication experience. Page 5

6 DeviceAuthority D-FACTOR The Device is the Key TM DeviceAuthority provides real-time transaction integrity verification to protect against post-authentication malware and automated man-in-the-browser based transaction fraud. D-FACTOR Authentication Engine Prevent security breaches from unauthorized devices Key loggers Stolen cookies and user credentials Phishing attacks Circumvented KBA Circumvented Fraud Detection Man in the middle attacks Man in the browser attacks Furthermore, the DeviceAuthority solution provides real-time transaction integrity verification to protect against post-authentication malware and automated man-in-the-browser based transaction fraud. Moving Forward with Stronger Authentication While a layered, multi-factor authentication strategy can increase online account security, many online and mobile application service providers are reluctant to implement stronger security measures due to concerns about impairing user experience and alienating customers. This Security-Usability compromise has historically been viewed as a necessary balancing act. For most security solutions, this is a valid paradigm. Adding anything more for the user to have, know or do will have a negative impact on the user s authentication experience. Additionally, while it has been clear for some time that usernames and passwords can be easily compromised, it is also becoming increasingly clear that attackers have rapidly evolved their skills and capabilities to quickly compromise or circumvent some of the broadly adopted multi-factor security solutions, including knowledge-based (KBA) authentication, one-time passwords, and certificates. Page 6

7 Device-centric authentication provides the opportunity to enable a deeper level of authentication and transaction security. While basic forms of device identification, like fingerprinting or simple profiling provide weak security benefits, DeviceAuthority s patented device-centric authentication solution, D-FACTOR, delivers irrefutable authentication that is scalable, cost effective and transparent to the end-user. About XYPRO Founded in 1983, XYPRO Technology Corporation is the market leader in HP NonStop server security, audit, compliance assessment and FIPS-validated encryption solutions. XYPRO solutions meet the strict requirements of companies who manage, access and transport sensitive data using heterogeneous hardware platforms and multiple communications media. XYPRO helps mission critical businesses manage their security risks, protect assets and gain a competitive edge through compliance, while improving efficiency. XYPRO Technology Corporation is a global reseller and system integrator for DeviceAuthority. For more information on DeviceAuthority s device-centric authentication solution, please contact your XYPRO representative. XYPRO Headquarters, USA 4100 Guardian St., Suite 100 Simi Valley, California USA XYPRO Technology Pty Ltd. Asia Pacific Sales & Support: International Sales EMEA: +44 (0) Ibero América: / Japan: Professional Services Worldwide: ext HP AllianceOne Partner of the Year Security Category Page 7