Transform Multi-Factor Authentication from "Something You Have" to "Something You Already Have"
DIGIPASS Embedded Solutions White Paper
2009 VASCO Data Security. All rights reserved.

DISCLAIMER

Disclaimer of Warranties and Limitations of Liabilities
The Product is provided on an 'as is' basis, without any other warranties, or conditions, express or implied, including but not limited to warranties of merchantable quality, merchantability or fitness for a particular purpose, or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data or other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable; or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers and suppliers, shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the exclusion or limitation of liability for consequential or incidental damages, so the above limitation may not apply to you.

Copyright
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc.

Trademarks
DIGIPASS & VACMAN are registered trademarks of VASCO Data Security. All other trademarks or trade names are the property of their respective owners. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use.

CONTENTS
Abstract
1. Overview
1.1 What is Authentication?
1.2 The Factors of Authentication
1.3 Multi-factor Authentication
1.4 Why Multi-factor Authentication?
1.5 The Authentication Dilemma
2. VASCO Data Security and its Philosophy
2.1 The Need for Change
3. Digipass Embedded Solutions
4. Enabling a New Paradigm
4.1 Why and How?
    Within the Computer Platform
    Within the Mobile Platform
    Within Existing Security Credentials and Smart Cards
    Within USB/SD/MMC/SIM (or any other) Memory Devices or Cards
    Within (or Packaged With) Security Software
5. Conclusion

ABSTRACT
This paper outlines the need for improved security on a variety of Internet transactions such as ebanking, ecommerce, egaming, and egovernment. The proposed Digipass Embedded Solutions approach represents a shift in multi-factor authentication (MFA): eliminating the need to distribute a specific device for security. Digipass Embedded Solutions proposes to enable a variety of devices to support MFA as part of, or in addition to, their normal functions, leveraging the processing power and storage capacity now found in a multitude of ubiquitous devices. This approach improves customer adoption, enhances application security, and lowers the cost of the solution.

1. OVERVIEW
There is a fundamental problem with exchanging sensitive information or performing valuable transactions over the Internet. In order to perform these tasks, we must have a high degree of confidence that the information being exchanged is passing to the proper individuals. This process is referred to as authentication, and it is the critical first step in the exchange of any information via any network or the Internet. This paper will define authentication, discuss the problems that exist in the current environment, and illustrate the need for improved and stronger authentication for accessing sensitive information. It will also cover some of the existing solutions implemented in a variety of markets and outline, in detail, a new approach to delivering authentication solutions suitable for all markets, geographies and applications.

1.1 WHAT IS AUTHENTICATION?
Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. Worth noting in that definition is that there is nothing about technology; authentication was in use long before the computer, the Internet, online banking, or mobile banking. For the purpose of this paper, we will assume that authentication is being used in the virtual realm, i.e. the Internet or a computer network of some kind. But it is important to keep the basic premise of authentication in mind as we discuss technology options, as all we are really attempting to do is identify someone or something.

1.2 THE FACTORS OF AUTHENTICATION
With the basic definition of authentication established, we can discuss the varying factors used in verifying identity. They are:
SOMETHING YOU KNOW: this is normally a password or personal identification number (PIN) of some sort. This can also be answers to questions (e.g. what is your mother's maiden name, what color car did you learn to drive on, etc.).
SOMETHING YOU HAVE: this factor is commonly a bank card, driver's license, hardware token, or even car keys.
SOMETHING YOU ARE: this is biometric information such as a fingerprint, voice print, or the patterns in your eyes, to name a few.

1.3 MULTI-FACTOR AUTHENTICATION
Of course, if there are three factors of authentication, there exists the possibility to combine these factors when verifying the identity of a user online. The use of more than one of the factors of authentication is called multi-factor authentication (MFA). Note: using more than one instance of the same factor (for example, two passwords) does not constitute multi-factor authentication.
Multi-factor authentication is not new, by any stretch. In fact, it predates the Internet by a long shot, and every consumer has experienced it in some form or other. The most common example for all is your ATM card (something you have) and PIN (something you know). You must possess both of these factors to withdraw cash at an ATM. Or, your driver's license (something you have) and your face matching the picture on it (something you are). The catch in either scenario is that the issuing authority (your bank or your state) must identify you in some way to issue you the credentials; they are only as strong as that first identification.

1.4 WHY MULTI-FACTOR AUTHENTICATION?
In the vast majority of online experiences and logins, users are granted access to web sites and [often] confidential information based on the successful verification of a user ID and password. This access/approval method is referred to as a shared secret, meaning that, in order to prove you are who you say you are, you must share a secret code with the verifying party. The problem with this methodology is that once you share the secret, it's not a secret anymore. This shared not-so-secret is also reused for each authentication, providing a very high number of occasions on which the secret can be compromised.
Multi-factor authentication is built on the premise of reducing the importance of the shared secret. The strength of the authentication is then based not on the complexity of the shared secret password but on the strength of the second (or third) factor. In this model, instead of sharing the secret, we provide evidence that we are in possession of the secret. For VASCO, this means the generation of a one-time password, derived from the secret, which the authenticating party verifies as matching the response that could only have come from that secret at that time (time-based) or for that use (event- or challenge-based). Because each one-time password is accepted only once, a password captured in transit cannot be reused for a later login. However, improving security has, historically, come with a trade-off.
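The possession proof described in 1.4, as an added example that is not from the white paper and is not VASCO's Digipass algorithm (the paper does not describe it). It uses the public HMAC-based one-time-password construction of RFC 4226 (event/counter-based) and RFC 6238 (time-based) as a stand-in: both sides hold the secret, only a short-lived code crosses the wire, and the verifier refuses to accept the same time step twice. The demo secret is the published RFC 4226 test-vector key, a constructed value for illustration only.

```python
"""Possession proof with a one-time password: the secret stays on both endpoints,
only a short-lived code derived from it crosses the wire (added example, RFC 4226/6238)."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based variant: the counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(unix_time // step), digits)


class OtpVerifier:
    """Server side of the exchange. It holds its own copy of the secret but never receives it;
    it receives only codes, tolerates a small clock-drift window, and refuses any time step at
    or below the last one already accepted, so a code captured in transit cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.window = window
        self.last_step = -1  # highest time step successfully used so far

    def verify(self, code: str, unix_time: float) -> bool:
        current = int(unix_time // self.step)
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_step:
                continue  # already consumed (or older than the last accepted step): replay
            expected = hotp(self.secret, step)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_step = step
                return True
        return False


# Constructed demo secret: the published RFC 4226 test-vector key, not a VASCO or production value.
DEMO_SECRET = b"12345678901234567890"


def demo() -> dict:
    """One login, a replay of the same code a few seconds later, and a mistyped code."""
    verifier = OtpVerifier(DEMO_SECRET)
    now = 1_000_000.0
    code = totp(DEMO_SECRET, now)  # what the user's device would display
    wrong = code[:-1] + ("0" if code[-1] != "0" else "1")  # last digit altered
    return {
        "first_use": verifier.verify(code, now),        # fresh code, right step
        "replay": verifier.verify(code, now + 5),       # same step already consumed
        "wrong_code": verifier.verify(wrong, now),      # does not match any step in the window
    }


if __name__ == "__main__":
    print(demo())
```

The verifier never learns anything it did not already have: a code is a proof that the sender holds the secret at this step, and once a step is consumed the same code is worthless, which is the property the paper contrasts with a reusable shared password. In production the `last_step` state must be persisted per user, and the drift window kept small, since every extra step widens the guessing surface for a six-digit code.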

1.5 THE AUTHENTICATION DILEMMA
Obviously, the pinnacle of security would be the combination of all three factors of authentication. However, if you had to swipe your fingerprint, insert a card, and type a password for every transaction or log-on you perform throughout the day, the frustration experienced would outweigh the security benefits. Further, such a system would be cost prohibitive. Figure 1 illustrates the previously accepted security conflict. The figure shows that, as you design a system that is more secure (and therefore more costly), it will impact user convenience. Conversely, as you create a solution that is more convenient for the user, you will decrease the security of the solution (but likely drive down the solution cost).
FIGURE 1: THE SECURITY CONFLICT (axes: User Convenience versus Security & Cost)

2. VASCO DATA SECURITY AND ITS PHILOSOPHY
VASCO's philosophy is to provide a solution (or solutions) that will place this system in balance for every customer. Figure 2 represents VASCO's Digipass authentication solutions as they exist today: a family approach to authentication, all designed to work on one single infrastructure. Any VASCO customer can add or deploy any or all of our solutions without having to make changes to their existing set-up. The solutions are designed to provide a broad range of alternatives that can satisfy the demands of any customer, ranging from the most secure (higher cost, lower user convenience) to the most user friendly (lower cost, lower security). Traditionally, these solutions have been delivered via one-time password hardware tokens.
FIGURE 2: VASCO'S FAMILY OF AUTHENTICATION SOLUTIONS

Hardware Digipass are eminently practical when used for securing customer-facing applications where the user base is non-transient, meaning they stick around for a while. If the customer remains a customer for years (not days, weeks, or months), the authenticating party can distribute hardware Digipass to the user base and justify the cost of the solution over a period of years. VASCO's success to date has been primarily in the worldwide online banking market, having deployed solutions to more than 1,700 banks and 100+ million end-users worldwide.

2.1 THE NEED FOR CHANGE
VASCO's impressive success also reveals a need to expand beyond the traditional authentication business. While 100+ million end-users is an impressive statistic, taken in the context of the actual penetration rate into those banks there is dramatic room for growth. Assuming that most banks average 500k customers online (most larger banks have tens of millions of customers), that equates to a potential banking base of 600+ million; or, in other words, roughly 20% penetration. There is a specific reason why that base has not been served yet: they are not practical candidates for hardware Digipass. Yet the remaining base of banking clients still merits additional authentication; an alternative is needed to deliver security to the remainder of that base. Additionally, other channels require strengthened authentication: ecommerce, egaming, egovernment, to name a few. Many of these customers are transient, or operate at such a large scale, that the traditional hardware Digipass model will not suffice to penetrate deeply into those markets.

3. DIGIPASS EMBEDDED SOLUTIONS
Digipass Embedded Solutions (DES) represents the latest evolution of VASCO's continued market leadership and vision. In recognizing the evolution of the worldwide authentication market and the demand for more convenient, portable, and cost-effective methods of adding security to all online applications and functions, VASCO has embarked on a mission to add authentication on any platform, at any time, for any application. The mission statement of DES is to work to Digipass Enable as many client devices as possible by targeting industry-leading partners with user bases exceeding 1,000,000 deployed individuals, the objective being to create such a wealth of enabled devices that VASCO becomes the de facto worldwide standard for authentication. This changes the authentication process from one that involved the distribution of a device to the end-user to one that simply provisions the security to a device they already have. Again, all of this is to be accomplished in such a way as to ensure the interoperability of these embedded solutions for existing VASCO customers.

4. ENABLING A NEW PARADIGM
As mentioned, the mission of DES is to Digipass Enable as many client devices as possible. In practical terms, DES will work with industry leaders to leverage the processing power and storage capacity of consumer electronics that have become ubiquitous, such as mobile phones, smart cards, software applications, computer components, USB drives, etc. In figure 3, we see the typical hardware Digipass. This device is merely a container for a few elements: the activation button, the display, the secret, and the encryption technology. By extension, any device that has the ability to securely contain information can be enabled to perform the same functionality. Of course, at some point, interaction with a display is also required to show the one-time password to the end-user. In essence, the purpose of DES is to transform multi-factor authentication from "something you have" to "something you already have".
FIGURE 3: HARDWARE DIGIPASS

4.1 WHY AND HOW?
Digipass Embedded Solutions challenges the previously accepted beliefs with regard to security. As mentioned earlier, the premise has been that, as you improve user convenience, you decrease the cost of the solution as well as the security. With an embedded approach, costs are inherently lower: there is nothing physical to deploy (in most cases). Therefore, the equation changes from having to sacrifice security for the sake of cost or convenience to one where security can become the cornerstone of any online application (fig. 4). Also noteworthy in figure 4 is that user convenience is removed from the equation: the authentication is deployed on a device that users have already shown they want to carry.
FIGURE 4: SECURITY AS CORNERSTONE OF EMARKETS (ebanking, ecommerce, egaming, egov't)
The following sections outline a few examples where embedding an authentication credential is practical, and the pros and cons of each type of offering. Note: this is not intended to be a comprehensive listing but rather a basis upon which to build.

WITHIN THE COMPUTER PLATFORM
Considering that the vast majority of end-users around the world still connect to the Internet via their laptop or desktop, the first place that comes to mind for embedding an MFA credential is within the computer that the individual is using.
Pros: resident on the computer; potential for seamless use by the user; the device has large storage capacity and can support complex operations; can be used to authenticate virtually all channels.
Cons: not portable; connected to the Internet (potential exposure to attack and remote misuse: malware on the same host can invoke the credential without the user's knowledge); cannot authenticate the mobile channel; requires multiple profiles for users that have/use multiple PCs.

WITHIN THE MOBILE PLATFORM
Embedding the MFA credential in the mobile platform can take two different routes to completion. The credential can be embedded within the components of the phone/mobile device itself (similar to the example above), or the credential can be embedded within an application that is resident on the mobile phone. Perhaps the best example of this model is Mobile Banking or Mobile Commerce/Wallet.
Pros: can be used to authenticate all channels (mobile, traditional Internet, VPN, etc.); portable; convenient; not connected to the Internet (note that a phone with a data connection shares the exposure listed for the computer platform above).
Cons: operating systems are currently limited in functionality; not all users have mobile technology or are willing to put authentication on their device.

WITHIN EXISTING SECURITY CREDENTIALS AND SMART CARDS
Excepting the United States, smart cards have become the accepted standard for banking cards (credit/debit). For a number of years, these cards have had the capability to include MFA credentials; working with market leaders allows the deployment of MFA credentials to be proactive and included as a standard offering. In many corporate environments, users carry access cards or credentials of some sort that grant them physical access to particular areas, buildings, etc. These cards are now leveraging smart card technology, whereby a smart card chip (visible or not) is embedded within the plastic. For several years now, the technology has existed to embed an authentication credential on these chips, allowing both physical AND logical access for employees.
Pros: already carried by employees/staff; convenient form factor (fits in a wallet); low cost and high security.

Cons: requires a reader of some sort to display the one-time password; backward compatibility (most physical access cards in circulation today do not have the chip yet).

WITHIN USB/SD/MMC/SIM (OR ANY OTHER) MEMORY DEVICES OR CARDS
Memory devices and cards are another source of storage/security that has become so commonplace they often go unnoticed. A high percentage of mobile devices, laptops, desktops, cameras, even MP3 players have the ability to expand their on-board memory using a variety of methods. The emerging trend for these memory devices is to include a secure element within them: a perfect place to embed an MFA credential.
Pros: ultra portable; inexpensive; used in a multitude of devices; sold commercially.
Cons: diversity of the marketplace; must be inserted into something for use; users don't typically remove an SD (or other) card, so portability would depend on the device used; backward compatibility with deployed devices.

WITHIN (OR PACKAGED WITH) SECURITY SOFTWARE
Again, the aim of DES is to embed a security credential in something the user already has. Most users have some sort of security software installed on their platform to protect it from misuse. This is another logical place to include an MFA credential, both from a security perspective and from the standpoint of user comprehension.
Pros: user education is minimal; security software is updated regularly (allowing for updates to the MFA credential).
Cons: not all users have security software; diversity of the marketplace; potential exposure to the Internet and attacks.

5. CONCLUSION
Clearly, the Internet is here to stay. However, there is a fundamental problem with attempting to do business over the Internet: the need to positively identify the parties involved. To date, most attempts at verifying consumers and customers fall woefully short of the needed security, relying heavily on one single factor of authentication: the password. The problem with using the password is that, once it is learned by an unauthorized party, it is nearly impossible to distinguish the proper individual from a criminal. Multi-factor authentication (MFA) is one effective method for disrupting this type of crime. MFA diminishes the importance of the user's password and adds a second layer of security to the online experience. Until now, VASCO's offering in the MFA arena has been via one-time password (OTP) tokens. In response to the increased need for MFA in a variety of online channels (egaming, egovernment, ecommerce), VASCO has launched the Digipass Embedded Solutions initiative. Under this initiative, VASCO intends to Digipass Enable a variety of devices that consumers and customers already have. This removes the burden of distributing a physical device to the end-user and instead places security on something they have already purchased (or been given), increasing adoption, usage, and customer acceptance while lowering the cost of the solution to ensure high scalability for the Internet markets of today and beyond.
For more information about Digipass Embedded Solutions visit http://www.vasco.com/products/digipass/digipass_software/digipass_for_web_powered_by_intel_itp.aspx