Multi-factor authentication



Similar documents
Additional Security Considerations and Controls for Virtual Private Networks

Protecting Your Organisation from Targeted Cyber Intrusion

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Specific recommendations

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 10 Authentication and Account Management

WHITE PAPER Usher Mobile Identity Platform

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

A Decision Maker s Guide to Securing an IT Infrastructure

Strong Authentication for Secure VPN Access

Data Access Request Service

A practical guide to IT security

Enhancing Organizational Security Through the Use of Virtual Smart Cards

IDENTITY MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

A brief on Two-Factor Authentication

XYPRO Technology Brief: Stronger User Security with Device-centric Authentication

Malicious cyber activity is on the increase at risk. This may involve the loss of critical data and consumer confidence, as well as profits

Malicious Mitigation Strategy Guide

KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS

How Secure is your Authentication Technology?

Using Remote Desktop Clients

Information security management guidelines

Section 12 MUST BE COMPLETED BY: 4/22

Cyber Essentials Questionnaire

A Security Survey of Strong Authentication Technologies

French Justice Portal. Authentication methods and technologies. Page n 1

Information Technology Branch Access Control Technical Standard

Two Factor Authentication for VPN Access

Critical Security Controls

Implementing two-factor authentication: Google s experiences. Cem Paya (cemp@google.com) Information Security Team Google Inc.

Mobile Identity: Improved Cybersecurity, Easier to Use and Manage than Passwords. Mika Devonshire Associate Product Manager

Swivel Multi-factor Authentication

Multi-Factor Authentication FAQs

Modern two-factor authentication: Easy. Affordable. Secure.

Entrust IdentityGuard

Token Security or Just Token Security? A Vanson Bourne report for Entrust

Two-Factor Authentication and Swivel

ADVANCE AUTHENTICATION TECHNIQUES

Security in an Increasingly Threatened World. SMS: A better way of doing Two Factor Authentication (2FA)

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

PINsafe Multifactor Authentication Solution. Technical White Paper

Frequently Asked Questions (FAQ)

PROTECTION FOR SERVERS, WORKSTATIONS AND TERMINALS ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment

Improving Online Security with Strong, Personalized User Authentication

etoken Single Sign-On 3.0

Security Controls for the Autodesk 360 Managed Services

Achieving PCI-Compliance through Cyberoam

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication

Microsoft Office Macro Security

Security Management. Keeping the IT Security Administrator Busy

Vidder PrecisionAccess

solutions Biometrics integration

Payment Fraud and Risk Management

Multi-Factor Authentication of Online Transactions

BM482E Introduction to Computer Security

Digital Identity & Authentication Directions Biometric Applications Who is doing what? Academia, Industry, Government

ADDING STRONGER AUTHENTICATION for VPN Access Control

Information Security Basic Concepts

Guide to Vulnerability Management for Small Companies

Guide to Evaluating Multi-Factor Authentication Solutions

ONLINE BANKING SECURITY TIPS FOR OUR BUSINESS CLIENTS

IDRBT Working Paper No. 11 Authentication factors for Internet banking

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

DriveLock and Windows 7

Data Management Policies. Sage ERP Online

AVOIDING ONLINE THREATS CYBER SECURITY MYTHS, FACTS, TIPS. ftrsecure.com

Guidance on Multi-factor Authentication

Entrust. Entrust IdentityGuard 8.1. Deployment Guide. Document issue: 2.0. Date of Issue: April 2007

Did you know your security solution can help with PCI compliance too?

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Two-Factor Authentication Making Sense of all the Options

Achieving Universal Secure Identity Verification with Convenience and Personal Privacy A PRIVARIS BUSINESS WHITE PAPER

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Navigating Endpoint Encryption Technologies

Two Factor Authentication (TFA; 2FA) is a security process in which two methods of authentication are used to verify who you are.

Authentication Tokens

Global Partner Management Notice

Using GhostPorts Multi-Factor Authentication

Smart Card Two Factor Authentication

Moving to Multi-factor Authentication. Kevin Unthank

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year

CYBER SECURITY POLICY For Managers of Drinking Water Systems

STRONGER AUTHENTICATION for CA SiteMinder

AB 1149 Compliance: Data Security Best Practices

Transcription:

CYBER SECURITY OPERATIONS CENTRE (UPDATED) 201 (U) LEGAL NOTICE: THIS PUBLICATION HAS BEEN PRODUCED BY THE DEFENCE SIGNALS DIRECTORATE (DSD), ALSO KNOWN AS THE AUSTRALIAN SIGNALS DIRECTORATE (ASD). ALL REFERENCES TO ASD SHOULD BE TAKEN TO BE REFERENCES TO DSD. Multi-factor authentication 1. Multi-factor authentication is one of the most effective controls an agency can implement to prevent a cyber intrusion. This can help to prevent an adversary from gaining access to your network and identifying and accessing sensitive information during a cyber intrusion. When implemented correctly, multi-factor authentication can make it significantly more difficult for a cyber adversary to steal legitimate credentials to facilitate further malicious activities on the network. 2. This document explains different multi-factor authentication methods and why some are more secure, and therefore more effective than others, to assist agencies in selecting an appropriate solution. 3. The Australian Signals Directorate (ASD) recommends that multi-factor authentication be used for all accounts. Using multi-factor authentication provides a secure authentication mechanism that is not as susceptible to brute force attacks and reduces the demands on users to remember long passphrases. What is multi-factor authentication? 4. Multi-factor authentication occurs when a user is required to provide multiple pieces of information to authenticate themselves to a system, from at least two of the following categories: a. something they know (such as a passphrase, response to a challenge or PIN) b. something they have (such as a passport, physical token or card, or software certificate) c. something they are (such as biometric data, like fingerprints or facial geometry). 5. Common combinations of multi-factor authentication include: a. Tokens that generate a random number used in conjunction with a PIN or password. b. Smartcards supplied to a reader and unlocked with a PIN or password. c. One-time time-limited codes sent via SMS used in conjunction with a PIN or password. d. Biometrics such as fingerprint scan or facial recognition used in conjunction with a PIN or password. Page 1 of 7

e. Software-based certificates or credentials stored on the user s machine or a removable device that is accessed using a PIN or password. Why is multi-factor authentication important? 6. Cyber adversaries frequently attempt to steal legitimate user or administrative credentials when they compromise a network. These credentials allow them to easily propagate on a network and conduct malicious activities without installing additional exploits, thereby reducing the likelihood of detection and making it easier for less sophisticated adversaries. Cyber adversaries will also try to gain credentials for remote network access solutions, including Virtual Private Networks (VPN), as these accesses can mask their activities and reduce the likelihood of being detected. 7. When multi-factor authentication is implemented correctly, it is significantly more difficult for the cyber adversary to steal legitimate credentials, because: a. The user has to prove they have physical access to a second factor that either they have (e.g. passport, physical token or card) or are (fingerprints, facial recognition). b. The credentials the cyber adversary obtains expire, ensuring that even if the cyber adversary compromises those credentials they can t be used to enable future access or intrusion activity. Are all multi-factor authentication methods equally effective? 8. While all forms of multi-factor authentication listed in this document provide significant advantages over basic username and password authentication, some methods are more effective and secure than others. It is essential that multi-factor authentication is implemented and configured correctly on your network to ensure that vulnerabilities are minimised. Multi-factor authentication that has not been implemented or configured properly can result in a false sense of security and leave your network vulnerable to malicious activity. 9. Multi-factor authentication is most effective when one of the factors is physically separate from the computer from which the user is accessing the system or resource, such as using a token or smartcard rather than a software-based certificate. 10. To maximise the security effectiveness of any multi-factor authentication method chosen, an agency should ensure that: a. The authentication server is hardened and is isolated from the rest of the network as much as possible. This can be achieved by (at a minimum): i. Implementing the Top 4 mitigation strategies from ASD s Strategies to Mitigate Targeted Cyber Intrusions on the authentication server. ii. Applying any specific hardening advice for the product provided by the vendor. Page 2 of 7

iii. Implementing appropriate network segmentation and segregation to limit which machines and users on your network can access the authentication server. b. Users pick reasonably complex passwords or PINs, to ensure defence-in-depth if the token or credential is copied, lost or stolen. c. The PIN or password used, particularly for remote access, is different to the user s standard password for the network if it doesn t require multi-factor authentication. d. Users do not store physical tokens with the device they use for remote access. Common multi-factor authentication methods explained Time-synched and token-based multi-factor authentication 11. The user is provided with a physical token that displays a number on the screen that is valid for a specified period of time. The time on both the device and the authentication server are synched and the authentication server knows what number should be displayed, on all tokens that it services, at a particular time. When the user authenticates with a username, PIN or password, and the number displayed by the token, the authentication server verifies that all details are correct for that user and grants or denies access. 12. When implemented correctly, this is the most effective form of multi-factor authentication. Even if a cyber adversary intercepts the number the user enters, after the expiry time passes that information will be useless. 13. For maximum security and effectiveness, an agency should ensure, in addition to the advice in a. The expiry time of the number displayed on the token is set to the lowest value practical. b. Users are instructed to report any lost or missing tokens. c. Users know that they should never provide details (such as the serial number and number displayed) about their token unless they are certain it is being requested by their ICT staff. Certificate based smartcard login multi-factor authentication 14. The user presents a smartcard to a reader connected to the computer when accessing sensitive information or resources. Software installed on the user s computer prompts the user to also provide a PIN or password to unlock the card, and then verifies their identity using the private key stored on that card. When the card is successfully unlocked, the software installed on the computer assists the user to verify their identity by signing an authentication request with the user s private key. The authentication server then verifies that the authentication request is signed by the valid and correct user s trusted private key, and grants or denies access. Page 3 of 7

15. This type of multi-factor authentication provides significant advantages over username and password login alone. However, there is a potential vulnerability due to the reliance on the software installed on the user s computer. If the user s computer is compromised and the cyber adversary gains elevated privileges, they can use the services provided by the smartcard software to intercept and replay legitimate authentication requests or initiate fraudulent requests on the user s behalf. An example of an attack such as this is documented in the Mandiant M-Trends 2011 1 report. 16. For maximum security and effectiveness, an agency should ensure that, in addition to the advice in paragraph 10, the following is implemented: a. The Certification Authority s keys are adequately protected, for example, stored in an evaluated Hardware Security Module, and backups of the keys are physically secured and stored offline. b. The computer from where users authenticate is hardened and secured. This can be achieved by implementing the Top 4 mitigation strategies at a minimum, using an up-to-date anti-virus program, and implementing a host-based firewall and Intrusion Prevention system (IPS)/Intrusion Detection System (IDS). An alternative approach is only allowing access from frequently updated and restarted, non-persistent, trusted operating environments. c. Users receive a visual notification each time an authentication request is generated that requires the user to enter their PIN or password. This will enable them to potentially detect fraudulent requests. d. Users do not leave their smartcards inserted and unlocked in the reader. Contactless smartcard readers can be used to enforce this control. e. Storage and functionality on the smartcard is minimised as much as possible, so that applications on the smartcard cannot be used to breach the security of your systems. f. Agencies utilise smartcards that have completed an appropriate security evaluation. g. Users are instructed to report any lost or missing smartcards as soon as practical. SMS based one-time multi-factor authentication 17. This emerging multi-factor authentication technology uses mobile phones as a relatively inexpensive second factor. When the user enrols to access the system, they provide the phone number of their mobile phone so that a one-time, time limited, additional password or PIN can be provided to them when they wish to logon or authenticate to conduct a transaction. During the logon process they provide a username and password, and request that the authentication server send them an SMS to their pre-registered mobile phone in order to complete the authentication process. The user then 1 http://www.mandiant.com/news_events/forms/m-trends_2011 Page 4 of 7

provides all this information to the authentication server, which verifies all details are valid and grants or denies access. 18. The advantages of this technology is that it uses a second factor that the user already has and therefore minimises the cost to the system owner, and the PIN or password provided via SMS is time limited. However, there are also a number of disadvantages, namely: a. Mobile phone networks can have degraded service or no service at all, which may affect the availability of the system. b. Use of smartphones for Internet browsing and system access may mean that the SMS containing the PIN or password may no longer be secure. c. Mobile phone networks, and many smartphones, are not secure and SMS can be intercepted by motivated and competent cyber adversaries, particularly when travelling. However, since the one-time PIN or password provided by SMS expires, it will have limited use if intercepted, therefore limiting the scope of the compromise. 19. For maximum security and effectiveness, an agency should ensure, in addition to the advice in a. The expiry time of the one-time password sent via SMS is set to the lowest value practical. b. Users are instructed to report the theft or loss of their phone, or a change in phone number as soon as practical. Biometric based multi-factor authentication 20. This multi-factor authentication mechanism requires the user to enter a PIN or password, along with presenting a biometric such as a fingerprint or facial recognition scan. When the user enrols they provide a scan of the appropriate biometric as a reference point for the authentication server to compare to. When the user authenticates they provide a PIN or password along with their biometric scan, the authentication server verifies both the PIN or password and the biometric with those provided at enrolment, and grants or denies access based on the outcome. 21. When implemented properly and securely, this is an extremely secure method of multi-factor authentication; however, the cost of good biometric readers and user privacy considerations is often a significant barrier to implementation. It should also be noted that for every biometric, due to the wide range of differences between individuals, some of the potential users will not be able to successfully use it. 22. Like smartcard-based logon, the vulnerability in this mechanism is caused by the reliance on the software installed on the user s computer. If a cyber adversary compromises the user s computer and gains elevated privileges, then it is possible for the cyber adversary to use the services provided by the biometric capture software to intercept and replay legitimate authentication requests or initiate fraudulent requests on the user s behalf. Furthermore, the effectiveness of biometric based Page 5 of 7

authentication is reliant on the quality of the biometric readers and software to ensure that false negatives (denying access when it should be allowed) and, more importantly, false positives (granting access when it should have been denied) are both minimised. The expense and availability of high quality biometric readers and software for a user s system make implementing secure biometric multifactor authentication difficult. 23. For maximum security and effectiveness, an agency should ensure, in addition to the advice in a. The computer from where users authenticate is hardened and secured. This can be achieved by at a minimum implementing the Top 4 mitigation strategies, using an up-to-date anti-virus program, and implementing a host-based firewall and IPS/IDS. An alternative approach is only allowing access from frequently updated and restarted, non-persistent, trusted operating environments. b. Each time an authentication request is generated, the user is required to enter their PIN or password and have the system display a visual notification; this will enable them to more likely detect fraudulent requests because they will be prompted. c. They implement a good quality biometric reader and software to minimise the risk of both false positives and negatives. d. They plan for an alternative authentication method for those likely, but probably few, cases where an individual cannot successfully use the biometric mechanism. Software based certificate multi-factor authentication 24. When the user wishes to authenticate to the system, the system attempts to access the user s software-based certificate, which is stored in a file or in the registry on the hard drive. When the certificate is located, the user is prompted to provide their PIN or password to unlock the certificate store. If successful, the software installed on the computer assists the user to verify their identity by signing an authentication request with the user s private key. The authentication server then verifies that the authentication request is signed by the valid and correct user s trusted private key and grants or denies access based on the outcome of that verification. 25. Software-based certificates are the least preferred multi-factor authentication method. They do not provide one of the factors independently of the computer from which the user is accessing the resource that requires multi-factor authentication and they can be easily copied or stolen without the user s knowledge. 26. The vulnerability in this mechanism is caused by the reliance on the software installed on the user s computer. If a cyber adversary compromises the user s computer, then it is possible for the cyber adversary to use the services provided by the software in order to intercept and replay legitimate authentication requests or initiate fraudulent requests on the users behalf. By Page 6 of 7

compromising the user s computer, the cyber adversary can gain access to both factors easily with a low likelihood of detection. There is also the additional risk that if the cyber adversary can gain elevated privileges, the user s keys and certificates can be stolen from their computer (as they are just files or registry values) and used by the cyber adversary from their own computers or infrastructure to enable prolonged and difficult to detect remote access. For this reason, it is recommended that agencies only use software-based certificates for low risk transactions or systems, and never for authentication via a remote access solution. 27. For maximum security and effectiveness, an agency should ensure, in addition to the advice in a. The computer from where users authenticate is hardened and secured. This can be achieved by at a minimum implementing the Top 4 mitigation strategies, using an up-to-date anti-virus program, and implementing a host-based firewall and IPS/IDS. An alternative approach is only allowing access from frequently updated and restarted, non-persistent, trusted operating environments. b. Each time an authentication request is generated, require the user to enter their PIN or password and have the system display a visual notification; this will enable them to more likely detect fraudulent requests because they will be prompted. c. Store the certificate/keys in the operating systems certificate store rather than in a regular file on the hard disk. Further information 28. The Australian Government Information Security Manual (ISM) assists in the protection of official government information that is processed, stored or communicated by Australian Government systems. The ISM can be found at: http://www.asd.gov.au/infosec/ism/index.htm. 29. The Strategies to Mitigate Targeted Cyber Intrusions: http://www.asd.gov.au/infosec/top35mitigationstrategies.htm Contact details Australian Government customers with questions regarding this advice should contact the ASD Advice and Assistance Line on 1300 CYBER1 (1300 292 371) or asd.assist@defence.gov.au. Australian businesses or other private sector organisations seeking further information should contact CERT Australia at info@cert.gov.au or by calling 1300 172 499. Page 7 of 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information