Two-Factor Authentication and Swivel




White Paper

Abstract

This document looks at why the username and password are no longer sufficient for authentication and how the Swivel Secure authentication platform can provide a strong, cost-effective authentication solution that is easy to use and to manage.

2012

Contents

Introduction
Single-Factor Authentication
  Threats against Usernames and Passwords
    Malware Attack
    Guess the Password
    Steal the Password
    Shoulder Surfing
    Phishing
Dual-Factor Authentication
  Attacks against Dual Factor Authentication
    Steal the Token
    Phishing
  Dual-Factor Authentication and Swivel
    Tokenless
    One-Time Code Extraction
  Attacks against Swivel
    Stealing the token
    Phishing
Conclusion

Introduction

The increasing use of remote access and web-based commerce has increased the need for convenient, cost-effective, yet strong authentication models. Relying on a single factor of authentication, i.e. username and password, is no longer appropriate for many applications. This has led to the increasing use of multi-factor authentication, whereby authentication requires the user to know something (e.g. a password) and possess something (e.g. some form of authentication token). Swivel's approach to two-factor authentication has the advantage that the user does not need a dedicated authentication token. Combined with PINsafe, our patented one-time code extraction protocol, Swivel can provide a strong, cost-effective authentication solution that is easy to use and to manage.

Single-Factor Authentication

When a user authenticates they need to present credentials to the authentication server. A credential may be based on:

- Something they know, e.g. a password
- Something they have, e.g. a security string provided by a token
- Something they are, e.g. a fingerprint or retina scan

Each one of these is a factor of authentication. In the early days of authentication (and in many systems still today) authentication is based upon just a single factor of authentication, specifically a combination of a username and a password (UNP). There is an increasing awareness that this is not sufficient for many systems. This realisation is showing itself not only in the increasing number of organizations that are moving to multi-factor authentication but also in more regulations and legislation that mandate multi-factor authentication. There are three driving forces behind this: firstly the increasing value of the systems being protected by authentication systems, secondly the increasing availability and variety of tools that can be used effectively against simple UNP authentication, and thirdly the increase in cybercrime.

Threats against Usernames and Passwords

One of the weaknesses of UNP is the fact that the password is static, i.e. it does not change from one authentication attempt to the next. Administrators may insist that passwords are changed every 3 months, or even every month; however, that still gives an attacker a significant amount of time to aim at a stationary target. Another issue with passwords is that users and helpdesk administrators want them to be easy to remember, but IT managers and security managers want them to be difficult to guess. These requirements tend to work against one another. It is much easier to remember words than a series of random characters, but it is also much easier to guess a word than a series of random characters. In order to help themselves remember more complex passwords, users are more inclined to re-use the same password for different applications and interfaces. One final weakness of UNP as an authentication model stems from the fact that usernames and passwords have been around for so long. This means there are many software-based attacks out there that are, thanks to the internet, widely available.

So what are the threats against username and password? The following list is not meant to be exhaustive; it focuses on technical attacks against the client rather than attacks against the server or social-engineering-based attacks such as con-tricks, blackmail etc.

Malware Attack

Deploy malicious code on the target's computer, for example a key logger that records a user's keystrokes. By looking at the details of the keys pressed, the password can be determined: search the log for a username and the password is likely to follow. Some software attacks are more sophisticated and look for specific actions before starting to log, e.g. accessing a banking URL. The static nature of passwords means that this form of attack can be very effective.

Guess the Password

There is a range of guessing attacks against passwords, which are based on how much or how little information the attacker has about the target. At one extreme there is a brute force attack, whereby an attacker just guesses different possibilities until they succeed; not very effective, but it can be used if the attacker can gain access to the file of encrypted passwords. Slightly more targeted is a dictionary attack, where rather than just guessing random values the attacker restricts the attack to words or phrases that are likely, as most people choose passwords that are words. Finally, if the attacker knows personal information about the target, they may try their favourite sports teams or their children's names as the password. The need to make passwords memorable makes this kind of attack an option.

Steal the Password

One way of satisfying the IT security manager's insistence on a complicated password is to write it down somewhere; in an envelope in the desk drawer etc. Whereas this form of attack requires physical access, it is surprisingly common practice for people to write passwords down unencrypted.

Shoulder Surfing

To find out what someone's password is you just watch them type it in. Another attack that requires physical access, but as passwords are static you have plenty of attempts at watching the user type in their password to manage to discern the whole thing. This form of attack has become more recognised since the use of Chip and PIN technology, with people being asked to hide their fingers as they type in their PIN.

Phishing

It is particularly difficult to defend against phishing attacks, partly because it is so easy to mount such an attack. You can get all the corporate imagery you need from the real website to build a mocked-up site, then mass email a mock email to any valid email address. The user goes to the mock site and enters their username and password. The attacker then has the password that they need and can do what they will with it.
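The "Guess the Password" threat above turns on the fact that memorable passwords are dictionary words, lightly disguised, or built from personal details. The following is an added example, not code from the white paper or from Swivel, of the kind of registration-time check a defender puts in front of a UNP system so that such passwords are refused before an attacker gets to guess them. The word list is a constructed stand-in for a real breached-password or dictionary file, and the normalisation rules (strip leading/trailing digits and symbols, undo common letter substitutions) are a heuristic chosen for this example.

```python
import re
from typing import Iterable, List

# Constructed sample wordlist; a real deployment would load a large breached-password
# or dictionary file (this small set stands in for it).
COMMON_WORDS = frozenset({
    "password", "welcome", "dragon", "football", "letmein", "qwerty", "monkey", "sunshine",
})

# Cosmetic substitutions people apply to a dictionary word to satisfy complexity rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12


def core_word(password: str) -> str:
    """Reduce a password to the dictionary word a guesser would try first.

    Lower-cases, drops leading/trailing digits and symbols ("Dragon2024!" -> "dragon"),
    then undoes common letter substitutions ("P@ssw0rd" -> "password").
    A heuristic: it deliberately over-approximates what a dictionary attack covers.
    """
    lowered = password.lower()
    trimmed = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return trimmed.translate(LEET)


def check_password(password: str, username: str = "",
                   personal_terms: Iterable[str] = ()) -> List[str]:
    """Return the reasons a candidate password should be rejected (empty list = accepted).

    personal_terms is whatever the enrolment process already knows about the user
    (e.g. names, team) that an informed guesser would also know.
    """
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    word = core_word(password)
    if word in COMMON_WORDS:
        reasons.append(f"dictionary word '{word}' with cosmetic changes")
    lowered = password.lower()
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            reasons.append(f"contains personal information '{term}'")
    if len(set(password)) <= 3:
        reasons.append("fewer than four distinct characters")
    return reasons


if __name__ == "__main__":
    # Constructed candidates a user might submit at enrolment.
    for candidate in ["Dragon2024!", "P@ssw0rd1!", "xX-jsmith-2024-Xx", "correct horse battery staple"]:
        verdict = check_password(candidate, username="jsmith", personal_terms=["Rovers"])
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The check is advisory about the attacker's knowledge, not about the password's formal complexity: "Dragon2024!" satisfies a typical upper/lower/digit/symbol rule yet is rejected because a dictionary attack with a date suffix covers it, while a long passphrase of unrelated words passes with no symbol at all.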

Dual-Factor Authentication

Adding another factor of authentication adds another task for the attacker to complete before their attack is successful. The basic model is that the token provides the user with a one-time code that they must enter in order to authenticate; the security string is dynamic in that it is different for each authentication. We can see that there are many and varied ways of gaining one factor, the password, but having succeeded in that, what does an attacker need to do in addition to defeat a two-factor authentication system?

Attacks against Dual Factor Authentication

There would appear to be two obvious approaches.

Steal the Token

An attacker may be lucky in that the token may be kept in the same drawer as the user's password! But clearly an attack that combines a software attack determining the password and physically obtaining the token could be successful. The first element is straightforward, the second one less so; however, in an e-commerce B2C scenario with many tokens being physically distributed, there may be vulnerabilities that could be exploited.

Phishing

Phishing can still have some success even against dual factor authentication, as the attacker obtains the user's password and one-time code and can therefore use those credentials to fraudulently authenticate as the user. Unlike the phishing attack for single factor, this does not allow the attacker to steal the user's identity, as the user still has the token. This means the attacker cannot re-authenticate without re-phishing the required one-time code, so a web application that requires repeated authentication provides a good defense against phishing attacks; for example, a banking website that requires authentication for every monetary transaction.

Dual-Factor Authentication and Swivel

The Swivel authentication platform is a dual factor authentication solution with subtle but important differences. As with many dual factor authentication systems, Swivel sends the user a security string that they need in order to authenticate, but security strings are sent to the user's mobile phone, either in the form of a voice call, SMS or via a mobile app; therefore there is no need for dedicated security tokens. The received security string is not entered by the user; it is combined by the user with a PIN to extract the one-time code, which is then entered. The advantages of these differences are described below.

Tokenless

The fact that Swivel does not require a dedicated security token (it uses the mobile phone as a token) has a number of advantages. There is nothing that needs to be physically distributed; therefore you are not at the mercy of postal systems etc. to provision users. Users can be provisioned instantly. Just as importantly, there is nothing to physically reclaim once a user no longer requires access. This is particularly relevant where you have a population of users with a high churn rate, such as an academic institution. People treat their mobile phone as something vital; they need it for business but also to keep in contact with their friends and families when they are at work. They are less likely to leave it behind, or leave it in a pocket of a garment destined for the laundry. They are also more likely to notice when they have lost it or it has been stolen. As Swivel reuses an existing device as a security token there is no additional cost. If someone loses or damages their mobile phone, the replacement is borne by the telecoms budget, not the security budget!

One-Time Code Extraction

The use of the Swivel one-time code extraction protocol means that both factors of authentication can be combined into a single credential. This means:

- The user only needs a 4 digit one-time code to authenticate (Swivel can be configured to use PINs of 4 to 10 numbers long, and it can also be used in conjunction with a password).
- As the PIN is never entered, the attacks described earlier, such as key loggers, cannot be used to ascertain one of the two factors of authentication.

So the use of the Swivel dual factor solution makes some of the attacks discussed before even harder. There is no physical token to distribute, and the loss of a mobile phone is likely to be noticed and reported sooner than that of a security token. In the event that an attacker gains access to a mobile phone, security is still not compromised, as the attacker still needs the PIN, and the PIN cannot be ascertained by key-logging attacks as it is never entered by the user.

Attacks against Swivel

Stealing the token

In the Swivel example this attack still leaves the attacker the problem of the PIN; as the PIN is never entered, it cannot be obtained via key-logging type attacks.

Phishing

No authentication product is immune from attack. Forms of phishing attack may have some success against Swivel; it is very difficult to stop users entering credentials onto a mock web site, as discussed before. Once entered, these valid credentials can be used by the attacker; as before, this does not allow the attacker to steal the account, as they cannot re-authenticate without the mobile phone. A mock web site can send a user a false security string and, by examining the returned one-time code, ascertain the user's PIN. However, this requires knowledge of the target's mobile phone number and the means to send an SMS. Once the PIN is known, physical access to the mobile phone is still required.
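The two sections above ("One-Time Code Extraction" and "Attacks against Swivel") rest on three properties: the PIN is never typed, the one-time code is bound to the particular security string that was sent, and a captured code cannot be re-used once the user or the attacker has spent it. The following is an added example written for this page, not Swivel's product code or its published PINsafe specification. It assumes a simple positional extraction rule (a 10-digit string whose positions are labelled 1 to 9 then 0, each PIN digit selecting the string digit at that position) and a hypothetical verification service, OtcServer, that issues strings and checks codes with single use and a time-to-live. The constructor's generate parameter exists so the example can be exercised with fixed strings.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Assumed extraction rule for this example (illustrative, not Swivel's specification):
# the security string is 10 digits whose positions are labelled 1..9,0 and each PIN
# digit names the position whose digit is copied into the one-time code (OTC).
STRING_LENGTH = 10


def generate_security_string(length: int = STRING_LENGTH) -> str:
    """Server side: a fresh random digit string, delivered to the phone by SMS/voice/app."""
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


def extract_otc(security_string: str, pin: str) -> str:
    """What the user does in their head: pick the string digit at each PIN position.

    PIN digit 0 selects the tenth position. Only the result is typed, so a key logger
    on the client sees the OTC but never the PIN.
    """
    if len(security_string) != STRING_LENGTH or not security_string.isdigit():
        raise ValueError("security string must be 10 digits")
    if not (4 <= len(pin) <= 10) or not pin.isdigit():
        raise ValueError("PIN must be 4 to 10 digits")
    return "".join(security_string[(int(d) - 1) % STRING_LENGTH] for d in pin)


class OtcServer:
    """Hypothetical verification service; PIN storage and SMS delivery are out of scope."""

    def __init__(self, pins: Dict[str, str], ttl_seconds: float = 120.0,
                 generate: Callable[[], str] = generate_security_string) -> None:
        self._pins = dict(pins)                              # user -> PIN (protected storage in practice)
        self._pending: Dict[str, Tuple[str, float]] = {}    # user -> (security string, issued_at)
        self._ttl = ttl_seconds
        self._generate = generate

    def request_string(self, user: str, now: Optional[float] = None) -> str:
        """Issue a new string; any earlier unused string for this user is discarded."""
        security_string = self._generate()
        self._pending[user] = (security_string, time.time() if now is None else now)
        return security_string

    def verify(self, user: str, submitted_otc: str, now: Optional[float] = None) -> bool:
        """Check an OTC against the one pending string, consuming it whether or not it matches."""
        entry = self._pending.pop(user, None)   # single use: right or wrong, the string is spent
        pin = self._pins.get(user)
        if entry is None or pin is None:
            return False
        security_string, issued_at = entry
        now = time.time() if now is None else now
        if now - issued_at > self._ttl:
            return False                          # stale string: the user must request another
        expected = extract_otc(security_string, pin)
        return hmac.compare_digest(expected.encode(), submitted_otc.encode())


if __name__ == "__main__":
    server = OtcServer({"alice": "2468"})         # constructed enrolment data
    sent = server.request_string("alice")         # this is what reaches the phone
    typed = extract_otc(sent, "2468")             # this is all that reaches the keyboard
    print(f"string sent to phone: {sent}  OTC typed: {typed}")
    print("first use accepted:", server.verify("alice", typed))
    print("replay accepted:", server.verify("alice", typed))
```

Two design points follow from the text. A wrong code consumes the pending string, so an attacker who has only the phone (the "Stealing the token" case) gets one guess at the PIN per string rather than an unlimited online search. And because verification is tied to the string the server itself sent, a code phished against a different or expired string is rejected; the page's observation that a phished code cannot be replayed after use is exactly the single-use pop in verify.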

Conclusion

Two-factor authentication is a much stronger form of authentication than single-factor. Swivel's implementation of two-factor authentication, with its unique one-time code extraction protocol and its use of the mobile phone as a security token, provides a number of advantages, including increased strength of authentication and decreased running costs.