Thursday 26 January 2012

Is Two-Factor Authentication a commodity?

The complexity with passwords

We all know we need secure passwords, or at least keep them secret.  The problem is that we are asked to increase the complexity of passwords, either with the addition or inclusion of upper case characters, lower case characters, special characters or numbers.    Making the passwords more complex must increase security… or does it lead to users writing the passwords down or recycling the same passwords for a number of environments?

“Something you know, Something you are given, Something you are”

Obviously one of the downsides with passwords is that they can be passed from person to be person, but you lose the accountability of the actions from the user who has logged in.  This is where the requirement for multi-factor authentication arose, so there would be a number of elements to confirm the validity of the person and action.

Multi-factor authentication is said to be made up with two of the follow three elements.  “Something you know”, such as passwords and PINs, “Something you are given”, such as one time passwords, and “Something you are”, such as iris and fingerprint scans.

Some people will such that using multiple of the same type of authentication, such as the use of multiple passwords and PINs, would make it multi-factor.  I disagree, and would call that “Strong authentication” or I’ve heard of it referred to as “1.5 factor authentication”. 

Two-Factor Authentication requires a specialist?

In the past, there was a high level of complexity associated with two-factor authentication and should only be tackled by specialists within the field.  In the past, there were complicated multi-server implementations to build resiliency, administering more databases, managing a variety of tokens and that even before anything is deployed or secured!!

Hacked… June 2011!

Undoubtedly, most people reading this will be aware of a compromise that was reported in June 2011, where one of the world’s largest token vendor had (reportedly) 40 million tokens compromised.  Suddenly all that hard works seems to have been for nothing.  What did all the complexity bring, other than complexity for complexities sake?

Commoditised market?

There are a number of vendors offering two-factor authentication, but most organisations see it as a must have, rather than a want to have.  The barriers to entry were not only complexity, but security, administration time and in the current economic climate, cost.

Cloud or On-premise?
A cloud service will reduce the hardware cost, the running cost, power, energy, and all the other benefits associated with moving to a host solution.  There is always a concern about physical security, so ensure the provider meets the right criteria and standards.  There will be concerns around uptime, so ensure there is a good SLA in place.  With data security, ensure data is encrypted and not sent to the internet in clear text.

If these concerns are insurmountable, then look at an on-premise solution, but ensure the solution is highly available, if the access is business critical.  Ensure that the administrators looking after the solution can manage it correctly, or have the relevant support contracts to provide this.

It would be useful to have a choice of platforms, whether it is cloud or on-premise.

Ease of use?
In most IT environments we have to manage multiple systems, so we all want an easy to use system.

An intuitive, simple to use management console, with good help features, as well platform parity between the cloud and on-premise solution would be the way forward.

Token options?
Some providers will only offer hardware tokens, some will offer software tokens, some will offer tokens to run on mobile devices, some will offer SMS and/or email tokens, some will offer OATH tokens, and some will offer grid tokens.

What does your user base need?  What mix of tokens is required?  Will there be a company policy to define the type of tokens that will be offered?  What sort of mobile phones need to run tokens?

The preference would be to have all the token types available, but have them at an attractive price point.

Event or Time-based?
To simplify the way a one-time password is generated.  With time based, it take the time, encrypts it using a seed and an algorithm, to generate the one-time password.  With event base, it takes a pseudo-random value encrypts it using a seed and an algorithm, to generate the one-time password.

There are arguments for both solutions, with the time-based potentially going out of sync, or event-based where the password is valid until it is used.  More of a concern is the seed that are pre-populated onto the token, as if that were compromised; someone with it can potentially generate your one-time password!

Ideally, you want to ability to choose either time-based or event-based authentication, and have the ability to generate your own seeds, so even the two-factor authentication vendor would not know it.

Authentication Methods?
Most solutions support RADIUS; some will support Windows logon; some will support integration with OWA, SharePoint, IIS, Apache; some will support Citrix; and occassionally support SAML.
You don't want to be limited with what you can authenticate with, but want a solution that will support standards such as SAML, as this will be used more and more as cloud application usage increases.

With so many new start-ups and small organisations now around, and the largest two-factor authentication vendor being compromised, it is difficult to know who to trust!

We want a vendor with a good security history, but with the foresight to innovate, develop and implement solutions for the future.

Offering a cost effective solution, with large variety of tokens, with the ability to choose either a cloud-based or on-premise platform, with an easy to use interface, the ability to have either time-based or event-based tokens, the ability to populate the tokens with your own seed, support a large number of applications and standards, from a company that has been around for over 21 years, makes Cryptocard the solution that should be considered first.

No comments:

Post a Comment