Two-factor authentication

Considerations for selection of a two-factor authentication system.
Written by Duncan de Borde, Siemens Insight Consulting

In order to provide trustworthy remote access to business services, secure authentication systems need to be used. Basic username and password authentication is no longer considered secure enough to protect a company's computer-based assets. Any organisation looking into the introduction of a secure authentication system will be faced with a variety of complex choices. Selection of inappropriate technology, or failure to consider all the needs of the authentication system during the decision-making process, can prove an expensive mistake. It is important to ensure that the system as a whole, not just the choice of technology, continues to meet the needs of the business, its users, business partners and possibly online customers, both in the short and long terms.

If the correct decisions are made early in the project, there is a significantly greater chance that the business will inherit an authentication system that can reduce risk, open up further opportunities to enhance on-line capabilities, and remain in operation for a longer period, continuing to provide return on investment.

Wherever a high level of risk is identified with the danger of invalid users gaining access to systems, the use of some form of authentication stronger than a simple username and password may need to be considered. Traditionally the use of “strong authentication” has been largely associated with closed communities, such as authenticating employee access to corporate networks, though increasingly this is becoming a risk that needs to be addressed for the wider on-line community, e.g. in the case of online banking. As boundaries between businesses become more blurred, with customers or suppliers being allowed access to corporate systems, this will also become a consideration for business-to-business relationships.

Identity Management

This article highlights some of the issues that may need to be considered when selecting the right authentication solution for the business problem. This should not only include the choice of authentication technology, but also consider the supporting systems and processes, and how they will fit in with the business model.

Authentication factors
Authentication establishes a level of confidence that the identification provided (e.g. username) is authentic. Most authentication methods today rely on one or more of the following factors:
• Something you know
• Something you have
• Something you are.

A password is an example of “something you know”. To establish a level of trust it must be something that ONLY the user knows. Passwords often get shared or written down, can be intercepted (e.g. over the network, or by key loggers), and weak passwords can be cracked. Dependent on the level of risk identified, this form of authentication on its own may no longer be sufficient. More innovative use of the “something you know” factor, such as selection of password/PIN characters from a drop-down list or image selection, may help to address part of the problem, such as key logging, but still relies on the same basic principle.

The “something you have” factor requires the user to be in possession of something. This “something” is usually referred to as a token. A token is typically, but not necessarily, a hardware device that has been issued to the user for the purposes of authentication. There are various forms of token, which are described later. The important attributes are that the token can be authenticated by the system and uniquely associated with the user. The process of authenticating a token should use some form of “strong authentication” that is less easily compromised than a simple password, i.e. using some form of cryptographic process.

The “something you are” factor refers to some form of biometric authentication, based on a measurement of some personal characteristics (which may or may not be physical). It is important here to understand the difference between the use of biometrics for authentication and for identification, which may impose different requirements on the process (biometric identification can spot a known person in a crowd, whereas biometric authentication validates a claimed identity). Multiple forms of biometric authentication are available, all of which may enhance the level of confidence in the authentication process. At present the applicability of biometric authentication to the on-line community may be limited, with it being better suited to a more closed community. Not all biometric authentication methods require dedicated or expensive hardware; however, all do require some initial measurement to be taken during registration.

Whilst biometrics will have a part to play in some situations, in most cases where the desire is to increase the level of trust in the authentication process over passwords, the use of a token is often the most appropriate choice. It is important to consider that “something you have” also has its own inherent weakness: it can be stolen. On its own it is therefore not more secure than “something you know”, but it should be combined with “something you know” to form a “two-factor” authentication system, in which a compromise of either one of the factors on its own would not be sufficient for an attacker to gain access.

Forms of token
There are a number of options on the market which could fulfil (or be seen to fulfil) “something you have” authentication. These forms of token can be broadly split into the following categories:
• Paper tokens: At the simplest level this could be a distributed list of “one time passwords”, or could take the form of a “grid” of codes the user needs to enter in response to a form of challenge
• Soft tokens: These rely on a “software” component present on the client's computer, e.g. a cookie or a software token application
• Hardware tokens: These are physical devices the user needs to be in possession of. Typically hardware tokens will incorporate physical and logical mechanisms to protect their data and prevent copying.

One question to ask is whether the token actually implements the fundamental principles of “something you have” (and ONLY you have), i.e.:
• Is the token
• Does the token have inherent protection against being copied, or if it was copied would this be apparent to the user?

If you cannot answer “Yes” to these questions, there can be no guarantee that ONLY you have that token. It would then have to be argued whether the token could be considered as “something you have” for the purposes of authentication.

This effectively rules out any paper-based token, which can easily be copied. It may also eliminate any soft token unless it is securely linked to the hardware upon which it is installed (effectively making the computer hardware the token), which limits portability. Such token types may still have their merits in enhancing authentication, but are discounted for this discussion of “two-factor authentication”, which requires you to physically have a token.

For the choice of a secure two-factor (token-based) authentication mechanism it is therefore suggested that a hardware token is required.

Diagram 1 - Processes in the lifecycle of a token

Hardware tokens
Hardware tokens can take many physical forms, e.g. a token that is (from the user's perspective) little more than a simple LCD display, a token that connects to a USB port, or a smart card. These tokens can operate in either a disconnected or connected manner. In general terms hardware tokens can be further sub-divided into the following categories:
• Disconnected tokens: These hardware tokens have no physical or logical connection to the client computer. Instead they generate authentication information which the user can manually enter as part of the authentication process
• Connected tokens: These are hardware tokens that need to be physically connected to the client's computer
• Contactless tokens: These are hardware tokens that logically connect to the client computer (like connected tokens), but do not require a physical connection.

Most disconnected tokens rely on a “one-time password” (OTP) technique, i.e. on each use they generate a new one-time password (PIN) that is valid only for that session and is derived cryptographically (i.e. cannot be easily predicted). These OTP values may be derived from time-based or sequence-based information. More complex disconnected tokens may also use a “challenge-response” mechanism, if they have a keypad on which to enter a challenge presented from the web page before generating the response.

Connected tokens may make use of similar principles but with some added benefits:
• User interaction may be reduced, thus making the process simpler for users and reducing the likelihood of human error
• It is possible to use more cryptographically secure authentication of the token
• Enhanced functionality may be provided in the token, e.g. digital signature capability or additional functionality to combat phishing.

The issue with connected tokens is generally one of connectivity. Not all computers have smart card readers, and though most do have USB connectors these days, they cannot be guaranteed to be free to use or easily accessible. In a closed community, a connected hardware token, such as a smart card, is often an appropriate choice, but for the on-line community a disconnected token may be the best fit.

Contactless tokens have all the advantages of connected tokens, with the additional benefit that no physical connection is required. There is still the need to have the appropriate contactless card/token reader.

There is no single right answer to what is the best choice of token technology. The choice of token will vary according to application-specific requirements, including usability, cost, and level of security. In some cases there may even be the need to support different token technologies for different users.

Supporting systems and processes
Traditionally a lot of the focus on “two-factor authentication” systems has been on the tokens themselves; however, the implementation of supporting systems and processes can have as much of an impact on the user experience and the total cost of ownership of the system as the tokens themselves. Any supporting systems and processes will need to securely manage a number of services which form part of the authentication system, throughout its lifecycle, which can include:
• User registration
• Token production and registration
• Token distribution
• User and token authentication
• Password changes and resets
• Token renewal
• Contingency for temporarily mislaid tokens
• Replacement of permanently lost or broken tokens
• User and token revocation.

The diagram at the top of this page summarises the processes in the lifecycle of the token.
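As an added illustration of the OTP mechanism described under Hardware tokens (time-based and sequence-based derivation, with the server tolerating modest drift) and of the two-factor principle that neither factor on its own should be sufficient, the following example code is not from the article. It assumes the HMAC-based OTP construction standardised as HOTP (counter-based) and TOTP (time-based), a constructed token seed, and a constructed user record of the kind a directory service might hold.

```python
import hashlib
import hmac
import struct

# Constructed sample seed, standing in for the secret a hardware token holds in
# tamper-resistant storage and shares with the authentication service at
# registration. It is the RFC 4226 test seed, not a real token's secret.
TOKEN_SEED = b"12345678901234567890"

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Sequence-based OTP (HOTP): HMAC-SHA1 over the 8-byte counter, then
    dynamic truncation to a short decimal code the user can type in."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(seed: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (TOTP): the counter is the number of `step`-second
    intervals since the Unix epoch, so token and server clocks must agree
    loosely."""
    return hotp(seed, int(now) // step, digits)

def verify_hotp(seed: bytes, last_counter: int, code: str, look_ahead: int = 5):
    """Server-side check for a sequence-based token. A small look-ahead window
    tolerates button presses whose codes never reached the server, but a
    counter at or below the last accepted one is never accepted again: that is
    what makes the password one-time. Returns the new counter, or None."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(seed, c), code):
            return c
    return None

def verify_totp(seed: bytes, now: float, code: str, step: int = 30, skew: int = 1) -> bool:
    """Server-side check for a time-based token, allowing `skew` steps of clock
    drift either side of the server's own time."""
    return any(hmac.compare_digest(totp(seed, now + s * step, step), code)
               for s in range(-skew, skew + 1))

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample user record of the kind a directory service would hold:
# the "something you know" verifier and the "something you have" seed/counter.
USER = {
    "salt": b"constructed-salt",
    "pw_hash": hash_password("correct horse", b"constructed-salt"),
    "token_seed": TOKEN_SEED,
    "token_counter": 0,
}

def authenticate(user: dict, password: str, otp_code: str) -> bool:
    """Two-factor decision: both factors are always evaluated and both must
    pass, so a stolen token (good OTP, unknown password) or a captured password
    (good password, no token) fails the same way. The token counter only
    advances on success."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    new_counter = verify_hotp(user["token_seed"], user["token_counter"], otp_code)
    if pw_ok and new_counter is not None:
        user["token_counter"] = new_counter
        return True
    return False
```

The codes produced for the constructed seed match the published HOTP/TOTP test vectors, which is a convenient way to check an implementation against a real token before deployment.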
These processes have to be managed in a way that is scalable for the target number of users (and beyond), meeting targets for performance and availability. For any large community it is likely that this will require a robust directory service to maintain the registration and authentication information. This may already be present for an existing user population, but may need some extension to support new authentication and token data. It should also be considered whether a new, dedicated directory service could be required.

Interfacing into this directory service will be one or more systems for management of the user and token life-cycle. These systems need to ensure the consistency of the data and, as much as possible, automate processes. If other systems or directories need to be linked into these processes, an identity management system may play an important role in streamlining the overall lifecycle management processes.

Finally, linking into the directory will be an authentication service to handle the authentication of the tokens. This will need to be integrated with the required access control systems or web servers (e.g. via the use of suitable plug-ins), and will also need to meet targets for performance and availability. The diagram on the right illustrates how these systems may link together.

Some important process decisions will need to be made, including:
• What user registration processes are required, and how will these need to be secured?
• How are tokens to be issued (and re-issued) to end-users?
• What help-desk facilities will be required to deal with lost tokens and any authentication issues?
• How will the above processes be secured to ensure tokens are only supplied to valid

In making these process decisions it should be considered whether these are aspects the organisation can take on board themselves, or whether parts of this will need to be out-sourced. Does, for example, the token supplier have any facility for handling the issuance of tokens on the organisation's behalf, or can the system supplier provide any help-desk facilities?

Diagram 2 - Systems linked together

Future proofing
Implementing a two-factor authentication system can be a major investment. To gain a return on that investment it is important that the system will not become out-dated soon after it goes live. Any implementation should have one eye on future trends and how they may impact it. Questions you may want to ask include:
• Will the system scale if the number of users or transaction rate exceeds initial forecasts?
• How will the tokens or their lifecycle be affected as cryptographic attacks are enhanced?
• How much of the system implementation is standards-driven?
• Is there any potential for the system in the future to take advantage of any shared authentication tokens, which may help to amortise hardware token costs?
• Is there any possibility to extend the system to adopt external identity schemes (e.g. national schemes or EMV CAP)?
• Is there any capability to introduce new functionality to address new threats?

Summary
A number of important decisions need to be made before embarking on a project to implement a two-factor authentication system. One of these is of course the choice of token, but this is not the only concern for the project. Of equal importance will be factors such as:
• What supporting systems will be put in place to manage the system?
• How will the various lifecycle processes work?
• Will any parts of the process need to be outsourced?
• Will any supplier be able to take ownership for the entire system, or will we need to deal with multiple point suppliers?
• What will the total cost of ownership of the system be, taking into account all the above factors as well as the token cost?
• How will the system cope with future trends?
