Avoiding Two-factor Authentication? You’re Not Alone: Understanding How to Overcome Two-factor Hurdles

© 2013, PistolStar, Inc. d/b/a PortalGuard. All Rights Reserved.



Table of Contents

A Recent Spike in Two-factor Authentication Interest 3

What is Two-factor/Multi-factor Authentication? 6

What’s the Hold-up? Organizations are Facing Major Hurdles 9

Experts Say “Two-factor is the Bare Minimum!” Or is it? 13

Knock Down the Barriers: What does a Solution Need to Have? 16

A Look at Two-factor Solutions: Benefits & Shortcomings 19

Conclusion 23


A Recent Spike in Two-factor Authentication Interest


“In the space of one hour, my entire digital life was destroyed.” In August of 2012 Matt Honan, editor at WIRED, reported on his recent attack, in which it took hackers a mere 60 minutes to break into his Google account and from there wipe out his digital identity, all with the goal of gaining access to his sought-after Twitter account.[1]

An eye-opener, this hacking example created buzz around two-factor authentication and the need for it. The Google Trend for “two-factor authentication” shows a clear spike in August and a new level of continuing interest ever since. The search term “two-factor authentication” is now searched in Google on average 49,500 times per month. Predictions about the global two-factor and multi-factor authentication markets also show substantial growth. In a recent report from TechNavio the global two-factor authentication market is expected to grow by 20.8% over 2011-2015, driven primarily by regulatory requirements.[2]

The multi-factor authentication market is set to reach $5.45 billion by 2017 according to MarketsandMarkets research.[3]

Why the push for two-factor beyond regulatory compliance? Verizon’s Data Breach Investigations Report shows an increase in corporate data breaches. In 2012 there were 855 incidents of corporate theft with 174 million records being compromised. 98% of those came from hackers using various hacking methods to break in.[4]


Even Google has declared war on passwords with its recent implementation of two-step authentication, a recommended feature for securing your Google account. Partnerships with hardware token vendors such as Yubico show that Google is looking for a way to avoid its own data breaches, as were seen in 2012.[5] Other major websites are following suit, including Facebook, Twitter, Dropbox, PayPal, and more. So with all of the evidence showing that there is an everyday threat to our digital identities and data, why is two-factor authentication not widely implemented? Why is it that every organization has passwords but has not taken the next step towards strengthening authentication? The following chapters take a look at the arguments for and against two-factor authentication. Two-factor authentication or not? That is the question.

References:

[1] http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/
[2] http://www.prbuzz.com/technology/95904-new-research-on-two-factor-authentication-market.html
[3] http://www.marketsandmarkets.com/PressReleases/multi-factor-authentication.asp
[4] http://blog.pistolstar.us/blog/data-breach-investigations-report-great-data/
[5] http://blog.pistolstar.us/blog/declaring-war-on-passwords/


What is Two-factor/Multi-factor Authentication?


According to Wikipedia,[6] the high-level definition of multi-factor authentication is an approach to authentication which requires presentation of two or more of the following authentication factors:

• A knowledge factor (something the user “knows”)
• A possession factor (something the user “has”)
• An inherence factor (something the user “is”)

The extra factors are implemented to prove the user’s identity beyond a simple password. The definition states that, to be two-factor authentication, the system must require the user to provide at least two of the factors listed above. For example, the user would be required to enter their username, their password (something they know), and a one-time password generated by a hardware token (proving they have something). The use of two distinct authentication factors helps eliminate an organization’s security concerns around granting access based on a single, knowledge-based factor, the password. A common form of authentication which is mistaken for two-factor authentication is knowledge-based authentication, where the user is asked to provide their username, password, and the answer to a knowledge question. This does not meet the definition because the password and the answer are both factors the user knows: two credentials, but only one factor category.


Increasing in popularity, the one-time password or OTP is becoming a preferred second factor as it is only valid for one login session or transaction. OTPs avoid the shortcomings of static passwords; in particular, they are not susceptible to replay attacks. If a hacker records an OTP which was already used, they will not be able to reuse it, since it is no longer valid. OTPs can be delivered via SMS, email, printed lists, hardware tokens, phone call, or transparently using a browser plug-in.

Regulatory compliance is one of the driving factors behind two-factor authentication and is forcing organizations to implement stronger authentication. For example, the largest division of the FBI, the Criminal Justice Information System (CJIS), has an Advanced Authentication compliance requirement which is making law enforcement and local governments take action. Effective September 30, 2013, Advanced Authentication will be a requirement for all law enforcement personnel accessing NCIC criminal justice information outside of a secure location.

Other regulatory compliance standards such as the FFIEC, PCI DSS, and HIPAA are also driving the market towards two-factor authentication. However, what if your organization does not have these regulatory compliance standards pushing you towards implementing two-factor? Do you still feel like your data is sensitive enough to protect with stronger authentication? Or do you take on an “it’s not going to happen to me” attitude?
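The two points this chapter makes, that two credentials of the same category are not two factors, and that a used OTP must be worthless to anyone who recorded it, can both be shown in a small server-side check. The following is an added example written for this guide, not code from PortalGuard or from the page; the factor categories follow the definition quoted above, while the credential kinds, the counter-based OTP construction (RFC 4226 HOTP), the look-ahead window and the demo secret are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import struct
from enum import Enum

# Hypothetical demo code. The three factor categories are the ones defined in
# the text; credential kinds, window size and the demo secret are assumptions.


class Factor(Enum):
    KNOWLEDGE = "something the user knows"
    POSSESSION = "something the user has"
    INHERENCE = "something the user is"


# Which factor category each credential kind proves. A security question is a
# second knowledge credential, not a second *distinct* factor.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "hardware_otp": Factor.POSSESSION,
}

LOOKAHEAD = 10  # token presses the server tolerates being skipped (assumed)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time password using the RFC 4226 construction."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class UserRecord:
    """Server-side state for one user: salted hashes plus the token counter."""

    def __init__(self, password: str, answer: str, token_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.password_hash = self._hash(password)
        self.answer_hash = self._hash(answer.strip().lower())
        self.token_secret = token_secret
        # Highest HOTP counter accepted so far. Every accepted code moves it
        # forward, which is what makes a recorded OTP useless when replayed.
        self.last_counter = -1

    def _hash(self, value: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", value.encode(), self.salt, 100_000)

    def verify(self, kind: str, value: str) -> bool:
        if kind == "password":
            return hmac.compare_digest(self._hash(value), self.password_hash)
        if kind == "security_question":
            return hmac.compare_digest(self._hash(value.strip().lower()), self.answer_hash)
        if kind == "hardware_otp":
            # Only counters *after* the last accepted one are candidates, so a
            # code that was already used (or any older one) can never match.
            for counter in range(self.last_counter + 1, self.last_counter + 1 + LOOKAHEAD):
                if hmac.compare_digest(hotp(self.token_secret, counter), value):
                    self.last_counter = counter
                    return True
            return False
        return False


def authenticate(user: UserRecord, credentials: dict) -> tuple:
    """Return (granted, factors_proven).

    Access is granted only when the verified credentials cover at least two
    distinct factor categories, which is the definition given in the text.
    """
    proven = set()
    for kind, value in credentials.items():
        if kind in CREDENTIAL_FACTOR and user.verify(kind, value):
            proven.add(CREDENTIAL_FACTOR[kind])
    return len(proven) >= 2, proven


if __name__ == "__main__":
    token_secret = b"constructed-demo-secret"  # constructed for the demo, not a real key
    alice = UserRecord("correct horse battery", "Fluffy", token_secret)
    code = hotp(token_secret, 0)  # first press of the hardware token

    # password + fresh OTP: knowledge and possession, access granted
    print(authenticate(alice, {"password": "correct horse battery", "hardware_otp": code}))
    # replaying the same OTP: only the knowledge factor is proven, access denied
    print(authenticate(alice, {"password": "correct horse battery", "hardware_otp": code}))
    # password + security question: two credentials, one factor category, denied
    print(authenticate(alice, {"password": "correct horse battery", "security_question": "fluffy"}))
```

The replay rejection lives entirely in the server's stored counter: once a code is accepted, the search window moves past it, so the same code recorded by an attacker fails even though the password half of the login still succeeds. The same function also shows why knowledge-based authentication does not qualify: the security question verifies, but it adds nothing to the set of factor categories.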


References:

[6] http://en.wikipedia.org/wiki/Multi-factor_authentication


What’s the Hold-up? Organizations are Facing Major Hurdles


There are numerous two-factor authentication discussions occurring in the blogosphere. After compiling comments from these conversations, it is clear there are major hurdles to implementing two-factor which prevent widespread adoption. All too common today are TV advertisements for various medications which definitely solve an ailment but carry a laundry list of side effects. For example, the antidepressant Zoloft solves a severe problem many suffer from; however, the side effects are extreme and potentially life threatening.[8] Although some patients may suffer from depression enough to risk the side effects, this will most likely deter those who are only mildly affected. “Two-factor medication” can be seen in the same light. Some have taken it because they have been attacked, see themselves as potential targets for large hacking attacks, or are being forced to by regulatory compliance. However, the rest of the market has decided the negative side effects of implementing two-factor outweigh the benefits.


Many organizations have an “it’s not going to happen to us” attitude and don’t feel the everyday threat which is present. IT security professionals are also reluctant to “rock the user boat” and do not have a 100% sure-fire way to solve their authentication challenges without having to overcome major hurdles such as:

• I can’t distribute tokens
• I cannot justify the expense
• My ACLs aren’t properly configured anyway
• It’s too difficult for my users to use
• I have no buy-in from management
• My data isn’t sensitive enough

These hurdles come directly from the organizations evaluating whether to implement two-factor authentication. With such strong opinions, it is clear that there is a barrier keeping two-factor from being widely implemented.

As one commenter stated: “I love the idea of two-factor but it is the least of my concerns. If you do not have security configured once you are authenticated – how hard it is to get there is of little consequence. Our organization is not the NSA so I do not have a huge potential for disaster vs. the complexity of implementing additional authentication. I just cannot justify the expense and would find it difficult to get buy-in from management.”[9]

From the executive or business side of most organizations there is a lot of resistance unless they have experienced the direct effects of an attack or compliance audit. Many times the IT security team is saying “Yes” while the business side is saying “No”, citing the following factors:

• Exorbitant costs for the tokens and support software
• It is an infrastructure add-on, so there is little skill in-house to implement and maintain it
• Provisioning the tokens is seen as a nightmare
• There are few examples of TRUSTED two-factor authentication solutions which organizations support and are not just vendors “tooting their own horns”


These barriers exist due to the lack of a solution the market can feel confident in. While recent news and reports are heavily advocating two-factor authentication, the “big guys” are having issues with implementation and security. Facebook recently had a security hole found related to the storage of phone numbers used for two-factor “Login Approvals”. A hacker proved he could use readily available reverse lookup functionality to find the associated Facebook profiles,[10] truly an invasion of privacy and an open door for hackers.

Twitter is also struggling to implement two-factor authentication, with some controversy. Although recent hacks of Burger King’s and Jeep’s Twitter accounts[11] show a need for stronger security, some reports are claiming that the data is not sensitive enough to protect and that two-factor would just hurt the user experience.[12]

With reports in the news like this, it is difficult to know which direction to go in. However, if you had a solution which removed most of the hurdles and made it easier to implement two-factor authentication, would you? With such a solution available in the market, would two-factor authentication become the new bare minimum?

References:

[8] http://www.zoloft.com/
[9] http://blogs.technet.com/b/steriley/archive/2006/04/20/425824.aspx
[10] http://www.pcworld.com/article/2012084/facebook-removes-twofactor-authentication-mobile-numbers-from-search.html
[11] http://www.csoonline.com/article/729193/jeep-joins-burger-king-on-twitter-hacked-list-inspires-mtv-bet-to-fake-breaches
[12] http://www.zdnet.com/two-factor-authentication-wont-protect-twitter-google-oneid-7000011358/


Experts Say “It’s the Bare Minimum!” Or is it?


What do the experts recommend? They confuse the matter further by offering varying opinions about whether two-factor should be the new bare minimum when it comes to security or whether passwords alone are enough. Some experts argue that two-factor authentication is the bare minimum for improving security, even though it may cause some disruption in your organization and user experience. The evidence offered for this argument is the advanced attack techniques hackers are using, such as man-in-the-middle and keystroke logging attacks, both of which capture a static password regardless of how complex it is.

Primary reasons experts as well as vendors are pushing two-factor authentication include compliance standards, increasing risks, users having too many passwords to remember, an uptick of private information on the internet, and solutions on the market are becoming easier to use. In a recent LinkedIn discussion, one expert put the blame on the organizations’ IT departments claiming “Two-factor is the minimum but IT is taking the easy way out and not wanting to rock the boat. There is a lack of leadership in taking the reins and saying this is a must have. It seems that organizations do not fully understand the very real threat that every organization is under each and every day. Organizations need to rock the boat.”


Other experts say that passwords, the single factor, are enough. Two-factor in their eyes is not required in all situations and should not become the new “bare minimum”. In their opinion it does not make sense for many organizations to spend money on two-factor authentication before using passwords properly or doing a risk assessment to determine how strong their authentication needs to be. A strong alpha-numeric password could take months to crack, and this is often where malicious attacks are focused: on the password file rather than the login prompt. So measures such as a stronger firewall or intrusion detection system are much more important than locking down complex passwords. Organizations seem to be pushed towards more complex authentication solutions when their issue is simply a bad implementation of passwords or inaccurate risk assessments. These experts argue it doesn’t make sense to take a “more controls no matter what” attitude, but instead to implement the single factor, the password, properly in the first place. Discussions are split when it comes to which data needs to be protected. One opinion is that the authentication only needs to be as strong as the data it is protecting. However, many times it is the benign data, such as a timesheet application, which can create an unexpected backdoor into the organization.


Going back to Matt Honan’s story, he blatantly disagrees that passwords are enough, stating: “Since the dawn of the information age, we’ve bought into the idea that a password, so long as it’s elaborate enough, is an adequate means of protecting all this precious data. But in 2012 that’s a fallacy, a fantasy, an outdated sales pitch. And anyone who still mouths it is a sucker—or someone who takes you for one.”[13]

Having been a victim of an attack himself he speaks directly from that point of view. Matt had implemented strong passwords with multiple characters, symbols, upper and lowercase letters, and more which was still not enough.

The issue comes from the fact that his accounts were all linked and the password recovery process was flawed. Once the hackers had access to one account they had access to all of them. Experts who often discuss implementing passwords forget that a password can be a single point of failure in the age of hyper-connectivity. Which opinion do you agree with? Are passwords enough? Or do you agree with the public victim, Matt Honan? Should two-factor authentication be the bare minimum?


References:

[13] http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/


Knock Down the Barriers: What Does a Two-factor Authentication Solution Need to Have?


At the recent RSA Conference 2013 in San Francisco, one of the resounding themes was the expansion of authentication solutions. The idea of replacing the old password as a login method is one that is feverishly being worked on by many vendors. However, the main struggle for vendors is handling the tradeoff between usability and security.[14] Matt Honan identified this after explaining that security has two tradeoffs, convenience and privacy. For example, if you implement a password policy which is unusable, the security solution fails and is abandoned or circumvented. Privacy also limits what an organization can leverage for two-factor authentication. Many organizations are terrified of alienating their users and like the idea of offering a simple, private solution versus a secure one. Overall there is a lack of confidence in the marketplace as some of the leading solutions have experienced major hacks, leaving behind doubts about the authentication methods being secure. There is no “holy grail” solution for people to feel good about purchasing. It is unfortunate to see many organizations take the “it will not happen to us” approach because there is no simple answer to two-factor authentication.


When the question was posed “What do YOU need out of two-factor authentication?”,[15] the common themes were that a solution needs to be:

• Secure
• Simple to use, to avoid resistance from users
• Inexpensive
• Seamlessly integrated with all systems
• Able to solve the provisioning/enrollment problem of tokens
• Without the requirement of massive infrastructure
• Easy to deploy and manage
• Combined with single sign-on (SSO) for increased usability
• Reliable
• Using tokens which are easy to create, deploy, revoke, and replace


References:

[14] http://bitzermobile.com/blog-musings-from-rsa-2013/
[15] http://blogs.technet.com/b/steriley/archive/2006/04/20/425824.aspx

Luckily there are options emerging on the market which attempt to provide these qualities. It is important to take a look at the options and be careful with vendor selection. Are you ready to take the next step and evaluate the vendors on the market?


A Look at Two-factor Solutions: Benefits and Shortcomings


Rounding out the information in this eGuide is a look at the benefits and shortcomings of two of the leading methods in the marketplace today. With numerous vendors to choose from, identifying a solution can feel like a daunting task. This information is offered to help you see both sides of a mobile phone one-time password solution and a USB hardware token solution.

Mobile Phone Two-factor Authentication: Leveraging the user’s mobile phone as the hardware token used to deliver the OTP has become increasingly popular. As most users already have mobile phones, this avoids the headaches of purchasing and distributing hardware tokens. The OTP can be delivered as an SMS text message, a phone call, or through an application on the phone itself. On the downside, this changes the user experience and requires users not only to have a mobile phone, but also to make sure it is available at the time of login, with service, fully charged and powered on. Oftentimes this causes user frustration as usability is impacted. There can also be charges incurred, as each SMS message can generate an associated delivery fee. Although minimal per message, with larger user populations this cost can grow substantially. Many of these solutions are hosted and cost anywhere from $10-$25 per user per year on a recurring basis.


USB Hardware Token: This new version of the hardware token is an effective alternative to the older styles because it does not require batteries to operate. Instead it receives power from the USB port of the user’s computer, and requires just a touch of the user’s finger to enter the OTP into the desired field, without requiring client-side software or drivers. This makes the solution portable and ideal for public computer usage. Solutions on the market are now smaller and more durable as well. Of course, this still has the main issues of any hardware token, which include the purchasing, distribution, and management of the token as an extra piece of hardware the user is responsible for. Being required to constantly plug in a device interrupts the user’s experience, especially when the token is lost or left behind at home. The other primary issue is the cost of these devices.

Initially tokens cost upwards of $50 each. Now even with a price tag of $25 per token, it is still an unacceptable cost for small organizations.


Ideal Solution: What would the ideal solution be? There are some key factors which make the ideal solution the use of a transparent browser plug-in to deliver the OTP. Being completely transparent to the user avoids any impact to the user experience and maintains usability. Looking at this type of solution compared to mobile phone or USB token solutions it is clear that it would:


• Require no infrastructure, or hardware other than the user’s computer

• Be easy to use as it requires no interaction from the user, eliminating the potential for user errors

• Install on separate machines so you can control which devices have access

• Remove the need to carry a separate device or token to authenticate

• Not depend on the availability of a token or phone

• Not change the user experience


Just as there are multiple access scenarios in every organization, each of the described authentication methods may have a place in your organization. Flexibility is paramount when it comes to choosing the right solution. With vendors pushing their products in the market and gaining in popularity, the key is to choose a solution which allows you to easily deploy multiple authentication barriers while maintaining the balance between usability and security so as not to impact the user experience.


Conclusion


With the publicity around Matt Honan’s 2012 hacking incident and opinions that passwords are not providing adequate security, the market is buzzing about implementing two-factor authentication. Driven by the threats of attacks and regulatory compliance, many organizations are beginning to look into the two-factor market to see what solutions are available. However, two-factor authentication has not been widely implemented as it has major barriers for many organizations related to cost and usability. With the discussions of experts split, it is a confusing time to decide what is best. It is clear that there is not yet a popular “holy grail” solution available. Solutions need to be many things including inexpensive, secure, reliable, and easy to implement.

When choosing a solution, look at the options in the market, such as mobile phones or USB tokens, and weigh the pros and cons. A recommended solution would be one which is transparent to the user and is part of a platform which can offer you flexibility and options to handle all of your organization’s access scenarios. With a lack of confidence in the current two-factor authentication marketplace this is a space to watch as emerging vendors seize the initiative and battle to emerge as the next leader who will help shape the authentication landscape in the years to come.


For vendors, the success of their solution will come from the ability to balance both security and usability while delivering various two-factor authentication methods.