Two-factor authentication

From Wikipedia, the free encyclopedia

Two-factor authentication (TFA or 2FA) is an approach to authentication which requires the presentation of two different kinds of evidence that someone is who they say they are. It is part of the broader family of multi-factor authentication, which is a defense-in-depth approach to security. From a security perspective, the idea is to combine pieces of evidence that are exposed to different ranges of attack vectors (e.g. logical versus physical), so that an attacker must defeat both; this makes the attack scenario more complex and consequently lowers the risk.

[edit] Background

Two-factor authentication is commonly found in electronic computer authentication, where basic authentication is the process of a requesting entity presenting some evidence of its identity to a second entity. Two-factor authentication seeks to decrease the probability that the requestor is presenting false evidence of its identity. The number of factors is important because it implies a higher probability that the bearer of the identity evidence indeed holds that identity in another realm (i.e. the computer system versus real life). In reality there are more variables to consider when establishing the relative assurance of truthfulness in an identity assertion than simply how many "factors" are used.

Two-factor authentication is often confused with other forms of authentication. Two-factor authentication implies the use of two independent means of evidence to assert an entity, rather than two iterations of the same means. "Something one knows", "something one has", and "something one is" are useful simple summaries of three independent factors. In detail these factors are,

It is generally accepted that any two independent authentication methods from this list (e.g. password + value from a physical token) constitute two-factor authentication. The accepting party may use these facts (among other criteria) as grounds on which to grant or deny the requestor's access to a sensitive data set or physical area. The requestor may be a person or a computer system agent acting on behalf of a person.

Another independent means that is becoming more practiced in computer systems is "how one behaves", although it is more often used as a decision point for transactions or to de-authenticate an entity than to establish initial truth in identity.

[edit] Improvement with two factor authentication

Two factors: password used with hardware token

Two-factor authentication is not a new concept. Two-factor authentication has been used throughout history by having a known person utter a password. The first factor is the password, and the second would often be the presentation and demeanor of the requestor as reasonable given the circumstances of his arrival. When a bank customer visits a local ATM, one authentication factor is the physical ATM card the customer slides into the machine. The second factor is the PIN they enter. Without one of these, authentication cannot take place. This scenario illustrates the basic parts of most two-factor authentication systems; the "something you have" + "something you know" concept.

[edit] Qualified authentication factors

An authentication factor is a piece of information, and by extension the process, used to authenticate or verify the identity of a person or other entity requesting access under security constraints. Two-factor authentication (T-FA or 2FA) is a system wherein two different factors are used in conjunction to authenticate. Using two factors as opposed to one factor generally delivers a higher level of authentication assurance. Two-factor authentication is typically a sign-on process in which a person proves his or her identity with two of the three methods: "something you know" (e.g., password or PIN), "something you have" (e.g., smartcard or token), or "something you are" (e.g., fingerprint or iris scan).

Using more than one factor is sometimes called "strong authentication", however, "strong authentication" and "multi-factor authentication" are fundamentally different processes. Soliciting multiple answers to challenge questions may be considered strong authentication but, unless the process also retrieves 'something you have' or 'something you are', it would not be considered multi-factor. The FFIEC issued supplemental guidance on this subject in August 2006, in which they clarified, "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category ... would not constitute multifactor authentication."[1]

[edit] Regulatory Definition

Details of authentication requirements in the USA are set out in Homeland Security Presidential Directive 12 (HSPD-12).[2]

Existing authentication methodologies involve the three basic types of "factors" explained above. Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods.[1]

According to proponents, TFA could drastically reduce the incidence of online identity theft and other online fraud, because the victim's password would no longer be enough to give a thief permanent access to their information. However, many TFA approaches remain vulnerable to trojan-controlled websites and man-in-the-middle attacks.[3]

[edit] Types of Authentication that can be used as a second factor

[edit] Tokens

Smart cards and USB tokens are one form of 'something you have'. The differences between the smart card and the USB token are diminishing; both technologies include a microcontroller, an OS, a security application, and a secured storage area.

[edit] Wireless Tokens

A newer class of tokens has been developed to ease the authentication process: no character sequences need to be keyed in, and the authentication factors are paired automatically[4]. Provided the bearer performs the pairing well separated from other similar devices, the pairing status can be maintained for the whole day, and in particular throughout working hours, without repeating the pairing process. The problem of a lost laptop or a phone left behind can then be addressed by an automatic alarm when the paired devices are separated by more than arm's length. However, the wireless communication between the authentication factors introduces other threats that must be considered according to the Common Criteria.

[edit] Virtual Tokens

Virtual tokens are a new concept in multi-factor authentication first introduced in 2005 by the security company Sestus. Virtual tokens reduce the costs normally associated with implementation and maintenance of multi-factor solutions[citation needed] by utilizing the user's existing internet device as the "something the user has" factor. Also, since the user's internet device is communicating directly with the authenticating website, the solution does not suffer from man-in-the-middle attacks and other forms of online fraud.[citation needed]

[edit] Masking

Two factors: a PIN used as a mask to extract a One Time Code. The Security String changes with every transaction.

A variation on "something you know", that is resistant to keystroke logging and shoulder surfing, is the ability to use a mask to extract a One Time Password or Code. This method was patented[5] by Swivel Secure Limited in 2000. One implementation of this is PINsafe[6]. Masking can be used in conjunction with "something else you know" or in combination with a token - thus negating the security risk associated with device theft or borrowing typically associated with token devices or SMS delivered passwords or codes.[7]

[edit] Biometrics

A human thumbprint - a common type of biometric data used in authentication.

Biometric authentication also satisfies the regulatory definition of true multi-factor authentication. Users may biometrically authenticate via their fingerprint, voiceprint, or iris scan using the provided hardware and then enter a PIN or password in order to open the credential vault. However, while this type of authentication is suitable in limited applications, it may become unacceptably slow and comparatively expensive when a large number of users are involved. In addition, it is extremely vulnerable to a replay attack: once the biometric information is compromised, it may easily be replayed unless the reader is completely secure and guarded. Finally, there is great user resistance to biometric authentication. Users resist having their personal physical characteristics captured and recorded for authentication purposes.

For many biometric identifiers, the actual biometric information is rendered into a string or a mathematical representation. The device scans the physical characteristic, extracts critical information, and then stores the result as a string of data. Comparison is therefore made between two data strings, and if there is sufficient commonality a pass is achieved. The choice of how much data to match, and to what degree of accuracy, governs the accuracy/speed trade-off of the biometric device. No biometric device, therefore, provides an unambiguous guarantee of identity; each provides a probability, and all may produce false positive and false negative outputs. If a biometric system is applied to a large number of users, perhaps all of the customers of a bank, the error rate may make the system impractical to use.

Biometric information can be mechanically copied and cannot easily be changed. This is perceived as a key disadvantage since, if discovered, the compromised data cannot be replaced. A user can easily change his or her password, but a user cannot change a fingerprint. A bio-identifier can also be faked. For example, fingerprints can be captured on sticky tape and false gelatine copies made, or simple photos of eye retinas can be presented. More expensive biometric sensors should be able to distinguish between a live original and a dead replica, but such devices are not practical for mass distribution. It is likely that, as biometric identifiers become widespread, more sophisticated compromise techniques will also be developed.

Historically, fingerprints have been used as the most authoritative method of authentication. Other biometric methods such as retinal scans are promising, but have shown themselves to be easily spoofable in practice. Hybrid or two-tiered authentication methods offer a compelling solution, such as private keys encrypted by fingerprint inside of a USB device.

[edit] Magnetic Cards

Magnetic cards (credit cards, debit cards, ATM cards, gift cards, etc.) combined with secure, encrypting card readers provide a possible solution for two-factor/strong authentication. Each magnetic stripe card has unique physical characteristics, much like a fingerprint of the card, called a magnetic fingerprint. The advantage is that a magnetic fingerprint already exists on every magnetic stripe card because it is an intrinsic characteristic, so no cards would need to be re-issued. Each swipe of the card provides a correlative number called a dynamic digital identifier that can be scored and "matched" against the originating value to determine the card's authenticity. Since the number changes each time, it cannot be re-used as long as all processing is authenticated. It does require a special reader that can read the magnetic fingerprint value, but these readers can be swapped in incrementally as old readers wear out. So the actual investment could be incorporated as an incremental increase (due to licensing, increased equipment complexity, etc.) of current business cost expectations.

[edit] Mobile Phones

VeriSign Identity Protection Access for Mobile Credential

There is presently only limited discussion of using wired phones for authentication; most applications focus on mobile phones instead.

A new category of T-FA tools transforms the PC user's mobile phone into a token device using SMS messaging, an interactive telephone call, or a downloadable application on a smartphone. Since the user now communicates over two channels, the mobile phone becomes a two-factor, two-channel authentication mechanism.

A recent example is Google's 2-step verification option.[8]

[edit] Vulnerability to Attacking

Any authentication process which utilizes an out-of-band method such as an e-mail link or a telephone voice or data link is inherently vulnerable to man-in-the-middle (MITM) attacks. In such an MITM attack, the fraudster is actually interacting with the legitimate website, while the victim is interacting with the fraudster's counterfeit website. A victim who is lured to the fraudulent website triggers the attack by entering the normal login credentials on the counterfeit website. The counterfeit website then transmits these stolen credentials to the legitimate website using scripts or other protocols, and the legitimate website initiates a telephone call to the victim. Believing they are communicating with the legitimate website, the victim pushes the appropriate buttons on the phone, not realizing that they have just permitted the fraudster to complete entry into the victim's account with full access.

[edit] Assignment to the bearer

One basic limitation of relying exclusively on mobile phones for authentication is that the user must have access to the mobile phone whenever he or she wishes to authenticate. The user may have registered a mobile phone number, for example, and when attempting to authenticate from home, that very same registered mobile phone has to be present. That converts the mobile phone from an office appliance into a personal appliance for use outside the premises. However, as soon as the mobile phone is lost, the bearer loses physical control over the mobile authentication factors.

[edit] SMS One Time Password

SMS one-time password uses information sent in an SMS to the user as part of the login process. One scenario is where a user registers (or updates) their contact information on a website. During this time the user is also asked to enter his or her regularly used telephone numbers (home, mobile, work, etc.). The next time the user logs in to the website, they must enter their username and password; if they enter the correct information, the user then chooses, from their previously registered phone numbers, the number at which they can be contacted immediately. The user will be called instantly or receive an SMS text message with a unique, temporary PIN code. The user then enters this code into the website to prove their identity, and if the PIN code entered is correct, the user will be granted access to their account. This process provides an extra layer of online security beyond merely a username and password. These solutions can be used with any telephone, not just mobile devices. As with any out-of-band authentication method, SMS one-time password methods are also vulnerable to man-in-the-middle attacks.
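The server side of the process described above, as an added example that is not part of the article and not any vendor's code: the code is generated randomly, only a keyed hash of it is stored, it expires after a few minutes, only a few guesses are allowed (a six-digit code has only a million possibilities), it is burned on first use, and it may only be sent to a number registered in an earlier, authenticated session. The SMS gateway is a constructed stand-in callable so the example runs offline; the `send_sms(phone, text)` interface and the pepper value are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_LENGTH = 6
CODE_TTL_SECONDS = 300      # an out-of-band code should live minutes, not hours
MAX_ATTEMPTS = 3            # stops online guessing of the 10^6 code space

# Constructed server-side key: hashing the code with a secret key means a leaked
# table of pending codes cannot be reversed by trying all million values.
SERVER_PEPPER = b"constructed-server-pepper-value"


@dataclass
class PendingCode:
    code_hash: bytes
    phone: str
    expires_at: float
    attempts: int = 0


class SmsOtpService:
    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms    # assumed gateway interface: send_sms(phone, text)
        self.clock = clock          # injectable so expiry can be tested deterministically
        self.pending = {}           # username -> PendingCode

    @staticmethod
    def _hash(code: str) -> bytes:
        return hmac.new(SERVER_PEPPER, code.encode(), hashlib.sha256).digest()

    def issue(self, username: str, registered_phones: list, chosen_phone: str) -> None:
        """Generate and send a fresh code; replaces any earlier pending code."""
        # The login page must only offer numbers registered earlier, under full
        # authentication; accepting an arbitrary number here would let whoever
        # holds the password pick their own second factor.
        if chosen_phone not in registered_phones:
            raise ValueError("phone number not registered for this account")
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self.pending[username] = PendingCode(
            self._hash(code), chosen_phone, self.clock() + CODE_TTL_SECONDS)
        self.send_sms(chosen_phone, f"Your login code is {code}")

    def verify(self, username: str, submitted: str) -> bool:
        """True exactly once, for the right code, before expiry, within the attempt budget."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        if self.clock() > entry.expires_at:
            del self.pending[username]          # expired: user must request a new code
            return False
        entry.attempts += 1
        if hmac.compare_digest(entry.code_hash, self._hash(submitted)):
            del self.pending[username]          # single use: a captured code is worthless now
            return True
        if entry.attempts >= MAX_ATTEMPTS:
            del self.pending[username]          # budget exhausted: start over
        return False
```

None of this removes the man-in-the-middle exposure the paragraph ends on: a relaying attacker who obtains the code from the user within its lifetime still has one valid use of it. What the checks above remove is everything else: guessing, reuse of an intercepted code after the fact, and indefinitely valid codes.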

[edit] Additional Phone Token

There is a newer method of using the mobile phone as the processor and having the security token reside on the mobile as a Java ME client. This method does not suffer from data latency or incur hidden costs for the end user. While such a method can simplify deployment, reduce logistical costs, and remove the need for separate hardware token devices, there are numerous trade-offs.

Users will incur fees for text/data services or cellular calling minutes. In addition, there is a variable latency involved with SMS services, especially during peak SMS usage periods like the holidays. Finally, as with telephone-based processes, these processes are also vulnerable to MITM attacks, such as a victim visiting a counterfeit website where he or she supplies login credentials. The counterfeit website would pass these to the legitimate website using scripts or other protocols. The legitimate website would then initiate an SMS text message delivery of a one-time password to the victim's mobile device, or would simply wait for the Java token value to be generated. The victim would enter the one-time password on the counterfeit website, which could then forward it to the legitimate website, where the waiting fraudster may use it to complete their access.

[edit] Mobile Signature

Mobile signatures are digital signatures created securely on the SIM card of a mobile device with the user's private key. In such a system the text to be signed is securely sent to the SIM card on the mobile phone. The SIM then displays the text to the end user, who checks it before entering a PIN code to create a signature, which is then sent back to the service provider. The signature can be verified using standard PKI systems.

Mobile Signature systems have been in use for several years, however, as with magnetic card and client digital certificate solutions, they are vulnerable to malware, are costly to deploy and support, and are strongly resisted by consumers.

[edit] Smart cards

Smart cards are about the same size as a credit card. Some vendors offer smart cards that perform both the function of a proximity card and network authentication. Users can authenticate into the building via proximity detection and then insert the card into their PC to produce network logon credentials. They can also serve as ID badges. The downside of smart cards is that they are not the smallest form factor, and the card reader is an extra expense.

In some countries, notably in Europe and Asia, banks and financial institutions have implemented Chip Authentication Program technology which pairs a banking smart card with an independent, unconnected card reader. Using the card, reader and ATM PIN as factors, a one-time password is generated that can then be used in place of passwords. The technology offers some support against transaction alteration by facilitating Transaction Data Signing, where information from the transaction is included in the calculation of the one-time password, but it does not prevent man-in-the-middle attacks or man-in-the-browser attacks because a fraudster who is in control of the user's internet or is redirecting the user to the legitimate website via a hostile proxy may alter the transaction data "in-line" before it arrives at the web-server for processing, resulting in an otherwise valid transaction signature being generated for fraudulent data.
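A toy transaction data signing scheme, added here as an illustration of the paragraph above; it is not the article's content nor the actual CAP algorithm, and the card key, counter handling and 8-digit truncation are assumptions. It shows what binding the one-time code to the transaction buys the bank: a code the user generated for one payment cannot be forwarded for an altered one, and cannot be replayed. It also shows the limit the paragraph states: if the attacker controls what the user sees and therefore what the user signs, the bank receives a valid code for the fraudulent data, and nothing in this check detects that.

```python
import hashlib
import hmac

# Constructed sample card key. On a real CAP card the key stays in the chip and
# is only used after the ATM PIN ("something you know") has been entered.
CARD_KEY = b"constructed-card-key-0001"


def canonical(amount_cents: int, recipient: str, counter: int) -> bytes:
    """Fixed-field encoding so the same transaction always signs the same way.
    The card's transaction counter is included so every code is fresh, and
    the recipient is length-prefixed so field boundaries cannot be shifted."""
    return f"{counter}|{amount_cents}|{len(recipient)}:{recipient}".encode()


def sign_transaction(key: bytes, amount_cents: int, recipient: str,
                     counter: int, digits: int = 8) -> str:
    """The code the reader displays and the user types into the banking site."""
    mac = hmac.new(key, canonical(amount_cents, recipient, counter), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % (10 ** digits)).zfill(digits)


class BankVerifier:
    """Bank-side check: recompute the code over the transaction as received."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, amount_cents: int, recipient: str, counter: int, code: str) -> bool:
        if counter <= self.last_counter:          # counter already consumed: a replay
            return False
        expected = sign_transaction(self.key, amount_cents, recipient, counter)
        if not hmac.compare_digest(expected, code):
            return False                          # data changed after it was signed
        self.last_counter = counter
        return True


def demo_in_line_alteration() -> tuple:
    """Returns (genuine_accepted, altered_accepted, replay_accepted).

    The user signs a 50.00 payment to ACME-Utilities. A hostile proxy rewrites
    the amount and recipient in flight but can only forward the code it saw."""
    bank = BankVerifier(CARD_KEY)
    counter = 1
    code = sign_transaction(CARD_KEY, 5000, "ACME-Utilities", counter)
    altered = bank.accept(999900, "mule-account", counter, code)   # rewritten in flight
    genuine = bank.accept(5000, "ACME-Utilities", counter, code)   # what the user signed
    replay = bank.accept(5000, "ACME-Utilities", counter, code)    # same code again
    return genuine, altered, replay
```

The point to take from the verifier is that the only protected input is whatever went into `canonical`: amount, recipient and counter. A banking site that lets the user sign a bare challenge number, rather than the transaction fields, gets none of the protection shown here.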

[edit] Universal Serial Bus

A USB token has a different form factor; it can't fit in a wallet, but can easily be attached to a key ring. A USB port is standard equipment on today's computers, and USB tokens generally have a much larger storage capacity for logon credentials than smart cards.

As with smart cards, magnetic card readers, and mobile signature methods, they are costly to deploy and support, are vulnerable to numerous forms of theft and fraud, and have been resisted by consumers.

[edit] Digital Certificates

Digital client certificates are a PKI solution for enabling the enhanced user identification and access controls needed to protect sensitive online information. Digital certificates can also be stored and transported on smart cards or USB tokens for use when traveling. Each certificate can only be used to authenticate one particular user, because only that user's computer has the corresponding unique private key needed to complete the authentication process. Client certificates are delivered electronically; however, deployment and support of digital certificates have proven problematic. In a 2008 study published by the Credit Union Journal, digital certificates were noted as averaging very high support costs and very low rates of user acceptance due to difficult technical implementation requirements. Some companies such as Microsoft, Multifa and TrustAlert have created commercially available technology to automatically deploy digital client certificates, overcoming the problematic deployment of certificates and the high support cost.

[edit] Other types of factors

RSA SecurID tokens.

Some manufacturers also offer a One Time Password (OTP) token. These have an LCD screen which displays a pseudo-random number consisting of 6 or more alphanumeric characters (sometimes numbers, sometimes combinations of letters and numbers, depending upon vendor and model). This pseudo-random number changes at pre-determined intervals, usually every 60 seconds, but they can also change at other time intervals or after a user event, such as the user pushing a button on the token. Tokens that change after a pre-determined time are called time-based, and tokens that require a user event are referred to as sequence-based (since the interval value is the current sequence number of the user events, i.e. 1, 2, 3, 4, etc.). When this pseudo-random number is combined with a PIN or password, the resulting passcode is considered two factors of authentication (something you know with the PIN/password, and something you have from the OTP token). There are also hybrid-tokens that provide a combination of the capabilities of smartcards, USB tokens, and OTP tokens.

Recently, it has become possible to take the electronic components associated with regular keyfob OTP tokens and embed them in a credit card form factor. However, because the card thickness (0.79 mm to 0.84 mm) prevents traditional components or batteries from being used, special polymer-based batteries must be used, which have a much lower battery life than their traditional coin-cell counterparts. In addition, extremely low-power semiconductor components must be used to conserve power during sleep and during actual use of the product. Finally, as with traditional hardware tokens, the code values displayed by the cards can be solicited by fraudsters and re-used in man-in-the-middle attacks.[citation needed]

[edit] Challenges

[edit] Regulatory Compliance

Following the U.S. Federal Financial Institutions Examination Council's (FFIEC) publication advising the use of multi-factor authentication, numerous vendors began offering authentication solutions that are not compliant with the FFIEC's definition of "true multifactor authentication". Most notable of these approaches are the challenge / response approach, often coupled with a shared secret image. Soliciting personal information in response to challenge questions simply solicits more of "something the user knows", similar to a login, a password, or a PIN. All are multiple solutions from the same authentication category.

Regulators have repeatedly cautioned against the use of approaches that operate through the solicitation of personal information. On June 17, 2005, the U.S. Federal Deposit Insurance Corporation (FDIC) published supplemental guidelines in which it strongly cautioned financial organizations against adopting authentication methods that use personal information for authentication purposes:

"Although consumers are worried about phishing and the trustworthiness of e-mail messages from their banks, they are also concerned about the security of their personal information more generally....When banks consider authentication methods for retail customers, they should be aware that these customers value security and the protection of confidential information... Consumers will require a clear explanation of any security mechanism and the use of any personal information required to implement that security mechanism....limitations on the use of personal information and the existence of privacy safeguards are important elements of consumer acceptance....Consumers are also concerned about the risk associated with large databases of personal information and the potential for the information that is used by authentication methods to be compromised, copied, or imitated. - FDIC"

The FFIEC clarified their position in their August 15, 2006 FAQ Supplement, rejecting such approaches outright:

"By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category ... would not constitute multifactor authentication. - FFIEC"

In September 2009, an Illinois district court issued a ruling allowing a couple to sue Citizens Financial Bank alleging that the bank failed to sufficiently secure their account with adequate multi-factor authentication security. (see Wired Article) The judge in the case pointed to the FFIEC's guidelines and ruled,

"In light of Citizens’ apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs’ account against fraudulent access."

[edit] Cost effectiveness

There are drawbacks to two-factor authentication that are keeping many approaches from becoming widespread. Some consumers have difficulty keeping track of a hardware token or USB plug. Many consumers do not have the technical skills needed to install a client-side software certificate.

As a result, adding a second factor to the authentication process typically leads to an increase in costs for implementation and maintenance. Most hardware token-based systems are proprietary and charge an annual fee per user in the $50–100 USD range. Deployment of hardware tokens is logistically challenging. Hardware tokens may get damaged or lost, and issuance of tokens in large industries such as banking, or even within large enterprises, needs to be managed.

In addition to deployment costs, two-factor authentication often carries significant additional support costs. A 2008 survey of over 120 U.S. credit unions by the Credit Union Journal reported on the support costs associated with two-factor authentication. In their report, software certificates and software toolbar approaches were reported to have the highest support costs. Virtual tokens and geo-locations were reported to have the lowest support costs.

[edit] Market acceptance

As a result of challenges with integration and user acceptance, true two-factor authentication is not yet widespread, although it can be found in certain sectors requiring additional security (e.g. banking, military). Faced with regulatory two-factor authentication guidelines in 2005, numerous U.S. financial institutions instead deployed additional knowledge-based authentication methods, such as shared secrets or challenge questions, only to discover later that such methods do not satisfy the regulatory definition of "true multifactor authentication". Supplemental regulatory guidelines and stricter enforcement are now beginning to force the abandonment of knowledge-based methods in favor of "true multifactor authentication".

A 2007 study published by the Credit Union Journal and co-sponsored by BearingPoint reported 94% of the authentication solutions implemented by U.S. financial institutions fail to meet the regulatory definition of true multi-factor authentication.

An increasing number of recent undesired disclosures of government-protected data or of private data is likely to contribute to new TF-A requirements, especially in the European Union.

[edit] Product proliferation

Many TF-A products require users to deploy client software to make T-FA systems work. Some vendors have created separate installation packages for network login, Web access credentials and VPN connection credentials. For such products, there may be four or five different software packages to push down to the client PC in order to make use of the token or smart card. This translates to four or five packages on which version control has to be performed, and four or five packages to check for conflicts with business applications. If access can be operated using web pages, it is possible to limit the overheads outlined above to a single application. With other TF-A solutions, such as virtual tokens and some hardware token products, no software must be installed by end users.

[edit] User password management

Users have natural problems retaining even a single authentication factor like a password. It is not uncommon for users to be expected to remember dozens of unique passwords. T-FA, where one factor is a password or PIN code, does not eliminate this problem. One possible solution is to have the second factor be a biometric or a virtual token number that the user does not need to remember, instead of something the user needs to memorize.

[edit] Interoperability of authentication mechanisms

Two-factor authentication is not standardized. There are various implementations of it. Therefore, interoperability is an issue. There exist many processes and facets to consider in choosing, developing, testing, implementing and maintaining an end-to-end secure identity management system, inclusive of all relevant authentication mechanisms and their technologies - this context is considered the "Identity Lifecycle"[9].

[edit] Password security

Another concern is the security of the T-FA tools and their systems. Several products store passwords in plain text for either the token or smart card software or its associated management server.

There is a further argument that there is nothing to stop a user (or intruder) from manually providing logon credentials that are stored on a token or smart card. For example, to show all passwords stored in Internet Explorer, all an intruder has to do is boot the Microsoft Windows OS into safe mode (with network support) and scan the hard drive (using certain freely available utilities). However, making it necessary for the physical token to be in place at all times during a session can negate this.

[edit] Software security

Another concern when deploying smart cards, USB tokens, or other T-FA systems is the security of the software loaded on to users' computers. A token may store a user's credentials securely, but the potential for breaking the system is then shifted to the software interface between the hardware token and the OS, potentially rendering the added security of the T-FA system useless.

[edit] Man-in-the-middle attacks

Traditional hardware tokens, SMS, and telephone-based methods are vulnerable to a type of attack known as the man-in-the-middle, or MITM attack (see above). In such an attack the fraudster impersonates the bank to the customer and vice versa, prompting the victim to divulge to them the value generated by their token. This means they do not need to be in physical possession of the hardware token or telephone device to compromise the victim's account, but only have to pass the disclosed value on to the genuine website within the time limit. Citibank made headline news in 2006 when its hardware token-equipped business customers were targeted by just such an attack from fraudsters based in the Ukraine. Such an attack may be used to gain information about the victim’s accounts, or to get them to authorise a transfer of a different sum to a different recipient than intended.

[edit] Market segments

Market segments in regards to two-factor authentication are:

[edit] Related technologies

Two-factor authentication solutions sometimes include technologies to generate one-time passwords; a few solutions also include single sign-on (SSO) technology.

[edit] References

  1. "Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment", August 15, 2006
  2. US Security Directive as issued on August 12, 2007
  3. Bruce Schneier, "The Failure of Two-Factor Authentication", March 2005
  4. Wireless Two-Factor Authentication
  5. Espacenet patent search: "Embedded synchronous random disposable code identification method and system", September 7, 2000
  6. PINsafe review by PCPro
  7. Combining masking with tokenised mobile phones
  8. Google, "2-step verification", http://www.google.com/support/accounts/bin/topic.py?hl=en&topic=28786, retrieved 3 June 2011
  9. Brent Williams, "The Identity Lifecycle, Part 1", 2010
