By: Raj Gopalakrishna, Vice President, Arcot Systems.
Access to sensitive information in an enterprise must be restricted, and that is only possible if strong authentication is in place. Multi-factor authentication is already used in business to strengthen the protection of critical information. This article discusses the challenges facing authentication solutions and the different technologies available.
The Internet and the Web have changed everything. People can now do many things on the Web, including checking their bank balances, buying items online and paying their utility bills.
A customer need not be in the same city to shop, and store hours are no longer a constraint. While this is unprecedented convenience for consumers, it is also good news for the fraudsters and hackers of the world.
The fraudster is no longer forced to choose victims one at a time; instead, bait such as a phishing email can be thrown at millions of customers at once. The fraudster need not be in the same city to steal a User's credentials. Organized online crime is here, and therefore time and money are no longer constraints for the fraudster.
Purpose of Authentication
Authentication means reliably identifying the parties involved in an online transaction, such as the Consumer and the online Bank. Users need to be reliably authenticated before they get access to protected assets. In the early days of the Internet, a shared secret such as a static password was sufficient to identify the customer.
Similarly, the padlock icon in the browser status bar and the brand logo on the web page were sufficient to tell the customer that the interaction with a website was secure. While passwords are convenient to use, they have proven insecure; even Sarah Palin's email account was recently broken into. Authentication of Users and of websites might sound simple, but it is a challenge.
The Authentication Challenge
Any technology that replaces the password on the Web needs a good balance of security, cost and convenience. Here are some constraints that any popular authentication technology needs to meet:
- User Convenience is everything: Internet and Web are all about User convenience and strong authentication cannot kill this convenience in the name of security. Asking Consumers to carry new hardware gadgets will kill the User convenience. If the authentication process is too painful then Users may stop using the Web.
- Provide a cost effective solution: While some Users may be willing to pay extra for security, most Users will not pay for something they expect as part of the online service.
- Avoid training millions of Users: The simplicity of passwords is why they are so popular. Users on the Web have different backgrounds and ages, including kids, grandparents, IT professionals and doctors. Millions of Internet Users cannot be trained to look inside SSL certificates, interpret color coding or watch toolbars. Any approach that relies on browser warnings is bound to fail, as the fraudster can often mimic those chrome changes. Web users cannot be trained to detect the absence of something like an image or to interpret warnings. In other words, the security should be under the covers and hence transparent to the User.
- Avoid social behavioral changes: It is very hard to force social behavioral changes like carrying additional handheld gadgets like tokens, bingo cards and smartcards.
- Need self-provisioning of new credentials: It is very hard, expensive and an administrative nightmare to provision new credentials, especially if they take the form of hardware gadgets. Self-provisioned software credentials are easier.
- Need to scale: While almost any authentication technology may work in small settings, few technologies in the market can scale to millions of Users on the Web.
- Need good distribution and support of desktop software: Distribution and support of desktop or mobile phone software is hard given the variety of client platforms (OS, hardware, Browsers, bandwidth) on the Web. In order to avoid a huge increase in helpdesk calls there is a need for a proven distribution mechanism. Equally important is a proven patching mechanism.
Hence the challenge is to find a new authentication technology that is a "better password": cost effective, transparent to the Users and secure. Most importantly, the new solution needs to address the emerging online threats.
The Threat landscape
The threat landscape has completely changed over the last few years. Any of the following threats can capture the User credential:
- Phishing is now an everyday event.
- Phishing 2.0 (aka MITM) is the natural evolution of the Phishing 1.0 threat: the phishing site relays the User's credentials, including any one-time code, to the genuine site in real time. These attacks make the detection of a Man-In-The-Middle phishing site harder, and most authentication technologies cannot stop or detect this threat.
- A keylogger is a popular form of malware that captures every User keystroke, including the password.
- Mouse-click loggers capture mouse clicks, even on virtual keyboards. Companies like Arcot offer patented technology to counter such threats.
- Man-in-the-Browser (MITB) is another emerging threat wherein both the customer and the website cannot detect tampering of transaction (e.g.: wire transfer) details.
- Pharming is a lethal variation of the phishing attack. The User cannot detect a fake website being displayed within the browser despite providing the correct URL.
- Malware: Sophisticated malware generation tools have the potential to make anyone a hacker.
State-of-the-art Authentication technologies
Here is a quick survey of the authentication technologies used on the Web:
- Static Passwords are dead: Websites that continue to rely on long static passwords, multiple static passwords or forced frequent password changes are rearranging the chairs on the sinking Titanic. Risk based authentication (evaluating signals such as device and behaviour at login) is complementary to password authentication rather than a replacement for it; it works under the covers and hence is convenient for the Users.
- Dynamic Passwords (aka One Time Passwords or OTP Tokens) are a band-aid: While OTPs are better than static passwords, they do not protect against the latest threats like MITM and MITB, because a code captured by a phishing site can be relayed to the genuine site within its validity window. Secondary channel based OTP solutions (e.g. SMS) are unpopular because:
- The User may be traveling or roaming, and hence unreachable, when s/he is trying to use an online service.
- Maintaining up-to-date User contact information is hard.
- SMS is neither a secure platform nor able to display rich content such as transaction details.
Hardware based solutions kill User convenience. Imagine an online wire transfer suddenly requiring you to have a gadget in your pocket, or a phone with roaming, in order to complete it. Finally, hardware devices are not cheap, while software OTP generators are not secure.
- PKI (aka Certificate based authentication) is secure: Public Key Infrastructure (PKI) has been around for decades and is accepted as secure; even HTTPS (SSL) is built on it. PKI was designed to stop MITM, besides providing mutual authentication: the private key never leaves the User's device, so there is no reusable secret for a phishing site to capture, and the response is bound to the site the client is actually talking to. PKI is typically implemented using smartcards. This technology has gained some traction in European countries, but smartcards are expensive and inconvenient for the Users, and the lack of card readers is another challenge. Innovative security vendors like Arcot have breakthrough technology that avoids the need for costly hardware while retaining the strength of PKI. Using software smartcards makes the technology more convenient and cost effective. Moreover, they can stop current threats like MITM and, provided the transaction details themselves are signed, MITB.
- Biometric Authentication is expensive: This authentication technology is relatively secure, but it is typically deployed to control physical access to an area, largely because biometric readers are not widely available. Imagine every computer having a fingerprint reader; that is a long way off. Biometric systems are relatively expensive.
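The following is an added worked example, not code from the article or from Arcot, that makes concrete the two claims above: an OTP token does not stop a Phishing 2.0 (MITM relay) attack, while a response bound to the origin the client is connected to does. The HOTP function implements RFC 4226 so its output can be checked against the RFC test vectors. The origin-bound response uses a keyed HMAC as a stand-in for a certificate-based signature so the example runs with the Python standard library only; the origins, seed and key are constructed values.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed example values (not from the article). The seed is the RFC 4226
# test-vector secret so the HOTP output can be checked against the RFC.
OTP_SEED = b"12345678901234567890"
BOUND_KEY = b"constructed-device-key-for-demo"
BANK_ORIGIN = "https://login.bank.example"     # hypothetical genuine site
PHISH_ORIGIN = "https://login-bank.example"    # hypothetical look-alike site


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def otp_relay_accepted() -> bool:
    """Phishing 2.0 against an OTP token.

    The user types the current OTP into the phishing page; the phisher
    forwards it to the real site inside the validity window. Nothing in the
    code ties it to the site the user was actually talking to, so the real
    site accepts it.
    """
    bank_counter = 0                               # value the real site expects next
    typed_by_user = hotp(OTP_SEED, bank_counter)   # entered on the phishing page
    relayed_by_phisher = typed_by_user             # forwarded unchanged
    return hmac.compare_digest(relayed_by_phisher, hotp(OTP_SEED, bank_counter))


def bound_response(key: bytes, nonce: bytes, origin: str) -> str:
    """Client-side response bound to the origin the client is connected to.

    A keyed HMAC stands in for a certificate-based signature here (symmetric
    simplification so the example runs with the standard library only); the
    property being shown is the origin binding, not the key type.
    """
    return hmac.new(key, nonce + origin.encode(), hashlib.sha256).hexdigest()


def bank_accepts_bound(key: bytes, nonce: bytes, response: str) -> bool:
    """The real site only ever verifies against its own origin."""
    expected = bound_response(key, nonce, BANK_ORIGIN)
    return hmac.compare_digest(expected, response)


def bound_relay_accepted(connected_origin: str) -> bool:
    """Same relay, but the response covers the origin the browser sees.

    When the browser is connected to the phishing site, the response covers
    PHISH_ORIGIN; the real site computes its expectation over BANK_ORIGIN, so
    the relayed value is rejected.
    """
    nonce = secrets.token_bytes(16)            # challenge issued by the real site
    response = bound_response(BOUND_KEY, nonce, connected_origin)
    return bank_accepts_bound(BOUND_KEY, nonce, response)


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(OTP_SEED, 0))    # 755224 per RFC 4226
    print("OTP relayed by phisher accepted:", otp_relay_accepted())
    print("Bound response from real site accepted:", bound_relay_accepted(BANK_ORIGIN))
    print("Bound response relayed from phishing site accepted:",
          bound_relay_accepted(PHISH_ORIGIN))
```

The same binding idea extends to the MITB case: if the client also covers the transaction details (amount, destination account) in what it signs, a malware-altered transaction no longer verifies at the site, which is why the text's "software smartcard" approach only addresses MITB when the transaction itself is signed, not just the login.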
Summary
Organizations have recognized the limits of passwords as User authentication mechanisms and are moving to strong multi-factor alternatives. Security is not just a product but a mindset. Given that this is going to be a cat and mouse game, there is a need to continuously innovate and evolve the defenses. To meet this reality, some security vendors are now offering dedicated Online Authentication Services in a SaaS model.
Some websites use a simple password for the login page at the portal and another password for each transaction. This is a flawed strategy. Why let the bad guy in and then try to secure every room? Using multiple passwords adds questionable security value while being inconvenient for the consumer. Secondly, it is easy to miss locking some doors when new rooms are being added all the time. It is better to lock up front with a good, secure lock.
A Versatile Authentication Service (VAS) is gaining traction in large enterprises, as the reality points to the coexistence of several authentication technologies. There is a need for a strong authentication technology which is secure, convenient and cost effective; most authentication products on the market fail to meet one or more of these criteria.
The good news is that many innovative companies are actively working on this authentication challenge, and it is only a matter of time before the online world stops using the password as its de facto authentication technology.