One Size Fits All

• By Thomas Varghese
• Nov 18, 2008

Most people already know what ‘authentication’ is and how closely it is tied to accessing resources on the network. After some form of authentication, users typically either access resources directly or via technologies like SSO (Single Sign-On), which are then relied upon by the IT and security management as a central management console for controlling and managing access to resources across the enterprise. Unfortunately, most of us, including certified security professionals, assume that these technologies are enough to thwart fraudulent attempts to steal sensitive information.

To make this clearer, I am going to start by rearticulating the basics so that we can clearly understand where the weaknesses in the current infrastructure, processes and assumptions go awry when it comes to security.

What is authentication?
Authentication is the process of determining if a user or identity is who they claim to be. Authentication is accomplished using something the user knows (e.g. password), something the user has (e.g. security token) or some part of the user (e.g. biometric).

The authentication process is based on a measure of risk. High risk systems, applications and information require different forms of authentication that more accurately confirm the user's digital identity as being who they claim to be than would a low risk application, where the confirmation of the digital identity is not as important from a risk perspective. This former process is commonly referred to as "stronger authentication." Stronger authentication certainly means higher trust of an authentication process with regard to an identity.

So what is an Identity?
Every individual has a unique identity in the real world, but in the digital world (the Internet or intranet), where we spend most of our time socially or otherwise, our digital identities cannot be guaranteed to be unique and are prone to misuse and theft. This is because we use and rely on technology that was designed and fostered for computation (computers) and communication (networks) but unfortunately is abound with security problems, since security was always an after-thought. Traditional stronger authentication methods include digital certificates, security tokens and biometrics, but unfortunately all of these types of solutions have been compromised of late.

Security-token authentication technologies are used to authenticate an identity (something that you have) during the login process, or if required by a single-sign-on system for a higher risk application, this identity can be further verified by entering numbers that appear on the token screen along with the user’s unique ID. Since the numbers change randomly to the user viewing the screen (but is understood by the central authentication server), there is a higher degree of trust associated with this form of authentication, but simple social engineering attacks like Phishing/Pharming can easily circumvent this authentication process and inject fraudulent transactions without the knowledge of the end user. Often, many enterprises use combinations of these security tokens in addition to passwords, to place a higher degree of trust for higher risk applications or information access.

On the other hand, using Public key infrastructure (PKI) authentication is yet another way of performing identity authentication. An identity is given a digital certificate by a Certificate Authority (CA). This is then presented during the authentication process to verify an identity is who they say they are. The level of authentication trust varies for digital certificates depending on the level of identity verification done during the identity registration process, as well as the digital certificate revocation process. Unfortunately, these digital certificates were designed to be used for encryption and not as an authentication tool, as these can easily be stolen from host machines or spoofed.

Smart cards are used as another form of an authentication token (something you have). Often they contain a digital certificate as well as additional identity attribute information. Smart card authentication is becoming wide spread but has the same weakness as tokens when it comes to compromising the PIN used to unlock the smartcard. These same smart cards that are used in an authentication process are now commonly used for access control mechanisms to enter physical facilities, buildings, floors and rooms.

On top of these security concerns, the operating costs for tokens, smart cards and biometrics are much higher since they must be physically issued, replaced and recovered.

In spite of the various options available for authentication, with its associated pros and cons, there is no authentication scheme which can claim to be 100-percent secure and this gets worse when our infrastructure and sensitive business applications simply rely on this Boolean process. This unfortunate assumption is why identity theft has become a silent crime that most people don't realize they are victims of until they apply for a loan or open a bank account. With mounting levels of identity fraud and authentication technologies not being able to overcome this, online organizations are faced with the challenge of how to improve protection of their end customers’ identities. This does not just come from the direct impact of fraud losses but, even more importantly, from the impact to consumer confidence. With phishing attacks appearing in the consumer’s inbox every day and new incidents of Man-in-the-Middle attacks, customers are increasingly wary of the safety of their identities while online, irrespective of the kind of identity verification solutions in place, including just passwords or tokens. The result has been a slowdown in the adoption of online products and services, and most recently, even banks have been forced to shut down some of their online ACH operations -- a real loss to organizations, given the expense of traditional delivery channels, and moreover, the direct pressure of the real bottom line due to the current downtrend in financial markets.

Addressing these challenges has represented an ambitious undertaking for online organizations given the conventional options available to improve identity security. Traditional methods like tokens and smart cards are expensive and significantly impact the user experience. Couple this with the known security weaknesses of these methods and we often end up making the cure worse than the disease. These challenges are clearly visible due to the low rate of implementation of such solutions.

So is there a cost effective way to authenticate consumers without the need to burden the end users with physical gadgets? Is there a solution that can address security and usability at the same time?

Fortunately there has been substantial innovation recently in how customer authentication can be improved without the cost and usability impacts of traditional methods. These solutions were designed in the form of real-time proactive fraud prevention platforms (unlike the traditional detection solutions) with open standards-based multi-factor authentication security. These solutions are designed to enhance and secure traditional authentication schemes, thereby plugging the weakness associated with them. Ultimately deployed together, organizations can start with one or the other, depending on their specific requirements, and move to the complete solution over time.

Real-time fraud prevention represents an attractive approach as it can be used to detect identity attacks proactively in real time and stop suspect transactions. This approach does not require any change to the user experience -- eliminating much of the work to roll out a solution. This means a fraud prevention solution can be put in production and be used almost instantly to reduce fraud by detecting anomalous activities. The solution can be deployed within the customer’s existing enterprise environment, including identity and access management infrastructures or by layering it as a proxy in front of their existing business applications to monitor all online transactions without impacting the business application. The proxy-based integration approach monitors online traffic and extracts each user action allowing for a complete picture of the online session. By monitoring all traffic, rather than substantial modification of business applications, production deployments can be done in weeks, not months.

These platforms are developed using open standards, so fraud prevention rules can be quickly updated, and all transaction info necessary to detect new patterns is available instantly.

For some organizations, it may be more attractive to provide a confidence factor to their end users with secure mutual authentication, as it provides more visible protection that may be desirable from a marketing perspective. Such mutual authentication systems sometimes take the form of requiring end users to pick a personally recognizable image during the account registration process, so users will only enter their credentials on future visits to the website if they see their previously selected image. In pursuing this path, it is important that any technology be open and support a spectrum of authentication methods. From transparent techniques such as machine fingerprinting, to the variety of interactive approaches such as one-time-password tokens, authentication requirements will change over time and be varied for different user groups and applications. For example, in large retail environments customers may answer preselected questions when logging in from a risky profile location (example: anonymyzing networks, airport kiosks or strange and foreign geographies), ensuring that this challenge / response process also does not succumb to the phishing / pharming / Trojan-based attacks, while a corporate customer may perform authentication during sensitive document access with a one-time-password token. At the start of an online session, transparent recognition of the end user’s geography and desktop can provide an initial authentication. When the user’s online behavior suggests the potential of fraud, a more interactive authentication can be triggered.

If the solution does not support a spectrum of authentication methods in a single platform, nor is it able to influence session management with their user based on a centralized policy, then the platform is no longer flexible and open to support various end-user business and security needs. In such cases, organizations will end up deploying a variety of different silo technologies that will make it expensive to integrate, operate and maintain. Regardless of where organizations start, multifactor mutual authentication security or real-time fraud prevention will be deployed together or over time as a single strategic solution to protect customer identities. Proactive real-time fraud prevention and detection will be used to determine risk levels from assessing the probability of fraud and drive user authentication from the open multifactor authentication platform. When derived risk levels reach certain thresholds, users can be prompted for additional authentication from an open-authentication platform.

With the need to move quickly to restore customer confidence, it becomes important to seek out solution providers that provide complete capabilities. Organizations need to look for a strategic consumer-authentication platform that combines real-time, proactive fraud prevention with multifactor authentication security, architected and developed from the ground up to be able to prevent fraud, rather than point solutions, or solutions with integration challenges due to acquisition of disparate technologies, to provide this platform. By working with providers that have deployed these capabilities in live production environments, organizations can successfully deploy confidence in the near term while ensuring, in the long run, the security of customers’ identities and their confidence in the online channel.

This article originally appeared in the issue of .