How Much Authentication Is Right For You?

• By Chris Harget
• Jan 10, 2011

For years, organizations have relied primarily on username and password mechanisms to control access to data, networks, and applications. Recent studies suggest this approach is no longer tenable. 

The Verizon Business 2010 Data Breach Investigations Report found almost 50 percent of network breeches exploited stolen or weak credentials. A Price Waterhouse Coopers study showed 92 percent of firms surveyed had experienced a malicious security breech in 2009, with the average cost for large firms ranging from $440,000 to more than $1 million.

Business 2.0 is good for hackers, too it seems. While a spectrum of increasingly stronger authentication methods are available, each with attendant tradeoffs of security, cost and complexity, many organizations have struggled to find the right solution for their needs. In this article, we will review the state of the art, and attempt to illuminate where the most likely spots are for getting the most risk mitigation value.

Admit it. You feel like your organization could be more secure. You’ve covered the basics with a firewall, desktop AV, spam filter, VPN and some kind of password policy, but you sense that’s not enough.

You know key stroke loggers can be inserted by zero-day attacks and steal passwords. You know website downloads, email attachments, smart phones, thumb drives, nosy coworkers, insecure public WLANs and such are just a few of the ways that passwords can be compromised.  Your organization depends on your network’s dependability and security to keep things running, protect corporate and customer data, and the brand. Unfortunately, your organization also has tight budgets and your team has limited cycles, so your choices are not exactly unlimited. What to do?

The best you can, basically. Let’s examine a continuum of secure authentication choices to see if any can be found that offer a natural sweet spot on the risk-mitigation-bang-for-the-buck meter.

First, let’s define terms. In general, our continuum measures “identity assurance.”  This is the likelihood that the authenticating party is who they say they are. It is not an absolute term, but rather a rough gauge of increasing probability. Given cost and cumbersomeness considerations, most organizations will choose some point along the continuum to meet their individualized needs based on compliance, brand risk, competitive environment, diversity of network user types and such.

Secondly, let’s also assume that an organization may need differing levels of identity assurance for different user populations. Partners who log on to your network to get technical information may not need much identity assurance at all.

Conversely, partners who access your supply chain management system probably need to be strongly authenticated. VIP employees (e.g., Finance, HR, IT) whose credentials offer “keys to the kingdom” should require or justify very strong authentication and extra measures. Consequently, many organizations will seek an identity assurance approach that allows them to segment their user communities according to needs and cost considerations.

The Identity Assurance Continuum
So, let’s take a look at this continuum. It used to be static passwords were the “norm.” Then, when dictionary attacks showed many users had opted for weak or easily-guessed passwords, password policy evolved to require longer, stronger passwords, not found in common password dictionaries, and changed regularly. This helped. Then, as users began to have to track dozens of credentials for professional and personal accounts, password reuse became an issue. In essence, if you used the same password for the corporate network, eTrade and Facebook, and Facebook was hacked…the other accounts could be compromised as well.

One of the responses to this is to track unique hardware or behavior of the end user, and to check at the instantiation of a session to confirm those known hardware or behavioral traits are again present. These techniques are software-based, and therefore relatively affordable. This may be done by using device ID (MAC numbers, hard drive serial numbers and such).

This may track geolocation traits (are you logging in from Poughkeepsie again, or suddenly from Nigeria). This may track the millisecond timing rhythm of how you input your password, almost like handwriting analysis. Notice none of these are foolproof. Legitimate users sometimes change hardware or login from a different machine. Legitimate users sometimes travel. Legitimate users sometimes login one-handed while eating a sandwich. Consequently, most device ID or behavior tracking identity assurance has to have a back up method to increase identity assurance when they can’t confirm the user.

Knowledge-based identity assurance seeks to get the user to type or click something other than a password to reduce the odds of fraud. It may be the proverbial mother’s maiden name, or “What was the name of your first pet?” It may be presenting a set of GIFs and requiring the user to select the particular GIF they previously associated with their credential. These systems tend to be used by online merchants and banks because they require no hardware costs, and in theory users are less likely to forget personalized details.

However, users do forget, bad guys do find the answers to mother’s maiden name, and tech support often gets called up anyway. These systems are less appropriate for frequently accessed accounts because each access increases the chances that the information can be captured just as a password can be logged, learned or guessed. Also they lengthen the login process.

For robust, frequent authentication, one-time password (OTP) tokens are popular. There are several subcategories with their own tradeoffs. All of them require a prompt from the user, and generate a PIN code which is valid for a limited time. Some require the user to press a button. Others require the user to first input a PIN. Some are software-based, thus less costly and easier to distribute, residing on a device the user already owns, but also slightly more vulnerable to compromise. Most OTP tokens are hardware based. Their most common usage today is with VPN authentication.

While it is more difficult to steal an OTP token than just a password, it can and has been done. Rarely are OTP tokens used to authenticate onto Windows itself, or onto networks from inside the building. Once the session is initiated, OTP tokens do not provide additional authentication for transactions within the session, and some experts are concerned about malware and man-in-the-middle attacks possibly exploiting them.

While studies such as the 2010 Verizon Business Data Breech Investigation Report indicate that man-in-the-middle attacks are comparatively rare, they do seem to be increasing, as are spear phishing and other highly targeted threats that might compromise transactions within a session.

Out of band authentication uses a second challenge-response channel, typically an SMS-enabled smart phone, to send the user a temporary PIN to access the network. It can be used for primary authentication but is mostly used only as a backup method. It’s primary security advantage is that it is insular from the laptop, thus providing additional transactional defense when the laptop is compromised.

To authenticate into Windows and transactions within sessions, smart cards have been the gold standard for years. Smart cards (or smart USB keys) embed a tamper proof chip that holds a digital certificate and private key, which are used for authentication during the windows login process, and are almost impossible to hack.

The user inputs a PIN to trigger the process.. Smart cards can also use these keys to digitally sign transactions such as email, and to encrypt emails or contents of hard drives. This is literally military-strength security, but it has gotten much easier to own recently. It tends to cost more per-user to set up and manage without good management tools.

That’s a basic smart card. Smart cards can be packed with more techniques to heighten assurance. Smart cards can generate  OTP. Smart cards can contain an encrypted photo of the card holder, which appears when the card is presented at a checkpoint. Smart cards can contain biometric data such as fingerprint or retina scans, and applets that interface with biometric readers at the device or door at which the user is authenticating. Combined with SSO, smartcards can be used to protect access to enterprise applications.

How Secure? How Costly? How Easy?
As you can see there are many variations on the chestnut of authenticating by using, “…something you have, something you know, and something you are.” How do they stack up against each other? Let’s compare them using three main criteria: How secure? How costly? How easy? Since the ideal solution would be absolutely secure, free, transparent to users and trivial for IT, we’ll award 1 to 5 points on a relative scale for each of these subcriteria with 5 being best in each category.
 
Our continuum is designed to go from low identity assurance to high. In general lower security is less costly and less complex, but where are the natural sweet spots where security goes up faster than cost or complexity?

Since keystroke loggers can steal any typed password, the first meaningful step up in identity assurance comes when you employ device ID. For consumer applications this is a pretty good step, because it mostly limits risk to people with physical access to your machine, or the ability to remotely control your machine. 

It is relatively low cost and complexity, hence its use by some online banking sites. For Enterprises, it doesn’t do enough to reduce risk from inside threats. It may not meet compliance for PCI-DSS. Device ID scores Security 2, Cost 4 and Ease 4.

The next significant leap in security comes with OTP soft tokens. These couple some device ID to bind the token to a particular machine, but have the advantages of generating an OTP for authentication into VPN and such. These completely invalidate keystroke loggers and inhibit some forms of invasive malware.

Since they are downloaded by end users and self installed to laptops or smart phones (or web browsers for an employee’s home PC), they do not change costs much compared to simple device ID, behavior tracking or geolocation. They are however tied to the machine so if the machine is lost, the soft token goes with it. OTP Soft Tokens score Security 3, Cost 4 and Ease 3.

The next quantum leap up is for hardware OTP tokens. While these cost enterprises more to procure and disseminate, they provide a greater amount of flexibility (one token can facilitate login from multiple machines) and it is less likely both a laptop and OTP token will be lost or stolen at the same time. 

Smartphones can now double as an OTP token,  for one less device to carry. For corporate VPNs, OTP tokens have been the security sweet spot for some time. They are good as far as they go, although some users complain about having to re-authenticate in the middle of sessions from time to time, that is usually because of the VPN software itself. OATH-based open standard tokens have brought the price down, and batteries should last 5-8 years depending on treatment. OTP Hardware Tokens score Security 4, Cost 3 and Ease 3.

The next big step up is to smart cards or smart USB keys. These offer the closest thing to certainty in identity assurance, and when coupled with Enterprise Single Sign-On, can make hundreds of applications as easier, faster and more secure to authenticate into. In fact, entering a smart card PIN is faster than username and password, and generally creates fewer help desk tickets. They do require either a built-in card reader, an external reader, or the use of a USB smart key.

For organizations of medium to large size, they also require a credential management system (CMS) on the back end to automate the creation, updating and revoking of smart card credentials.  Fortunately, there are now CMS appliances that make deployment much faster, easier, and more affordable, so smart cards are heading in a favorable direction and expanding a new sweet spot. Smart Cards (with appliance) score Security 5, Cost 3 and Ease 4.

Few organizations go all the way to biometrics because of the considerable cost and difficulty of set up, and past reliability issues. People with brown eyes can be difficult to retina scan. People over 40 sometimes have worn down fingerprints which do not read well. Biometrics score Security 5, Cost 2 and Ease 2.

Identity Assurance Sweet Spots
Users for whom remote strong authentication is necessary, but where access to machines and budgets are limited may find OTP Soft Tokens provide a reasonable balance of cost, security and convenience.

Users for whom local and remote strong authentication are necessary may find smart cards or smart USB tokens provide excellent security, better ease of use, and improving cost per user with CMS appliance options. SSO also has positive synergies with smart cards.

Hopefully the above review helps you see that you have choices, and can mix and match some approaches to meet the needs of your specific user populations. Most IT managers have to rank whether security, cost, or ease of ownership is most important, and that will inform where you investigate in depth. Best of luck.