Do factors really factor anymore?

Posted by:

admin 12 years, 2 months ago

In the old days, two-factor authentication was quite simple. It was defined as using more than one of 1. Something you know; 2. Something you have or 3. Something you are. This definition seemed to work well for us for some time. Now, however, it is seriously fraying. Why? Consider this:

• What if the "what you have" uses a shared secret that is in more than two places? The RSA breach demonstrated this weakness.
• Biometrics are digitized and sent over the network. What happens when they are compromised? Are other biometrics required?
• Long considered the Gold standard of two-factor authentication, smart cards are now being actively targeted by malware

In addition, today there are many new types of authentication. At WiKID, we use asymmetric encryption and rely on communication with a server behind the corporate firewall. There are a number of new two-factor players that offer authentication as a service. Then there are companies using SMS as method to deliver one-time passcodes to a cell phone. The list goes on...

So how are prospective purchasers supposed to evaluate different two-factor authentication systems today? I have been chewing on this for a long time. We've always thought that two-factor authentication has been too expensive and that if the costs were reduced and ease-of-use increased, the market would expand - reducing password use and making the world more secure. Eve Mahler's post on BYOT and Gal Shpantzer's tweet about "1.5 factor authentication" sent me blogging. Perhaps it is time to move beyond counting factors when considering two-factor authentication? What should augment it?

Here is my list:

• Convenience - How usable is the system for end-users and administrators. Yes, I put this one first.
• Control - How much control do you maintain and how much do you give up? This goes for shared secret systems as well as authentication as a service. If you give up that control, is your security increased? (I think this is often the case, btw.)
• Collateral damage - If you go with an outside service, chances are they a bigger target than you. If an attacker breaches them, thssey may target you opportunistically. The same now can be said for anyone using the same smart card system as the DoD. The effort that went into attacking it will surely be reused to attack other smart-card deployments.
• Incentives - The numerous breaches at Certificate Authorities demonstrate that we ignore incentives at our own peril. I have often pointed out that the wireless carriers are dis-incented to secure SMS. If the CAs are in the security business and have shown a lack of, shall we say, focus, how will the wireless carriers do? If possible, you should tie your
• Extensibility - WiKID offers mutual https authentication with our PC tokens, thwarting network-based MiTM attacks. I expect many two-factor authentication providers will be talking about additional features and solutions.

What have I missed?

It should be clear to buyers that there is a difference between a shared-secret system and a public key system that generates keys on the device.  Just as it should be clear that a system like SMS that uses no encryption and passes through a number of systems and servers out of your control is different.  All three are better than static passwords, but which one is right for your organization?

• Tags:
• Information Security,
• Mutual Authentication,
• Phishing and Fraud,
• Two Factor Authentication,
• WiKID

• ← Single-site browser
• Authentication isn't strong without encryption →