Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Two-Factor Authentication and Swivel Secure Platform
Two-Factor Authentication and Swivel
Abstract
This document looks at why the username and password are no
longer sufficient for authentication and how the Swivel Secure
authentication platform can provide a strong, cost-effective
authentication solution that is easy to use and to manage.
2012
Contents
Introduction
Single-Factor Authentication
Threats against Usernames and Passwords
Malware Attack
Guess the Password
Steal the Password
Shoulder Surfing
Phishing
Dual-Factor Authentication
Attacks against Dual-Factor Authentication
Steal the Token
Phishing
Dual-Factor Authentication and Swivel
Tokenless
One-Time Code Extraction
Attacks against Swivel
Stealing the Token
Phishing
Conclusion
Introduction
The increasing use of remote access and web-based commerce has
increased the need for convenient, cost-effective, yet strong authentication
models. Relying on a single factor of authentication, i.e. username and
password, is no longer appropriate for many applications.
This has led to the increasing use of multi-factor authentication; whereby
authentication requires the user to know something (e.g. a password) and
possess something (e.g. some form of authentication token).
Swivel’s approach to two-factor authentication has the advantage that the
user does not need a dedicated authentication token. Add to this PINsafe,
our patented one-time code extraction protocol, Swivel can provide a
strong, cost-effective authentication solution that is easy to use and to
manage.
Single-Factor Authentication
When a user authenticates they need to present credentials to the
authentication server. A credential may be based on:
Something they know, e.g. a password
Something they have, e.g. a security string provided by a token
Something they are, e.g. a finger print or retina scan.
Each one of these is a factor of authentication.
In the early days of authentication (and in many systems still today)
authentication is based upon just a single factor of authentication,
specifically a combination of a username and a password (UNP). There is an
increasing awareness that this is not sufficient for many systems. This
realisation is showing itself not only in the increasing number of
organizations that are moving to multi-factor authentication but also in
more regulations and legislation that are mandating multi-factor
authentication.
There are three driving forces behind this. Firstly the increasing value of
the systems being protected by authentication systems, secondly the
increasing availability and variety of tools that can be used effectively
against simple UNP authentication, and thirdly the increase in cybercrime.
Threats against Usernames and Passwords
One of the weaknesses of UNP is the fact that the password is static; i.e. it
does not change from one authentication attempt to the next.
Administrators may insist that passwords are changed every 3 months, or
even every month, however that still gives an attacker a significant amount
of time to aim at a stationary target.
Another issue with passwords is that users and helpdesk administrators
want them to be easy to remember but IT managers and security managers
want them to be difficult to guess. These requirements tend to work
against one another. It is much easier to remember words than it is a series
of random characters, but it is much easier to guess a word than a series of
random characters.
In order to help themselves remember more complex passwords, users are
more inclined to re-use the same password across different applications
and interfaces.
One final weakness of UNP as an authentication model stems from the fact
that username and passwords have been around for so long. This means
there are many software-based attacks out there that are, thanks to the
internet, widely available.
So what are the threats against username and password? The following list
is not meant to be exhaustive; it focuses on technical attacks against the
client rather than attacks against the server or social-engineering attacks
such as con-tricks, blackmail etc.
Malware Attack
The attacker deploys malicious code on the target’s computer, for example
a key logger that records the user’s keystrokes. By examining the recorded
keys the password can be determined: search the log for a username and
the password is likely to follow. Some software attacks are more
sophisticated and look for specific actions before starting to log, e.g.
accessing a banking URL. The static nature of passwords means that this
form of attack can be very effective.
Guess the Password
There are a range of guessing attacks against passwords which are based
on how much or how little information the attacker has about the target.
On one extreme there is a brute force attack whereby an attacker just
guesses different possibilities until they succeed; not very effective but can
be used if the attacker can gain access to the file of encrypted passwords.
Slightly more targeted is a dictionary attack, where rather than just guess
random values, the attacker restricts the attack to words or phrases that
are likely, as most people choose passwords that are words. Finally, if the
attacker knows personal information about the target, they may try their
favourite sports teams or their children’s names as password. The need to
make passwords memorable makes this kind of attack an option.
Steal the Password
One way of satisfying the IT security manager’s insistence on a complicated
password is to write it down somewhere; in an envelope in the desk drawer
etc. Although this form of attack requires physical access, it is surprisingly
common practice for people to write passwords down unencrypted.
Shoulder Surfing
To find out what someone’s password is you just watch them type it in.
Another attack that requires physical access, but as passwords are static,
you have plenty of attempts at watching the user type in their password to
manage to discern the whole thing. This form of attack has become more
recognised since the use of Chip and PIN technology with people being
asked to hide their fingers as they type in their PIN.
Phishing
It is particularly difficult to defend against phishing attacks, partly because
it is so easy to mount such an attack. You can get all the corporate imagery
you need from the real website to build a mocked-up site then you can
mass email a mock email to any valid email address. The user goes to the
mock site and enters their username and password. The attacker then has
the password that they need and they can do what they will with it.
Dual-Factor Authentication
Adding another factor of authentication adds another task for the attacker
to complete before their attack is successful. The basic model is that the
token provides the user with a one-time code that they must enter in order
to authenticate; the security string is dynamic in that it is different for each
authentication. We can see that there are many and varied ways of gaining
one factor, the password, but having succeeded in that what does an
attacker need to do in addition to succeed in defeating two-factor
authentication systems?
Attacks against Dual-Factor Authentication
There would appear to be two obvious approaches:
Steal the Token
An attacker may be lucky in that the token may be kept in the same drawer
as the user’s password! But clearly an attack that combines a software
attack to determine the password with physically obtaining the token could
be successful. The first element is straightforward, the second less so;
however, in an e-commerce B2C scenario with many tokens being physically
distributed, there may be vulnerabilities that could be exploited.
Phishing
Phishing can still have some success even against dual-factor
authentication, as the attacker obtains the user’s password and one-time
code and can therefore use those credentials to fraudulently authenticate
as the user. Unlike the phishing attack on single factor, this does not allow
the attacker to steal the user identity as the user still has the token. This
means the attacker cannot re-authenticate without re-phishing the required
one-time code. This means that a web application that requires repeated
authentication provides a good defense against phishing attacks. For
example a banking website that requires authentication for every monetary
transaction.
Dual-Factor Authentication and Swivel
The Swivel authentication platform is a dual-factor authentication solution
with subtle but important differences. As with many dual-factor
authentication systems, Swivel sends the user a security string that is
needed in order to authenticate, but security strings are sent to the user’s
mobile phone, either as a voice call, an SMS or via a mobile app; therefore
there is no need for dedicated security tokens.
The received security string is not entered by the user; it is combined by
the user with a PIN to extract the one-time code which is then entered.
The advantages of these differences are described below.
Tokenless
The fact that Swivel does not require a dedicated security token (it uses
the mobile phone as a token) has a number of advantages.
There is nothing that needs to be physically distributed; therefore you are
not at the mercy of postal systems etc. to provision users. Users can be
provisioned instantly.
Just as importantly there is nothing to physically reclaim once a user no
longer requires access. This is particularly relevant where you have a
population of users that has a high churn rate such as an academic
institution.
People treat their mobile phone as something vital; they need it for
business but also to keep in contact with their friends and families when
they are at work. They are less likely to leave it behind; or leave it in a
pocket of a garment destined for the laundry. They are also more likely to
notice when they have lost it or it has been stolen.
As Swivel reuses an existing device as a security token there is no
additional cost. If someone loses or damages their mobile phone a
replacement is borne by the telecoms budget; not the security budget!
One-Time Code Extraction
The use of the Swivel one-time code extraction protocol means that both
factors of authentication can be combined into a single credential. This
means:
The user only needs a 4-digit one-time code to authenticate (Swivel can be
configured to use PINs of 4 to 10 digits and it can also be used in
conjunction with a password).
As the PIN is never entered the attacks described earlier, such as key
loggers, cannot be used to ascertain one of the two factors of
authentication.
So the use of the Swivel dual-factor solution makes some of the attacks
discussed before even harder. There is no physical token to distribute, and
the loss of a mobile phone is likely to be noticed and reported sooner than
the loss of a security token. In the event that an attacker gains access to a
mobile phone, security is still not compromised, as the attacker still needs
the PIN, and the PIN cannot be ascertained by key-logging attacks as it is
never entered by the user.
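The following Python is an added illustration of the extraction and verification flow described above; it is not Swivel’s code and the exact PINsafe extraction rule is not given in this paper, so the rule used here (each PIN digit selects that position of a 10-digit security string, 0 meaning position 10) is an assumption. The server side also shows the property the text relies on: the string is consumed on use, so a captured one-time code cannot be replayed, and the PIN itself never leaves the user.

```python
import hmac
import secrets

STRING_LEN = 10  # assumed security-string length for this illustration


def new_security_string() -> str:
    """Constructed example: a fresh string of 10 random decimal digits."""
    return "".join(str(secrets.randbelow(10)) for _ in range(STRING_LEN))


def extract_otc(pin: str, security_string: str) -> str:
    """Derive the one-time code the user types (the PIN itself is never typed).

    Assumed rule: PIN digit d selects position d of the string, counting
    from 1; digit 0 selects position 10.
    """
    if not (pin.isdigit() and 4 <= len(pin) <= 10):
        raise ValueError("PIN must be 4 to 10 digits")
    if not (security_string.isdigit() and len(security_string) == STRING_LEN):
        raise ValueError("security string must be %d digits" % STRING_LEN)
    return "".join(security_string[(int(d) or 10) - 1] for d in pin)


class PinsafeStyleServer:
    """Hypothetical server: one security string per attempt, discarded on use."""

    def __init__(self):
        self._pins = {}     # user -> PIN (kept plain here purely for illustration)
        self._pending = {}  # user -> security string awaiting a response

    def enrol(self, user: str, pin: str) -> None:
        self._pins[user] = pin

    def issue_string(self, user: str) -> str:
        """Generate the string that would be sent to the user's phone."""
        s = new_security_string()
        self._pending[user] = s
        return s

    def verify(self, user: str, otc: str) -> bool:
        """Check the submitted code, then drop the string so it cannot be replayed."""
        s = self._pending.pop(user, None)
        if s is None or user not in self._pins:
            return False
        expected = extract_otc(self._pins[user], s)
        return hmac.compare_digest(expected, otc)
```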
Attacks against Swivel
Stealing the Token
In the Swivel case this attack still leaves the attacker with the problem of
the PIN; as the PIN is never entered it cannot be obtained via key-logging
type attacks.
Phishing
No authentication product is immune from attack. Forms of phishing
attacks may have some success against Swivel; it is very difficult to stop
users entering credentials onto a mock web site as discussed before. Once
entered, these valid credentials can be used by the attacker; as before, this
does not allow the attacker to steal the account, as they cannot
re-authenticate without the mobile phone.
A mock web site can send a user a false security string and by examining
the returned one-time code ascertain the user’s PIN. However this requires
knowledge of the target’s mobile phone number and the means to send an
SMS. Once the PIN is known, physical access to the mobile phone is still
required.
Conclusion
Two-factor authentication is a much stronger form of authentication than
single-factor. Swivel’s implementation of two-factor authentication, with its
unique one-time code extraction protocol and its use of the mobile phone
as a security token, provides a number of advantages including increased
strength of authentication and decreased running costs.