Lawrence Ang, Vice President, APAC Sales, Datablink Inc.
As the threat landscape constantly evolves and especially more rapidly in the last 5 years over the internet highway, the Authentication Industry need to constantly redefine with urgency what stronger authentication means and what new features needto be incorporated into the hardware and software tokens with affordability in mind so that its purpose can still stand relevant in the 21st Century.
Back in the 90s, the first concept of strong authentication is that a one-time password is proven to be more secure than a static password, especially a user-created password, which is typically weak.
A one-time password (OTP) token, which is a key fob that flashes a new number every few seconds that acts as a password.
The Authentication Industry soon learnt that a key fob can be subjected to social engineering hack where the hacker (for example pretends to be a bank officer) asked you to read the OTP from your key fob to verify your account.
PKI Tokens or Smart card tokens or Certificate-based authentication employs public key cryptography to generate public and private keys. Private keys may be stored on a portable device, such as a USB drive, or stored safely on a user’s computer.
Most people have heard that 1024 bit RSA keys have been hacked and not used any more for websites or PGP. So, there is a need for 4096 bits and above. Also, there are issues with certificate expiration.
From security point of view, USB PKI-based tokens can also introduce all kinds of security issues as USB can be used to introduce Trojans into the network or laptop. Also, there can be the weakness in client software that circumvent the token’s security and diminishes their effectiveness.
In addition, the cost of implementing certificate-based authentication (PKI or Smart Card Tokens) is multiple times more (single digit dollar times at least) expensive than OTP tokens making it difficult for large scale deployments like in internet banking.
Transaction Signing is a term used in Internet Banking that requires customers to digitally “sign” transactions in order to preserve the authenticity and integrity of the online transaction.
Context Based Tokens
Context-based authentication uses information about a user, such as geographical location to authenticate them. Context-based authentication is generally used in conjunction with other authentication methods. For highly secure environments, for example, a user may be required to provide a username, password, OTP and pass verification on the geographical location of the device initiating the session. Other techniques include device registration or fingerprinting, source IP address reputation and behavioral analysis.
Context Based Tokens especially Biometric Scanners are the most expensive as a high end processor is needed as the base of such a scanner. The cost of implementing Biometric Token solutions will easily run into double digits dollars times per token.
Internet Based Attacks change Stronger Authentication Concepts
In recent years, there is some debate within the information security community about the reliability of OTP tokens, Certificate-based Tokens or Context-based Tokens for authentication. Critics claim a hacker can defeat the device with a man-in-the-middle (MITM) attack, which is when a hacker intercepts the token value (regardless of whether it is OTP tokens, PKI Tokens or Biometric) in real time, along with the user ID and password from a targeted phishing site.
In the latest draft version of its Digital Authentication Guideline in July 2016, the United States National Institute of Standards and Technology (NIST) is also discouraging companies from even using SMS-based authentication in their two factor authentication schemes.
The reason is that there has been a significant increase in attacks targeting SMS-based two-factor authentication recently. SMS messages can be hijacked over some VoIP services. Security researchers have used weakness in the SMS protocol to remotely interact with applications on the target phone and compromising users. One example is that the malware can be implantedonto an Android Smartphone to redirect the SMS OTP to the hacker phone.
Major Features of Next Generation Advanced Authentication
Transaction Signing is a term used in Internet Banking that requires customers to digitally “sign” transactions in order to preserve the authenticity and integrity of the online transaction. While performing any of the above online transactions, you will obtain a challenge code.
So, the next generation strong authentication hardware token needs to incorporate a cost efficient and energy efficient optical sensor (as an example instead of a keypad type of hardware token) to change the dynamics of inputting the transaction data into the token so that it can be used to generate the Transaction Signature (like the OTP) without much hassle like when the keypad is locked.
The next generation strong authentication software tokens needs to incorporate at least one of these useful features like QR Code (in the event if there are no Telco connections at that instant); Push Technology that accepts or declines a transaction with a push of a button (with tokens verified and embedded with the push feature) and/or Secure Messaging (to provide enhanced user experience with much reliability and reliable online marketing to their client base compared to SMS).
Any vendor(s) that can incorporate these two types of next generation strong authentications for hardware and software tokens in their product portfolio will ultimately be the clear winner in this strong authentication space for the 21st century.