7/24/2014
12:00 PM
Passwords Be Gone! Removing 4 Barriers To Strong Authentication

As biometric factors become more prevalent on mobile devices, FIDO Alliance standards will gain traction as an industry-wide authentication solution.

Everyone knows that passwords are the weakest security for authentication, yet Internet services persist in making consumers use a password as the primary method for online access. For consumers, there are too many passwords to remember, they are difficult to type (particularly on mobile devices), and they are insecure.

More secure authentication options will require users to submit one or two extra “factors,” which may be any combination of something a user (1) knows, (2) has, or (3) is -- the classic definition of "multifactor" or "strong" authentication. Extra factors provide better protection, yet the usual reason against using them is: “Strong authentication has too many barriers.”

New technical protocols developed by the FIDO Alliance are designed to remove the barriers to strong authentication. The main principle behind FIDO is that there doesn’t have to be any tradeoff between ease-of-use and security. The protocols ensure that users receive strong security and the authentication experience is easy to use.

The following describes four major barriers to strong authentication practices and how the FIDO approach can help alleviate the significant burdens they currently place on business.

Barrier 1: Cost
Application providers face a huge business challenge authenticating a mass audience with heterogeneous devices. Scaling a solution for millions of customers with diverse PCs, smartphones, and tablets is often cost-prohibitive.

Even for a cloud-based solution that boasts a lower up-front cost, recurring expenditures can quadruple total cost of ownership (TCO). The TCO calculation depends on many variables: acquisition, integration, deployment, support, and annual maintenance. Internal costs swell when multiple strong authentication solutions have to be integrated.

The largest variable is supporting strong authentication for millions of consumers. For example, a physical USB token may cost $30 to $60. Its distribution requires packaging, postage, and support. Physical tokens must be maintained, and damaged or lost tokens replaced. Consumers may also need assistance configuring credentials on their smartphones for automatic two-factor authentication via cloud-based solutions. Many calls to help desks are for password resets; the cost of supporting resets for traditional authentication factors on a mass scale could be enormous.

Use of biometrics for authenticating consumer applications could dramatically reduce TCO because these factors are already “deployed,” and sensors for capturing biometrics are rapidly appearing in new-model smartphones.

Barrier 2: Ease of Use
Most consumer applications use simple passwords for authentication due to their ease of use. The business logic for this choice is that ease of use is a higher priority than security, and if the authentication process is too difficult consumers won’t use the provider’s application in the first place.

Most consumers, however, are wise to security risks, according to a recent survey by Ponemon Institute. Consumers do not trust systems or websites that only rely on passwords or do not require frequent password changes.

Source: Ponemon Institute

When consumers feel uncomfortable with online security, they withdraw. For example, a Jumio study showed that abandonment of mobile shopping carts is very high. Of the 66% of smartphone and tablet users who have tried but failed to complete a transaction, 51% were uncomfortable entering credit card information. Offering consumers strong authentication validates an application provider's concern for securing personal information -- it's the way to earn consumers' trust. Toward this end, a wave of leading consumer applications such as Dropbox, Twitter, and Evernote are now offering two-factor authentication (also called "two-step") to help assure consumers that their data is safe.

Biometrics hold great promise because consumers are already familiar with access that is activated by a voice command, looking into an eye scanner, or pressing a fingertip or palm to a scanner. Fingerprint sensors are becoming more prevalent on mobile devices. In fact, according to Apple, just 49% of its customers used a passcode to log into their iPhones before Touch ID. Now, on the iPhone 5S, 83% of people use Touch ID or a passcode.
 
Barrier 3: Access Security
Strengthening access security is a key function of strong authentication. Whether to use strong authentication depends on the level of assurance required for a particular use case. Applications requiring high confidence in user identity must use strong authentication. Applications requiring moderate-to-low confidence in user identity may deploy a single-factor solution.

By definition, strong authentication uses more than one factor -- but that does not automatically make it more secure. The characteristics related to quality of an authentication factor include: 1) The factor is not forgettable; 2) the authentication codes generated are not guessable; 3) the factor is unfeasible to replicate; 4) the factor is not prone to be surreptitiously stolen via the Internet; and 5) the factor is tamper-resistant. Adding higher-quality factors like biometrics or smartcards strengthens the authentication solution.

Barrier 4: Privacy
The privacy barrier relates to the ability of a strong authentication solution to secure factors stored in a user’s authentication profile. The user’s profile may include personally identifiable data such as name, address, birth date, birthplace, mother’s maiden name, Social Security number, credit card information, or biometric information.

All of these are stored somewhere in digital format and are at risk of a breach just like any other data. If centrally stored authentication data is breached, it can be duplicated, modified, and used to the great detriment of the consumer application provider and its users.

Biometric data is especially critical because, if it is compromised in a server breach, the data can potentially be extracted. There are two classes of biometrics pertinent to authentication: anatomical/physiological factors and behavioral factors. Providers that centrally store biometric templates must ensure the safety of this sensitive data. Cloud solutions for strong authentication must include safeguards to preserve privacy.

The FIDO standards are intended to be used by Internet services, component and device makers, and providers of software and stacks. A key enabler for this is the latest generation of smartphones and tablets where biometric factors can be securely stored, and a strong authentication solution can leverage FIDO protocols without centrally stored authentication profiles.

By using FIDO protocols, businesses can lower costs, ensure consumer privacy, enforce stronger assurance of identity, and make strong authentication solutions easier to use.

Phillip M. Dunkelberger is President and CEO of Nok Nok Labs. He has spent more than 30 years in the technology field. From the advent of the local area network and PCs to the creation of the standalone security market, he has seen the impact of "big ideas" that ...
Comments
HAnatomi
User Rank: Apprentice
8/6/2014 | 10:28:35 PM
Re: What lies at the root of the problem?
You do not have to remember UNKNOWN pictures afresh, which is not easy for everyone, if not as difficult as remembering meaningless texts. You will only have to find KNOWN pictures. What you already remember is what you do not have to re-remember.
Marilyn Cohodas
User Rank: Strategist
7/30/2014 | 1:42:51 PM
Re: What lies at the root of the problem?
@HAnatomi, I'm not sure my visual memory is any better than my textual memory. I'd much prefer to rely on my thumbprint...
Jeff Jerome
User Rank: Apprentice
7/30/2014 | 8:37:12 AM
Re: biometrics - a bad idea from the start
Great point about not being able to recreate authentication for your biometrics. It's not like you can go out and get a new set of fingerprints, and like any other digitized technology it can be compromised and repurposed.
Arshad Noor
User Rank: Apprentice
7/28/2014 | 2:34:01 PM
Biometrics + Cryptographic Keys
What makes FIDO different is that it does NOT rely on biometrics to authenticate you to the web-site; the biometric authentication is (optionally) required to authenticate you to an authenticator that is local to you.  The local authentication unlocks an ECDSA private-key that digitally signs a challenge sent by a FIDO server.  So, the web-site actually sees only a signed challenge, with some meta-data that confirms this came from a certified FIDO authenticator.  This is analogous to using a smartcard with a digital certificate to do SSL-ClientAuth - a far more robust authentication protocol than just biometric authentication.  The biometric part of FIDO is purely for user-convenience when dealing with FIDO authenticators.


Take a look at this paper - Identity Protection Factor (http://middleware.internet2.edu/idtrust/2008/papers/01-noor-ipf.pdf); it describes the relative strengths of different types of authentication credentials; while biometrics by themselves might come in at level 3 or 4, FIDO would come in at level 6 or 7.


Arshad Noor
StrongAuth, Inc.


Note: Full disclosure: We are a FIDO Alliance member and are planning to release an open-source FIDO server in the next few weeks.
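The challenge-response flow Arshad Noor describes above (and the article's point that FIDO needs no centrally stored authentication profile), as an added example written for this page in Go; it is not the page's, Nok Nok Labs' or StrongAuth's code. The private key is generated by and stays with the authenticator, the relying party keeps only the public key and a one-time challenge, and the local biometric match is modelled as a constructed boolean that merely unlocks signing; the attestation metadata he mentions is left out.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator: the user's local FIDO-style authenticator; its ECDSA private key never leaves the device.
type Authenticator struct{ priv *ecdsa.PrivateKey }
// RelyingParty: the web site; it keeps only the registered public key and the outstanding challenge.
type RelyingParty struct {
	pub       *ecdsa.PublicKey
	challenge []byte
}
// Register generates the device-bound key pair; the site receives the public key only.
func Register(rp *RelyingParty) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pub = &priv.PublicKey
	return &Authenticator{priv: priv}, nil
}
// IssueChallenge creates a fresh random nonce for one login attempt.
func (rp *RelyingParty) IssueChallenge() []byte {
	rp.challenge = make([]byte, 32)
	rand.Read(rp.challenge) // crypto/rand; Go 1.24+ guarantees this never fails
	return rp.challenge
}
// SignChallenge signs only if local user verification (the biometric match, modelled as a constructed boolean) unlocked the key.
func (a *Authenticator) SignChallenge(challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("local user verification failed; key stays locked")
	}
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, h[:])
}
// VerifyResponse checks the signature over the outstanding challenge, then retires it so a replayed response fails.
func (rp *RelyingParty) VerifyResponse(sig []byte) bool {
	c := rp.challenge
	rp.challenge = nil
	if rp.pub == nil || c == nil {
		return false
	}
	h := sha256.Sum256(c)
	return ecdsa.VerifyASN1(rp.pub, h[:], sig)
}
```

A breach of the relying party here yields public keys and spent challenges, nothing that lets an attacker sign a new challenge; that is the property the article's Barrier 4 relies on.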
HAnatomi
User Rank: Apprentice
7/26/2014 | 10:30:53 PM
What lies at the root of the problem?
2 is larger than 1 on paper, but in the real world two weak boys may well be far weaker than one toughened guy.  A truly reliable 2-factor solution requires the use of the most reliable password.

Biometrics, whether static or behavioral, cannot displace passwords UNLESS they stop relying on a password for self-rescue against false rejection while retaining near-zero false acceptance. A dog which depends on a man cannot be an alternative to the man.

At the root of the password problem is the cognitive phenomenon called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. Textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
Marilyn Cohodas
User Rank: Strategist
7/25/2014 | 4:31:53 PM
Re: biometrics - a bad idea from the start
Happy to oblige!
JonNLakeland
User Rank: Strategist
7/25/2014 | 4:29:43 PM
Re: biometrics - a bad idea from the start
Thanks for the assist, Marilyn!
Marilyn Cohodas
User Rank: Strategist
7/25/2014 | 4:03:34 PM
Re: biometrics - a bad idea from the start
The article you are referring to @JonNLakeland is by David Kearns in:

How The Math Of Biometric Authentication Adds Up. You pretty much got his point across. He also noted: "Most of us have ten fingers – or eight fingers and two thumbs -- which is (for biometric purposes) the same thing. Changing from one to another is no more difficult than changing from one password to another."
JonNLakeland
User Rank: Strategist
7/25/2014 | 3:27:07 PM
Re: biometrics - a bad idea from the start
You can't change biometrics as *often* as some people change passwords, but that doesn't mean it can't be done. I'm certain I read another article either on InformationWeek or DarkReading that points out 1) Most people have ten fingers to choose from and 2) Who says it has to be only one fingerprint? What about a pattern of 5 fingerprints, that allows using the same finger more than once and both hands, or a system that allows you to scan more than one finger at a time? This week it's the middle and ring finger on your left hand scanned at the same time, and next week it's forefinger and thumb on your right hand in sequence...

It seems like a lot of the hatred for biometrics can be easily solved if you want it to be solved.
macker490
User Rank: Ninja
7/25/2014 | 8:47:54 AM
biometrics - a bad idea from the start
On occasion systems are compromised and we need to change our passwords.

Biometrics is just a means of creating a digital pattern -- that acts as a password. This, by digitizing your fingerprint, or iris scan -- voice -- what have you.

Trouble is: you can't come up with a new one once yours is compromised.

This is fully evident to everyone, particularly security technicians. So why the push for biometrics? Could be an effort to eliminate anonymity.

There are some bad actors on the net. Anonymity is important to everyone.