Operations // Identity & Access Management
2/4/2014
05:15 PM
Garret Grajek
Garret Grajek
Commentary
Connect Directly
LinkedIn
Google+
RSS
E-Mail
50%
50%

The Problem With Two-Factor Authentication

The failure of corporate security strategies to protect personal identity information from hackers resides more with system architecture than with authentication technology. Here's why.

For too long, enterprises have been looking for the perfect two-factor authentication. First, it was X.509, then hard tokens, then SMS, and now Push and biometrics. And still, hackers keep winning. Just look at what happened with Target, Neiman Marcus, Living Social, Snapchat, and others.

The problem isn't the two-factor authentication technology. To be more specific, it's not just the two-factor authentication. It's the full integration, which includes the storage, accessing, validation, and assertion of identity throughout the authentication process.

But don't take my word for it. The forensics on most recent hacks reveal that hackers did not break the authentication mechanism itself. Rather, they broke the integration -- the identity passing and storage. That tells me websites (cloud or enterprise-based) that demand bulletproof security need to understand how authentication (single- or two-factor) is provisioned, conducted, validated from enterprise information, and asserted to the final resource -- and ultimately how the trust is reused at other resources.

How the authentication is provisioned
By this, I mean how the ID itself is granted to the user and how the credentials are provided to the users. The authentication process (single- or two-factor) should be quantified and scrutinized for weaknesses. One of the best ways to increase security in this procedure is to remove all human interaction (think: how to remove help desk interaction). You can validate users based on enterprise data or third-party social IDs and other data sources. You can then grant users reusable two-factor authentication credentials such as an X.509 certificate, an identity card, a mobile OATH token, or just the device itself.

Ideally, the registration process should be browser-based, which enables communication to match the client's native language automatically. Too often, however, each of these functionalities is siloed (e.g., coded after the two-factor product is purchased), and this is where the hacks occur. The hackers are breaching the architecture, not the authentication mechanism.

How and where the authentication takes place
Too often the validation algorithm is hosted or housed on servers or services that are beyond an enterprise's security control. These servers and services need to be scrutinized, because it is usually much easier for a hacker to breach the actual identity collection form (web or other form) than the actual authentication mechanism itself via cross-site scripting, SQL injection, or another attack vector against the form collector. Of course, this raises a raft of additional questions. Who wrote these collection forms? Are they housed on secure, enterprise servers? Have the forms been pen tested? Were they written by an outsourced contract service or hosted on insecure servers?

How the authentication is validated from enterprise PII
Most of the recent attacks have targeted enterprise-held personally identifiable information (PII), in which two-factor authentication methods prompted the company to sync up or migrate PII to other holders. As the Snapchat breach of 4.6 million users' phone numbers demonstrated, organizations need to secure their PII with the same security they use to keep passwords and other authentication information safe. Authentication information is, by its nature, PII, and allowing other services, especially authentication services, to use this data is simply asking for trouble.

How the authenticated identity is validated
Many authentication methods were created before resources like cloud and native mobile applications existed. As a result, common authentication mechanisms, such as tokens, were designed to use dated authentication protocols, like RADIUS, for resource-to-data-store validation. This type of authentication usually assumes that there is a proxy between the resource and the user, which is not always possible in the cloud and with mobile apps. In response, enterprises have implemented hackable integration methodologies that introduce vulnerabilities in the credential collection and identity-passing processes for these new resources.

Cloud resources should be secured with cryptographically signed assertions, like SAML or WS-Fed; similar mechanisms, including cryptographically validated web services, can be used for identity passing to native mobile apps. But these mechanisms are only as good as the services that encompass the identity passing. If the authentication system is separate from the identity-passing system, your enterprise needs to ensure that this transfer process is secure each and every time.

Don't ignore user fatigue
Ideally, all systems that users access (including network, cloud, enterprise, and mobile), should be set up to conduct some sort of identity validation. But if the enterprise forces a high-friction authentication such as SMS, token, or telephony, where the user has to re-enter credentials every session, it's pretty much guaranteed that the user will find a way to circumvent the best mechanisms and/or burden the help desk with repeated account lockouts or two-factor registration requests.

To alleviate this burden, SSO is the best solution. Look at consolidating enterprise resources into mechanisms that lend themselves to portal access where a single authentication (preferably, a strong one) allows access to multiple resources. Role-based is ideal, depending on what resources a particular user should see.

Organizations that demand bulletproof security must understand that true security is not in the authentication process alone. It's only when the entire system architecture -- from provisioning and validation through asserting identity -- is addressed from a security perspective that personal information will be truly safe from attack.

Garret Grajek is a CISSP-certified security engineer with more than 20 years of experience in the information security and authentication space. As Chief Technical Officer and Chief Operating Officer for SecureAuth Corp., Garret is responsible for the company's identity ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
anon2405478111
50%
50%
anon2405478111,
User Rank: Apprentice
2/4/2014 | 6:01:03 PM
Duo Security
I think Duo Security's two-factor authentication may do things differently. However, I have yet to see an true expert write a review on this service, so I would definitely be interested in reading what the author has to say about it. https://www.duosecurity.com
Li Tan
100%
0%
Li Tan,
User Rank: Apprentice
2/4/2014 | 8:01:00 PM
Re: Duo Security
The new approach looks good. Furthermore, the core concept behind is important - the security lies mainly with architecture from design perpsective instead of single piece of authentication technology. I am willing to see more articles describing it in more detail.
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
2/5/2014 | 1:51:45 PM
Security is more than authentication
I totally agree, Li, that the Garret raised an issue that too often overlooked in the  discussions of biometrics, tokens and passwords and other mutlficactor authentication technologies.  You can have the best authentication in the world, but if the architecture isn't designed properly you're still vulnerable. 
Ariella
100%
0%
Ariella,
User Rank: Apprentice
2/5/2014 | 5:33:57 PM
Re: Security is more than authentication
And wouldn't you know it? Maxine has just the right picture for this topic: 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/6/2014 | 7:55:37 AM
Re: Security is more than authentication
Funny -- and not just Maxine. I can see the cartoon on my phone but not on my laptop. Anyone else having that problem?
Li Tan
50%
50%
Li Tan,
User Rank: Apprentice
2/5/2014 | 9:52:23 PM
Re: Security is more than authentication
You got my point, Marilyn. Furthermore, I am a little bit pessimistic regarding security. You can improve security all the time by implementing new architectures and techniques but you will never caulk the gap - there is always cavity for the hackers.:-(
aaronAshfield
50%
50%
aaronAshfield,
User Rank: Apprentice
2/12/2014 | 12:33:01 AM
Two-Factor Authentication is OBSOLETE
Two-factor authentication is an old concept that applies well to workstations, however, fails to protect data on mobile devices... A simple device left un-attended while open will compromise enterprise data. Presence-based real-time security offered by Secure Access Technologies provides breakthrough security and breakthrough user experience. www.SecureAccessTechnologies.com
GGRAJEK
100%
0%
GGRAJEK,
User Rank: Apprentice
2/7/2014 | 3:11:32 PM
Re: Duo Security
>  the security lies mainly with architecture from design perpsective instead of single piece of authentication technolog

Exactly.   I will be writing more about this.  If you want any more immediate readings, please go to:

http://blog.secureauth.com/cto

 
GGRAJEK
100%
0%
GGRAJEK,
User Rank: Apprentice
2/7/2014 | 3:07:20 PM
Re: Duo Security
Duo has very nice PUSH authentication - but as I stated - relying on a single form factor for authentication is setting the enterprise up for failure.    THe key is too abstract the authenticaiton and then be able to select the form factor most appropriate, PUSH Notification being one of the choices.   (THe others being  SMS, Telephony, X.509, OATH MObile tokens, Hard Tokens,  Gov't Issue  Credentials, Smart Cards, Social IDs, etc.)

And most importantly - construct a solution - that allows rapid (and secure) delivery/deployment of these authentication methodologies.   E.G. - as stated - this is where the hacks are occruing. 

 
smptpus3r
100%
0%
smptpus3r,
User Rank: Apprentice
2/4/2014 | 6:44:17 PM
Great write up
Its a great approach... look forward for new articles on the subject from the Author.
GGRAJEK
100%
0%
GGRAJEK,
User Rank: Apprentice
2/7/2014 | 3:09:32 PM
Re: Great write up
Will do.   The Neiman Marcus, Living Social, Snapchat hacks have made us authentication guys "hip" again - and I thank InformationWeek for giving me the forum to write about what I love!
K.Sree
50%
50%
K.Sree,
User Rank: Apprentice
2/5/2014 | 2:01:48 AM
Effective Two-factor authentication
A best analysis on the two-factor authentication. However, a bidirectional approach (both from Server and Client communications) will give better solutions. VeriQR is such a solution addressing this - http://www.integritauk.com/veriQR.html
SaneIT
100%
0%
SaneIT,
User Rank: Apprentice
2/5/2014 | 8:45:37 AM
Beyond authentication
I live by the old saying that locks are for honest people.   If someone wants in badly enough a lock is not going to stop them.  The same goes for any authentication method.  If you lock down your application well enough someone will turn to social engineering to get in.  One thing I rarely see covered when talking about securing any assets is intelligent monitoring.  The recent attacks on Target and Niemen Marcus don't seem to have been detected until after millions of records were lost.  One thing I'd like to see addressed is how do you see the leak before the flood gates are fully open?
Ariella
100%
0%
Ariella,
User Rank: Apprentice
2/5/2014 | 9:41:14 AM
Re: Beyond authentication
@SaneIt In light of your comment, I wonder if we should regard locks and this kind of authentication as a positional good. Its value is derived from others not having it. It's rather like those steering wheel locks sold as anti-theft protection on cars. They won't prevent a truly capable thief form taking your car. But if your car is not particularly valuable and is among others of equal value that do not have the extra protection, the thief may just go for the easiest break-in. However, when every driver starts using these things, then they'll make no difference. 
SaneIT
50%
50%
SaneIT,
User Rank: Apprentice
2/6/2014 | 8:28:05 AM
Re: Beyond authentication
Yes I believe that we should view it as a good practice but we should not rely on authentication as the sole source of protection.  A majority of data loss/misuse comes from internal sources so part of the battle has to be monitoring and swift action when irregularities are detected.
smholloway
50%
50%
smholloway,
User Rank: Apprentice
2/5/2014 | 7:37:16 PM
Two factor is useful after the data breach
Overall, a good article. However, I take issue with two things: first, user fatigue. There are new 2FA offerings that are largely invisible (see, for example, Toopher). When users don't have to keep track of a separate single-use item and they don't have to manually approve every request, they will flock to two-factor. And that brings me to my second nitpick: two-factor is useful after the data breach--perhaps even more important after your usernames and passwords are public information. If your account details are leaked, multi-factor authentication helps reduce the damage that can be done with your hacked credentials. Ultimately, we need more high quality two factor implementations, and, as you said, securing logins will be easier when we start funnelling all logins through a single point, reducing the attack surface.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/6/2014 | 8:01:06 AM
Re: Two factor is useful after the data breach > User fatigue
When users don't have to keep track of a separate single-use item and they don't have to manually approve every request, they will flock to two-factor.

I hope you are right about this @smholloway. And agreed, that if TFA or MFA can substantially reduce damage from hacked PII after the breach that will be a big deal. (Not nitpick at all.)
Beck
50%
50%
Beck,
User Rank: Apprentice
2/7/2014 | 10:33:11 AM
Re: Two factor is useful after the data breach
What exactly do you mean by invisible? Does Toopher remember your credentials or cookies and automatically log you in on your mobile device? I could see a lot of holes in that security. Excellent point about the post-breach security though. I definitely agree that 2fa is an important step.
M_Gordon
100%
0%
M_Gordon,
User Rank: Apprentice
2/7/2014 | 10:41:17 AM
Re: Two factor is useful after the data breach
@BGordon1

I use Toopher with LastPass and absolutly love it! What they mean by invisible is their automation feature. Toopher uses location awareness of your smartphone to automate authentication so that you don't have to take any extra steps - like having to type in any passcodes to complete the authentication process. It is the most user friendly 2fa I have experienced. Check out this video... it helped me better understand what Toopher does. 

http://www.youtube.com/watch?v=k78xDTpy7PU
Beck
0%
100%
Beck,
User Rank: Apprentice
2/7/2014 | 12:10:23 PM
Re: Two factor is useful after the data breach
Woah, thanks for the quick response! I didn't realize how many users Toopher has. I've never used LastPass but I'll go ahead and check that out too, thanks for the info.
moarsauce123
100%
0%
moarsauce123,
User Rank: Apprentice
2/7/2014 | 2:49:27 PM
Re: Two factor is useful after the data breach
We tried Toopher here and it was a horrible waste of time...  Ended up looking elsewhere at the time, didn't know about Garret's concept which looks great.
CalistaHerdhart
100%
0%
CalistaHerdhart,
User Rank: Apprentice
2/7/2014 | 2:52:24 PM
Re: Two factor is useful after the data breach
Yea, we tried SecureAuth and it was great, transparent 2factor that worked with all of our cloud and internal apps, sso and password reset included.  Covered everything at a price point we could live with.  bye bye rsa securid tokens
smholloway
0%
100%
smholloway,
User Rank: Apprentice
2/7/2014 | 10:55:29 AM
Re: Two factor is useful after the data breach
@BGordon1 I think the concept of invisible authentication is a bit tricky because no one else is doing it. Toopher can automate authentication requests based on your location so that future requests from the same location are invisibly approved. For example, if you're logging into your bank's website from your home computer, the bank would ask Toopher to authenticate, Toopher would ping your phone, and your phone will respond for you (assuming you've chosen to automate the same request in the past); your bank logs you in without you having to type in a one time password or any of that nonsense. It's still a second factor--it's just invisible. The Toopher site might explain it better than I can: https://www.toopher.com/.
anon2284099262
100%
0%
anon2284099262,
User Rank: Apprentice
2/7/2014 | 1:18:09 PM
Re: Two factor is useful after the data breach
RE Toopher, What would happen if someone stole your phone and knew where you did business. I would think that is sort of a single point of failure. 
tstewart2k
100%
0%
tstewart2k,
User Rank: Apprentice
2/7/2014 | 3:11:13 PM
Re: Two factor is useful after the data breach
If someone stole your phone AND knew where you did business, they would also need your username and password, so that is more like 3 or 4 ppints of failure.  That is beside the point becuase you (person responsible for providing access to and protecting application(s) can add factors (1, 2, 3+...) and strength of those factors depending on the value of the data and the usability requirements.  By having the strong auth and SSO abstracted away form the guts of the app, there is flexibility to respond to threats and tweak auth methods in real without touching all the apps every time.  That is the beauty of what Garret is talking about.  It is a fundamentally better way in every way.  
capsaicin
50%
50%
capsaicin,
User Rank: Apprentice
2/7/2014 | 5:35:40 PM
Re: Two factor is useful after the data breach
I think that is exactly one of the points the author makes. Any authentication mechanism can be breached, thus it is imperative that their are options and flexibility available to easily move to another methodology. We should all accept and expect that over time there will be a breach of a given method, be it the Toopher method, or the Telephony / SMS / Push methods that have gained a lot of traction. When that happens, it needs to be simple to switch to a new methodology very quickly (click of a mouse?) without having to completely recode / rip and replace technology.
Auth_Pro
100%
0%
Auth_Pro,
User Rank: Apprentice
2/7/2014 | 3:07:47 PM
Preformed head to head with toopher,secureauth, okta, duo & securid
After a month long review of Toopher, Duo Security, Okta, SecureAuth and SecurID I can say that gartner was right about secureauth having the best customer service in the authentication space.  Toopher support was non existent, okta sales were pushy as heck, securid was a workable dinosaur which left duo and secureauth.  What secureauth put together was something that deployed quickly and worked for our use cases, duo deployed quickly too but only covered half of our use cases.
IMjustinkern
100%
0%
IMjustinkern,
User Rank: Strategist
2/7/2014 | 3:59:05 PM
Re: Two factor is useful after the data breach
I know our folks and customers are big fans of Toopher. Lots of people using LastPass or KeePass (more on the former). I think two-factor authentication has a great place as part of a "defense in depth" approach, which starts with the data. That's what the hackers are going for, after all. 
RobertW152
100%
0%
RobertW152,
User Rank: Apprentice
2/7/2014 | 4:39:09 PM
Re: Two factor is useful after the data breach
I agree with you completely, and think that the #1 hurdle for 2FA, is acceptance by the end user. I think most organizations gamble that productivity is more important than security until a hack occurrs. If you give your end users a technology that balances Productivity & Security, then organizations will adopt 2FA for themselves and for other user groups like contactors, customers, Before it's too late. Disclosure: I work for SecureAuth, the author of this post's company.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/10/2014 | 8:51:13 AM
Re: Two factor is useful after the data breach
I second your point about user acceptance of 2FA. Speaking as typical end-user, I for one, would welcome any relief from the tyranny (and ineffectiveness) of passwords.

(PS Thanks for the disclosure of your relationship with the author's company!)
WKash
50%
50%
WKash,
User Rank: Apprentice
2/10/2014 | 3:37:37 PM
NIST NSTICk
Garret, what's your take on the work being done at NIST and the National Strategy for Trusted Identities in Cyberspace  in coming up w/ better a better solution?
humlik
50%
50%
humlik,
User Rank: Apprentice
2/13/2014 | 8:42:28 AM
The problem is the authentication technology itself, not the outside architecture
First - thanks for the article, it's always good to open painful topics. I absolutely agree with Andrew's comment. Garret Grajek excellently identified and formulated several Achilles heels of authentication, bud I disagree with the formulation that "The problem is not in authentication"- I would formulate the main idea in the opposite way: "The problem is the authentication technology itself, not the outside architecture!"

Garret in his article correctly observed one architectural misconception. He uncovered that the authentication technology is not just composed of "identity verification act".

Many of you (does not matter if you are customer or developer) may already have noticed that the rest of Devils's hoof is being silently moved onto your shoulders.

And that's wrong. The authentication technology must offer a compact and unbreakable solution for entire life-cycle of your "cybernetic" identity – identity creation, validation/verification, deletion, lost, expiration and much more including ID provisioning!

That's why the US is coming with the NSTIC (National Strategy for Trusted Identities in Cyberspace - http://www.nist.gov/nstic/), why the European Union is coming with the SSEDIC activity (European eID - http://www.eid-ssedic.eu/).

Maybe one interesting information is coming for EU region – the SSEDIC has been completing work on formulating visions of future eID. This work is coming from 3-year SSEDIC analysis of existing authentication technologies and issues. Main principles of that future vision are incorporated into new strategy called DII – Distributed Identity Infrastructure. The final text of recommendation will be released soon.

Welcome to the new Matrix ;)
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7298
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

CVE-2014-8346
Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.