Risk
5/16/2013
03:30 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

The Future Of Web Authentication

After years of relying on passwords, technology vendors -- and enterprises -- are ready for new methods of proving user identity.

The Limits Of Multifactor Authentication

The security industry has developed a number of workable, if imperfect, supplemental authentication factors to tack onto the user name-password schema.

The most basic is a challenge question system that requires users to answer questions that strangers wouldn't likely know, such as "What is your mother's maiden name?" and "What street did you grow up on?" While this approach increases the barrier to entry into a site or a system, the answers are possible to steal or find out with Internet searches.

More secure are biometric readers that tie in fingerprints, retinal images or voice prints with a user's identity. There also are hardware-based one-time-password tokens, such as those RSA sells. A user gets a key-chain-sized hardware fob that generates a multiple-number PIN created by an algorithm using some variable like the time of day combined with an additional value stored on the device called the seed. That seed is tied to the user's identity on the back-end system that controls access to whatever software or online site needs protecting. Each time the user logs in, he presses a button on the fob to get a PIN that's created on the spot using the algorithm, the variable and the seed value. The person then enters a user name, password and PIN into the system, which crunches the PIN algorithm based on that user's mutually shared seed with an additional variable that can be tied to that user's identity.

Hardware tokens and biometrics have worked reasonably well in business environments that require people to sign on to an internal network, hardware device or software system. However, they haven't translated well online, because the cost of providing tens of thousands of people with the hardware is prohibitive. Two-factor systems based on tokens are difficult to use since people must have the PIN-generating device any time they log on. For online authentication to be widely used, people would have to carry numerous fobs to authenticate into multiple websites. It's an unwieldy process and still based on shared secrets -- though admittedly more complicated ones.

Crooks can't steal the shared secret directly, but they can steal a person's hardware token and log on as that user. In 2011, thieves attacked RSA and gained access to the token seed data for many customers in one fell swoop, forcing the company to reissue tokens with new shared secrets.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Previous
3 of 6
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Ninja
5/21/2013 | 12:41:17 PM
re: The Future Of Web Authentication
"nobody knows you're a dog"
the other 'Net quip is that the Internet is a Fools' Paradise
perhaps so, but that aside there are a lot of not so nice folks out on the net. which is why it is essential to remain anonymous unless the connection has a legitimate need for a real ID such as online shopping.

and NO advertising sites do not fall in that category.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1544
Published: 2014-07-23
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger cer...

CVE-2014-1547
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1548
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1549
Published: 2014-07-23
The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applica...

CVE-2014-1550
Published: 2014-07-23
Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.