Risk
5/16/2013
03:30 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%
Repost This

The Future Of Web Authentication

After years of relying on passwords, technology vendors -- and enterprises -- are ready for new methods of proving user identity.

Multifactor Authentication Within Reach

The financial industry has been a proving ground for two-factor authentication. That push came from the Federal Financial Institutions Examination Council, a government auditing body that works on behalf of several financial regulatory agencies, including the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency and the Office of Thrift Supervision. The FFIEC released its "Authentication In An Electronic Banking Environment" guidance in 2005, requiring banks to augment passwords with additional risk-mitigation mechanisms. The group started auditing banks for compliance at the end of 2006.

The mandate spurred banks to experiment with various forms of second-factor authentication. Many banks instituted question-and-response systems. They also set up fraud-prevention systems that trigger an additional form of authentication if a high-risk event occurs, such as if someone logs in from an unfamiliar computer. That form could be asking a person to enter a code sent via email, text or phone call for an address or number the bank has on file. For high-net-worth customers, some banks invested in hardware tokens. The FFIEC guidance pumped money into development of new forms of authentication, as vendors chased the financial industry's burgeoning compliance market.

But other industries haven't faced these sorts of regulatory requirements, and the costs and inconvenience, along with complacency, have kept them from embracing multifactor authentication. It doesn't make business sense for companies to buy expensive authentication if the accounts they're protecting aren't worth as much as the protections themselves.

Larger online companies, like Google, Twitter and PayPal, see risks to their brands if people get hacked. So all three Internet giants are working on two-factor authenticators. They've each hired authentication experts and are sharing their research on bolstering Web authentication techniques.

Advancements in mobile technology are helping drive multifactor authentication. Putting software tokens on mobile phones could eliminate the need for people to carry around many hardware-based token devices. But this approach continues to use shared secrets -- algorithmic code shared between the user's phone and the relying party's server. Plus, often people are using smartphones to access a website, so they're receiving their tokens on the same devices they're using to log in -- referred to as "in-band" authentication. The in-band approach is only secure as long as the device itself isn't compromised.

An alternative to shared-secrets approaches to authentication is to use mobile devices and asymmetric cryptography. This approach relies on digital signatures signed by encryption keys that are held on a person's devices. The user's identity information is encrypted and stored on her computer using public key cryptography. The keys to unlock that system sit on the computer browser, the mobile device and the identity service provider's cloud server. When the user signs in to a site enabled with the identity provider's software, she must use digital signatures from at least two of these keys to log in. From the user's point of view, it's simple -- done with a click, says Steve Kirsch, founder and CTO of OneID, an identity provider. Another positive is that the relying parties aren't maintaining central repositories for the bad guys to steal from, Kirsch says.

factoid: 6 in 10 computer users reuse passwords across the WebThis system doesn't pose an in-band problem because it uses encryption and because all of the key information isn't located on the same device that the user is using to login. And if attackers were to steal the key information held in the server-side repository, they wouldn't be able to commit a mass breach because they wouldn't have the key information that each individual user holds. This model doesn't stop a motivated attacker from potentially breaking it on a case-by-case basis, but it's the difference between "retail hacking and wholesale hacking," says Jon Callas, co-founder of encrypted mobile communications vendor Silent Circle.

Biometric applications incorporated into mobile devices also have potential as authentication mechanisms of the future. Online companies could find ways to use smartphones equipped with cameras, microphones and even built-in fingerprint readers to authenticate accounts. It will depend on how well these methods are deployed within a wider authentication framework, because consumer device providers will have to enable federated authentication protocols, says Darren Platt, CTO of cloud identity provider Symplified. Done right, this would let carriers provide authentication to third-party apps and services, including e-commerce websites and financial services providers, he says.

chart: Preferred Credentialing: How do you prefer to manage a multipurpose identity credential?

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Previous
4 of 6
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Ninja
5/21/2013 | 12:41:17 PM
re: The Future Of Web Authentication
"nobody knows you're a dog"
the other 'Net quip is that the Internet is a Fools' Paradise
perhaps so, but that aside there are a lot of not so nice folks out on the net. which is why it is essential to remain anonymous unless the connection has a legitimate need for a real ID such as online shopping.

and NO advertising sites do not fall in that category.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web