Risk
5/16/2013
03:30 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%
Repost This

The Future Of Web Authentication

After years of relying on passwords, technology vendors -- and enterprises -- are ready for new methods of proving user identity.

Multifactor Authentication Within Reach

The financial industry has been a proving ground for two-factor authentication. That push came from the Federal Financial Institutions Examination Council, a government auditing body that works on behalf of several financial regulatory agencies, including the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency and the Office of Thrift Supervision. The FFIEC released its "Authentication In An Electronic Banking Environment" guidance in 2005, requiring banks to augment passwords with additional risk-mitigation mechanisms. The group started auditing banks for compliance at the end of 2006.

The mandate spurred banks to experiment with various forms of second-factor authentication. Many banks instituted question-and-response systems. They also set up fraud-prevention systems that trigger an additional form of authentication if a high-risk event occurs, such as if someone logs in from an unfamiliar computer. That form could be asking a person to enter a code sent via email, text or phone call for an address or number the bank has on file. For high-net-worth customers, some banks invested in hardware tokens. The FFIEC guidance pumped money into development of new forms of authentication, as vendors chased the financial industry's burgeoning compliance market.

But other industries haven't faced these sorts of regulatory requirements, and the costs and inconvenience, along with complacency, have kept them from embracing multifactor authentication. It doesn't make business sense for companies to buy expensive authentication if the accounts they're protecting aren't worth as much as the protections themselves.

Larger online companies, like Google, Twitter and PayPal, see risks to their brands if people get hacked. So all three Internet giants are working on two-factor authenticators. They've each hired authentication experts and are sharing their research on bolstering Web authentication techniques.

Advancements in mobile technology are helping drive multifactor authentication. Putting software tokens on mobile phones could eliminate the need for people to carry around many hardware-based token devices. But this approach continues to use shared secrets -- algorithmic code shared between the user's phone and the relying party's server. Plus, often people are using smartphones to access a website, so they're receiving their tokens on the same devices they're using to log in -- referred to as "in-band" authentication. The in-band approach is only secure as long as the device itself isn't compromised.

An alternative to shared-secrets approaches to authentication is to use mobile devices and asymmetric cryptography. This approach relies on digital signatures signed by encryption keys that are held on a person's devices. The user's identity information is encrypted and stored on her computer using public key cryptography. The keys to unlock that system sit on the computer browser, the mobile device and the identity service provider's cloud server. When the user signs in to a site enabled with the identity provider's software, she must use digital signatures from at least two of these keys to log in. From the user's point of view, it's simple -- done with a click, says Steve Kirsch, founder and CTO of OneID, an identity provider. Another positive is that the relying parties aren't maintaining central repositories for the bad guys to steal from, Kirsch says.

factoid: 6 in 10 computer users reuse passwords across the WebThis system doesn't pose an in-band problem because it uses encryption and because all of the key information isn't located on the same device that the user is using to login. And if attackers were to steal the key information held in the server-side repository, they wouldn't be able to commit a mass breach because they wouldn't have the key information that each individual user holds. This model doesn't stop a motivated attacker from potentially breaking it on a case-by-case basis, but it's the difference between "retail hacking and wholesale hacking," says Jon Callas, co-founder of encrypted mobile communications vendor Silent Circle.

Biometric applications incorporated into mobile devices also have potential as authentication mechanisms of the future. Online companies could find ways to use smartphones equipped with cameras, microphones and even built-in fingerprint readers to authenticate accounts. It will depend on how well these methods are deployed within a wider authentication framework, because consumer device providers will have to enable federated authentication protocols, says Darren Platt, CTO of cloud identity provider Symplified. Done right, this would let carriers provide authentication to third-party apps and services, including e-commerce websites and financial services providers, he says.

chart: Preferred Credentialing: How do you prefer to manage a multipurpose identity credential?

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Previous
4 of 6
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Ninja
5/21/2013 | 12:41:17 PM
re: The Future Of Web Authentication
"nobody knows you're a dog"
the other 'Net quip is that the Internet is a Fools' Paradise
perhaps so, but that aside there are a lot of not so nice folks out on the net. which is why it is essential to remain anonymous unless the connection has a legitimate need for a real ID such as online shopping.

and NO advertising sites do not fall in that category.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0360
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

CVE-2012-1317
Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

CVE-2012-1366
Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

CVE-2012-3062
Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

CVE-2012-3918
Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web