1208 wp-two-factor-and-swivel-whitepaper
  • 1. Two-Factor Authentication and Swivel

    Abstract

    This document looks at why the username and password are no longer sufficient for authentication and how the Swivel Secure authentication platform can provide a strong, cost-effective authentication solution that is easy to use and to manage.

    2012
  • 2. White Paper Heading 2

    Contents

    Introduction, p. 3
    Single-Factor Authentication, p. 4
    Threats against Usernames and Passwords, p. 4
    Malware Attack, p. 5
    Guess the Password, p. 5
    Steal the Password, p. 5
    Shoulder Surfing, p. 5
    Phishing, p. 5
    Dual-Factor Authentication, p. 6
    Attacks against Dual Factor Authentication, p. 6
    Steal the Token, p. 6
    Phishing, p. 6
    Dual-Factor Authentication and Swivel, p. 6
    Tokenless, p. 7
    One-Time Code Extraction, p. 7
    Attacks against Swivel, p. 8
    Stealing the token, p. 8
    Phishing, p. 8
    Conclusion, p. 9
  • 3. Introduction

    The increasing use of remote access and web-based commerce has increased the need for convenient, cost-effective, yet strong authentication models. Relying on a single factor of authentication, i.e. username and password, is no longer appropriate for many applications.

    This has led to the increasing use of multi-factor authentication, whereby authentication requires the user to know something (e.g. a password) and possess something (e.g. some form of authentication token).

    Swivel's approach to two-factor authentication has the advantage that the user does not need a dedicated authentication token. Add to this PINsafe, our patented one-time code extraction protocol, and Swivel can provide a strong, cost-effective authentication solution that is easy to use and to manage.
  • 4. Single-Factor Authentication

    When a user authenticates they need to present credentials to the authentication server. A credential may be based on:

    - Something they know, e.g. a password
    - Something they have, e.g. a security string provided by a token
    - Something they are, e.g. a fingerprint or retina scan

    Each one of these is a factor of authentication.

    In the early days of authentication (and in many systems still today) authentication is based upon just a single factor of authentication, specifically a combination of a username and a password (UNP). There is an increasing awareness that this is not sufficient for many systems. This realisation is showing itself not only in the increasing number of organizations that are moving to multi-factor authentication but also in more regulations and legislation that are mandating multi-factor authentication.

    There are three driving forces behind this. Firstly the increasing value of the systems being protected by authentication systems, secondly the increasing availability and variety of tools that can be used effectively against simple UNP authentication, and thirdly the increase in cybercrime.

    Threats against Usernames and Passwords

    One of the weaknesses of UNP is the fact that the password is static, i.e. it does not change from one authentication attempt to the next. Administrators may insist that passwords are changed every 3 months, or even every month; however that still gives an attacker a significant amount of time to aim at a stationary target.

    Another issue with passwords is that users and helpdesk administrators want them to be easy to remember but IT managers and security managers want them to be difficult to guess. These requirements tend to work against one another. It is much easier to remember words than it is a series of random characters, but it is much easier to guess a word than a series of random characters. In order to help themselves remember more complex passwords, users are more inclined to re-use the same password for different applications and interfaces.

    One final weakness of UNP as an authentication model stems from the fact that usernames and passwords have been around for so long. This means there are many software-based attacks out there that are, thanks to the internet, widely available.

    So what are the threats against username and password? The following list is not meant to be exhaustive; it focuses on technical attacks against the client rather than attacks against the server or social engineering based attacks such as con-tricks, blackmail etc.

  • 5. Malware Attack

    Deploy malicious code on the target's computer, for example a key logger that records a user's keystrokes. By looking at the details of the keys pressed the password can be determined: searching the log for a username, the password is likely to follow. Some software attacks are more sophisticated and look for specific actions before starting to log, e.g. accessing a banking URL. The static nature of passwords means that this form of attack can be very effective.

    Guess the Password

    There are a range of guessing attacks against passwords which are based on how much or how little information the attacker has about the target. At one extreme there is a brute force attack whereby an attacker just guesses different possibilities until they succeed; not very effective, but it can be used if the attacker can gain access to the file of encrypted passwords. Slightly more targeted is a dictionary attack, where rather than just guessing random values the attacker restricts the attack to words or phrases that are likely, as most people choose passwords that are words. Finally, if the attacker knows personal information about the target, they may try their favourite sports teams or their children's names as passwords. The need to make passwords memorable makes this kind of attack an option.

    Steal the Password

    One way of satisfying the IT security manager's insistence on a complicated password is to write it down somewhere; in an envelope in the desk drawer etc. Whereas this form of attack requires physical access, it is surprisingly common practice for people to write passwords down unencrypted.

    Shoulder Surfing

    To find out what someone's password is you just watch them type it in. This is another attack that requires physical access, but as passwords are static you have plenty of attempts at watching the user type in their password to manage to discern the whole thing. This form of attack has become more recognised since the use of Chip and PIN technology, with people being asked to hide their fingers as they type in their PIN.

    Phishing

    It is particularly difficult to defend against phishing attacks, partly because it is so easy to mount such an attack. You can get all the corporate imagery you need from the real website to build a mocked-up site, then you can mass email a mock email to any valid email address. The user goes to the mock site and enters their username and password. The attacker then has the password that they need and they can do what they will with it.
  • 6. Dual-Factor Authentication

    Adding another factor of authentication adds another task for the attacker to complete before their attack is successful. The basic model is that the token provides the user with a one-time code that they must enter in order to authenticate; the security string is dynamic in that it is different for each authentication. We can see that there are many and varied ways of gaining one factor, the password, but having succeeded in that, what does an attacker need to do in addition to succeed in defeating two-factor authentication systems?

    Attacks against Dual Factor Authentication

    There would appear to be two obvious approaches:

    Steal the Token

    An attacker may be lucky in that the token may be kept in the same drawer as the user's password! But clearly an attack that combines a software attack determining the password and physically obtaining the token could be a successful attack. The first element is straightforward, the second one less so; however in an e-commerce B2C scenario with many tokens being physically distributed, there may be vulnerabilities that could be exploited.

    Phishing

    Phishing can still have some success even against dual factor authentication, as the attacker obtains the user's password and one-time code and can therefore use those credentials to fraudulently authenticate as the user. Unlike the phishing attack for single factor this does not allow the attacker to steal the user's identity, as the user still has the token. This means the attacker cannot re-authenticate without re-phishing the required one-time code. It follows that a web application that requires repeated authentication provides a good defense against phishing attacks; for example a banking website that requires authentication for every monetary transaction.

    Dual-Factor Authentication and Swivel

    The Swivel authentication platform is a dual factor authentication solution with subtle but important differences. As with many dual factor authentication systems, Swivel sends a security string to the user that the user needs in order to authenticate, but security strings are sent to the user's mobile phone either in the form of a voice call, SMS or via a mobile app; therefore there is no need for dedicated security tokens.
  • 7. The received security string is not entered by the user; it is combined by the user with a PIN to extract the one-time code, which is then entered. The advantages of these differences are described below.

    Tokenless

    The fact that Swivel does not require a dedicated security token (it uses the mobile phone as a token) has a number of advantages.

    There is nothing that needs to be physically distributed; therefore you are not at the mercy of postal systems etc. to provision users. Users can be provisioned instantly.

    Just as importantly, there is nothing to physically reclaim once a user no longer requires access. This is particularly relevant where you have a population of users that has a high churn rate, such as an academic institution.

    People treat their mobile phone as something vital; they need it for business but also to keep in contact with their friends and families when they are at work. They are less likely to leave it behind, or leave it in a pocket of a garment destined for the laundry. They are also more likely to notice when they have lost it or it has been stolen.

    As Swivel reuses an existing device as a security token there is no additional cost. If someone loses or damages their mobile phone, a replacement is borne by the telecoms budget, not the security budget!

    One-Time Code Extraction

    The use of the Swivel one-time code extraction protocol means that both factors of authentication can be combined into a single credential. This means:

  • 8. - The user only needs a 4 digit one-time code to authenticate (Swivel can be configured to use PINs of 4 to 10 numbers long, and it can also be used in conjunction with a password).
    - As the PIN is never entered, the attacks described earlier, such as key loggers, cannot be used to ascertain one of the two factors of authentication.

    So the use of the Swivel Dual Factor solution makes some of the attacks discussed before even harder. There is no physical token to distribute, and the loss of a mobile phone is likely to be noticed and reported sooner than a security token. In the event that an attacker gains access to a mobile phone, security is still not compromised, as the attacker still needs the PIN, and the PIN cannot be ascertained by key-logging attacks as it is never entered by the user.

    Attacks against Swivel

    Stealing the token

    In the Swivel example this attack still leaves the attacker the problem of the PIN; as the PIN is never entered it cannot be obtained via key logging type attacks.

    Phishing

    No authentication product is immune from attack. Forms of phishing attacks may have some success against Swivel; it is very difficult to stop users entering credentials onto a mock web site, as discussed before. Once entered, these valid credentials can be used by the attacker; as before this does not allow the attacker to steal the account, as they cannot re-authenticate without the mobile phone.

    A mock web site can send a user a false security string and, by examining the returned one-time code, ascertain the user's PIN. However this requires knowledge of the target's mobile phone number and the means to send an SMS. Once the PIN is known, physical access to the mobile phone is still required.
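    As an added example, not code from the white paper or from Swivel Secure, the following Python model shows the two mechanisms discussed above: the user combining a received security string with a PIN to extract a one-time code (One-Time Code Extraction), and a server that accepts each issued string only once, which is what makes a phished one-time code unusable a second time and lets an application demand a fresh code for every transaction (Dual-Factor Authentication). The extraction rule (a 10-digit security string, each PIN digit selecting one position, with 0 meaning position 10), the `Verifier` class, the user `alice` and her PIN are assumptions made for illustration, not the PINsafe specification.

```python
"""Toy model of one-time code extraction (added example; not Swivel's code).

Assumed extraction rule (an assumption for illustration, not the PINsafe
specification): the server sends a 10-digit security string; for each digit
of their PIN the user reads off the digit of the security string at that
position (1-based, with PIN digit 0 meaning position 10) and enters only the
resulting one-time code. The PIN itself is never typed.
"""
import hmac
import secrets
from typing import Dict, Optional

STRING_LENGTH = 10          # assumed length of a security string
PIN_MIN, PIN_MAX = 4, 10    # PIN lengths the white paper says Swivel supports


def new_security_string() -> str:
    """Random 10-digit string, freshly generated for every authentication."""
    return "".join(str(secrets.randbelow(10)) for _ in range(STRING_LENGTH))


def extract_one_time_code(security_string: str, pin: str) -> str:
    """The arithmetic the user does in their head: PIN digit -> position."""
    if len(security_string) != STRING_LENGTH or not security_string.isdigit():
        raise ValueError("security string must be 10 digits")
    code = []
    for digit in pin:
        position = int(digit)
        index = (position - 1) % STRING_LENGTH   # '0' selects position 10
        code.append(security_string[index])
    return "".join(code)


class Verifier:
    """Server side: enrols PINs, issues security strings, checks codes once."""

    def __init__(self) -> None:
        # Kept in clear here for the demo; the server must be able to compute
        # the expected code, so a real deployment protects this store at rest.
        self._pins: Dict[str, str] = {}
        # One outstanding security string per user; removed on first use.
        self._pending: Dict[str, str] = {}

    def enrol(self, username: str, pin: str) -> None:
        if not (pin.isascii() and pin.isdigit() and PIN_MIN <= len(pin) <= PIN_MAX):
            raise ValueError(f"PIN must be {PIN_MIN}-{PIN_MAX} digits")
        self._pins[username] = pin

    def issue(self, username: str, security_string: Optional[str] = None) -> str:
        """'Send' a security string to the user's phone (returned here for the demo).

        security_string may be supplied to make a run reproducible; normally
        it is freshly random. Call this again before every transaction that
        must be authenticated separately.
        """
        if username not in self._pins:
            raise KeyError(username)
        issued = security_string or new_security_string()
        self._pending[username] = issued
        return issued

    def verify(self, username: str, one_time_code: str) -> bool:
        """Accept a code only once per issued string, pass or fail."""
        issued = self._pending.pop(username, None)   # consumed either way
        if issued is None:
            return False        # nothing outstanding: replay or never issued
        if not (one_time_code.isascii() and one_time_code.isdigit()):
            return False
        expected = extract_one_time_code(issued, self._pins[username])
        return hmac.compare_digest(expected, one_time_code)


if __name__ == "__main__":
    # Constructed demo: 'alice', her PIN and the security string are made up.
    server = Verifier()
    server.enrol("alice", "1234")
    sent = server.issue("alice", security_string="2793478156")
    code = extract_one_time_code(sent, "1234")          # -> "2793"
    print("string sent:", sent, "code entered:", code)
    print("first use  :", server.verify("alice", code))   # True
    print("replay     :", server.verify("alice", code))   # False: string consumed
```

    Two design points follow from the text. First, `verify` pops the outstanding string before checking the code, so a phished code works at most once and a wrong guess also burns the string; an application that calls `issue` before each transaction gets the per-transaction defence the paper recommends. Second, anyone who sees both a security string and the matching code learns which positions the PIN selects, which is exactly the mock-site risk the paper describes and the reason the string must reach the user only over the out-of-band channel.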
  • 9. Conclusion

    Two-factor authentication is a much stronger form of authentication than single-factor. Swivel's implementation of two-factor authentication, with its unique one-time code extraction protocol and its use of the mobile phone as a security token, provides a number of advantages including increased strength of authentication and decreased running costs.