WHITE PAPER

Securing corporate assets with two factor authentication

Published July 2012
Introduction

Organizations require users to enter their username and password in order to validate their identity. However, with the proliferation of applications, websites and services that require authentication, users are under increasing pressure to maintain their passwords, and it has become clear that the simple password scheme is no longer sufficient. In fact there are multiple high-profile cases where passwords have failed both the users and the organizations that provide services, leading to identity theft and data loss. The impact of such breaches is more costly than ever, with financial penalties associated with breaches of regulatory compliance and the impact of lost business and loss of confidence.

This white paper will explore how two-factor authentication can be considered as an alternative to provide secure authentication in order to resolve the risks of unauthorized access to corporate resources.

Why static passwords are insufficient - “My password is 1234, and I wrote it down”

Passwords have long been used as a way to authenticate users and provide them services. They rely on the simple fact that only the user knows the password and no one else does. This was initially perceived as an effective solution, but with the proliferation of systems and resources that require password entry prior to access, the model breaks down in a number of ways.

Written down passwords

Human memory is known to fail. If a user forgets their password, they typically have to call the IT helpdesk, or reset the password, before access is granted again. Since this disrupts a user's workflow, many users write down passwords and often leave them next to their place of work, in their laptop bag, or on their laptop! This is a clear security risk, as anyone with physical access to the office cube or laptop has complete and unauthorized access.
A recent survey carried out amongst IT professionals confirmed that 29% of respondents knew a colleague's password details.

The risk presented by written down passwords is even greater when considered in the context of the volume of connected devices that are lost every day. Surveys suggest that as many as 15,000 laptops are misplaced at airports in Europe and the USA every week. If any of these have an accompanying post-it note with a password attached, then no amount of security can protect the organization from loss.

Sharing of passwords with websites

Since users have to remember so many passwords, they tend to create a standard password and re-use it in multiple places. This means that if the password is compromised in one place, the hacker has access to multiple sites and services.

Replay attacks

Even if the user is extremely careful with their passwords, static passwords are vulnerable to replay attacks. After the user enters the password on a site or application, it has to be sent to an authentication server for validation. An intruder can intercept this session or transmission and replay it later on to gain unauthorized access.

Sidebar: Authentication vs. Authorization

Authentication and authorization are often, and mistakenly, used interchangeably. Authentication is the process of verifying that “you are who you say you are”, while authorization is the process of verifying that “you are permitted to do what you are trying to do”. Authentication precedes authorization.
Social Engineering and Phishing

Criminals have used deception for millennia in order to extract confidential information from others. Deception can include face-to-face diversion tactics and behavioral manipulation, but in the computing age it can also be carried out without the need for in-person interaction. Phishing attacks are extremely common and are a source of significant data theft. In a phishing attack, the phisher will send an email that appears to come from a legitimate source, such as a bank, requesting the recipient to log in to their account or to verify their account details. The email directs the user to a fraudulent website where account details are captured and can be used to commit fraud.

With the evolving complexity and intelligence of fraudulent attacks, the increase in the number of systems requiring password access, and the fact that users will address this by standardizing their passwords and will then write them down, how can organizations protect themselves against such a broad range of issues that can result in attacks on their systems?

Introducing two-factor authentication

Authentication based on passwords is based on what a user knows. It is reasonable to augment security by enhancing it with what a user has. This simple concept is the basis of two-factor authentication.

• What you know – a password or Personal Identification Number (PIN)
• What you have – a unique physical characteristic, or device, that only the user has access to

With such a scheme, even if a user's password or PIN is compromised, the attacker will not be able to gain access to the site or service, since they don't possess the second factor required in order to gain access. Conversely, if the attacker gains access to the device that provides the second factor of authentication, they won't know the user's password or PIN.

ATM or debit cards are the most common example of two-factor authentication.
If the card is ever lost or stolen, it still can't be used without the PIN. Even if an unauthorized user knows the PIN of the bank account, they will still not be able to withdraw money, since they don't have the actual ATM card. One is rendered useless without the other.

One Time Passwords

ATM cards provide two-factor authentication in the tightly controlled environment of ATM machines, where each machine is equipped with a special card reader. It is not feasible to equip every laptop, desktop or tablet with a special device to read a card. That would be cost-prohibitive, time-consuming and extremely impractical.

To provide two-factor authentication for computer services and sites, users rely on a One Time Password that is generated on a device that is uniquely assigned to a user. One Time Passwords (OTP) provide security in a number of ways.

Always Changing

The OTP changes after a fixed interval of time, commonly every 60 seconds. Even if an unauthorized user noted the OTP, they won't be able to use it, since it would have changed for the next session.
Tied to a device

OTPs are generated using a seed that is uniquely associated with a device. Thus, every user's OTP will be different. Since the device is assigned to a user, the OTP uniquely authenticates a user.

Sidebar: About Celestix HOTPin

…and a PC desktop client. By leveraging smart devices or text messaging, the OTP is delivered ‘on demand’ to the user. And, of course, HOTPin easily integrates with AD.

Security for IT and users

DirectAccess with HOTPin is actually a security tool masquerading as a user convenience tool, a functional duality that, in other solutions, usually results in a trade-off.

Form Factors for OTP delivery

One Time Passwords can be delivered to end users via a variety of methods, each with their own pros and cons.

Hardware Tokens

Hardware tokens, also commonly referred to as authentication tokens, are pocket-sized, battery-operated devices which are dedicated to generating OTPs. This is the oldest method of generating OTPs. However, they come with their own set of problems. For remote users, the devices need to be shipped to their site, increasing costs. The battery life of these devices is approximately three years. After that, the devices have to be replaced. Larger organizations usually have to maintain stock for devices that need to be replaced or are lost.

A subtle but important problem is that if these devices are lost or stolen, the user might not notice for a few days. That gives an attacker a window of opportunity.

Software Token

With the increasing popularity of smart phones, users expect not to carry a dedicated device for generating OTPs. Fortunately, smart phones can be leveraged to generate the OTP.

Software tokens, or soft tokens, vastly increase the convenience for end users.
If the smart phone is ever lost, the end user will most likely notice much more quickly than with a hardware token.

Some software token apps, such as those from Celestix, can be configured to require a PIN before displaying the OTP, further enhancing security.

OTPs through text messages / emails

One Time Passwords can also be delivered through a text message. This method is convenient for users who might not have smart phones but still don't want to carry a dedicated device. Receiving the OTP through text messaging means it is completely separated from regular authentication channels, or Out of Band (OOB), increasing security.

OTPs can also be sent via email. So if users have access to email on their phones, they can opt to receive OTPs via email.