A Better Method of Authentication


Organizations need highly secure authentication under IT’s control, coupled with an access method that is very easy for users – especially users on mobile devices. This executive brief discusses the problems with current authentication systems and offers an overview of a more advanced and more secure system of authentication.


EXECUTIVE BRIEF

A Better Method of Authentication

A sponsored Osterman Research Executive Brief, published June 2012

Osterman Research, Inc. • P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA • Tel: +1 253 630 5839 • Fax: +1 253 458 0934
EXECUTIVE SUMMARY

Conventional authentication using passwords based on alphanumeric characters and punctuation is fraught with difficulties and security risks:

• Users often write down passwords and/or use the same password on multiple systems, increasing the risk to corporate application and data security.
• When left to determine their own level of password strength, users often opt for short or simple passwords that are easy to remember, increasing the likelihood that systems can be hacked.
• Users forget passwords, prompting them to call a help desk or use password-reset systems, which increases support costs and reduces user productivity.
• The Bring-Your-Own-Device (BYOD) phenomenon is making the problem worse, because IT has even less control over access to corporate systems and data, and over the authentication methods used to access them.

Organizations need highly secure authentication under IT's control, coupled with an access method that is very easy for users, especially users on mobile devices. This brief discusses the problems with current authentication systems and offers an overview of a more advanced and more secure system of authentication.

THE NEED FOR IMPROVED AUTHENTICATION

TRADITIONAL AUTHENTICATION WORKS REASONABLY WELL FOR TRADITIONAL SYSTEMS

The wide range of authentication methods currently used in most organizations runs the gamut from simple, inexpensive and relatively insecure to complex, expensive and highly secure:

• Usernames and passwords are the most common approach and are often used for relatively low-security systems. Although inexpensive to deploy and familiar to users, this method provides a fairly low level of security.
• Challenge/response systems that require answers to security questions previously populated in the system are often used as a second layer of authentication or for a higher level of access.
• Even more secure systems may use one-time password tokens, out-of-band authentication, seals, and certificate-based authentication.
• The highest security solutions may employ multi-factor or biometric authentication, such as a user's fingerprint, face, iris, or some other physical attribute, to grant access.

The level of security that an organization selects for a particular system or application will depend on several factors, including the sensitivity or confidentiality of the data being accessed, the trustworthiness of the individual accessing the information, the venue from which the accessor is attempting to enter the system, the device from which the user is accessing a system, and other factors.

For traditional access to a corporate system from a desktop or laptop computer behind a corporate firewall using a standard keyboard, these access methods work reasonably well.

©2012 Osterman Research, Inc.
EVEN SO, THERE ARE PROBLEMS

Despite the relative ease with which users can access traditional systems using these authentication methods, there are problems with them:

• Users often forget passwords and need to contact a help desk or automated system for a password reset, which increases support costs within the organization.
• Users typically employ the same passwords on multiple systems so that they do not have to remember a unique username/password combination for each system they access, degrading the overall security of access to corporate data.
• Users often remain permanently logged in to various systems to avoid the difficulties associated with traditional login procedures.
• Many users write down passwords because they are too difficult or too numerous to remember.
• Static text passwords are susceptible to keylogger malware and dictionary-style brute-force attacks.
• Finally, a perennial problem is that users employ passwords that are far too simple so that they can remember them more easily, making life for hackers that much less difficult.

DATA BREACHES ARE A SERIOUS PROBLEM

There have been numerous data breaches in which usernames and passwords have been stolen. According to the 2011 Data Breach Investigations Report by the US Secret Service and Verizon, the exploitation of default or guessable authentication credentials is one of the most common causes of corporate data breaches and was a factor in nearly 35% of the data breaches investigated in the report [i]. For example, LinkedIn suffered a breach of 6.5 million passwords in mid-2012, hackers compromised the account credentials and information of 24 million Zappos customers in early 2012 [ii], and in mid-2011 Sony suffered a leak of more than 100 million user passwords and account records in a series of data breaches.
It is estimated that the data breach cost Sony at least $171 million to clean up, and users did not have access to their accounts for more than one month.

The Sony password breach, in particular, underscored one of the fundamental problems with a large proportion of current login credentials: weak passwords that are easy for hackers to guess. For example, an analysis of the Sony breach [iii] revealed that among the most commonly used passwords were "123456", "password", "seinfeld", "winner" and "michael". Moreover, the analysis found that some of the breached passwords had as few as four characters, with the two most common password lengths being six and eight characters.

THE PROBLEMS ARE MUCH WORSE FOR MOBILE DEVICES

Although users of traditional authentication find passwords to be a burden when using desktop computers or laptops, the problems are much worse for mobile users. Entering long strings of text and numbers using a mobile keyboard is not easy, particularly when a combination of upper and lower case characters must be entered. When "strong" passwords are required (eight or more characters including upper and lower case letters, numbers and symbols), the problems for mobile users multiply, including mistakes entering characters that may lock users out after a limited number of retries. When authentication becomes too burdensome, users opt instead for weak passwords or they leave their devices permanently logged in, which puts data security at risk.
The BYOD phenomenon that is prevalent in just about every organization today is exacerbating the problem. Because users often employ their own devices to access corporate data, IT has less control over the devices and, in some cases, over the authentication methods that are used for access. Among the problems introduced by the BYOD phenomenon are:

• Few users (only about 30% according to a Sophos study [iv]) employ passwords on their mobile devices, because typing multiple non-alphanumeric characters on a miniature keyboard introduces yet another difficulty when using the device.
• A large number of mobile devices are lost or stolen: two million per year according to one source [v]. Adding to the problem of lost devices is the propensity of those who find lost devices to search through them. For example, the Symantec Smartphone Honey Stick Project found that when a phone is lost, 89% of those recovering it will search through the phone for the owner's personal information [vi].
• Tablets, in particular, represent another problem because these devices are increasingly becoming multi-user devices, often shared among the employee's family members. This emphasizes the critical importance of protecting corporate applications or data using password protection, to ensure that family members do not inadvertently access, delete or modify important information or unknowingly introduce spyware or key loggers onto the device.

THE RISKS OF POOR AUTHENTICATION ARE SIGNIFICANT

Cumbersome authentication methods for mobile access tempt users to choose weak passwords or to stay logged into corporate systems. This creates some potentially serious consequences, including a greater likelihood of losing intellectual property if someone loses a device or if a hacker can determine one's username/password combination.
Data breaches can also result, triggering expensive mitigation efforts as a result of statutory notification requirements: 46 of the 50 US states now have data breach notification laws that require notification of affected parties in the event personal data is lost or stolen.

A NEW APPROACH TO AUTHENTICATION

Organizations need a better way to authenticate users to corporate systems and applications in order to protect against the problems discussed above. They need an approach that is much easier for users to remember than traditional passwords and easier to enter on mobile devices; one that is inherently more secure than text passwords; and one that will motivate users to follow best practices for strong authentication on every device and for every application.

One way to do this is to use dynamic, image-based authentication instead of static alphanumeric characters. Confident Technologies offers a unique authentication technology in which users pre-select authorization categories that will be used to generate a one-time password. For example, a user may select "dogs", "fish" and "cars" as the categories they will have to identify. When a user needs to authenticate (on a mobile phone, in a desktop application or on an iPad, for example), a randomly generated grid of images is presented. The user simply selects the images that correspond to his or her pre-determined categories, which only he or she knows, and access is granted as if a conventional password had been entered. The specific pictures presented to the user are different every time, which allows the technology to create a unique, one-time access code.
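The login flow just described, as an added worked example; this is not Confident Technologies' code or material from the brief. A toy server enrols a user's secret categories, lays out a random grid that holds one image from each category the user must identify plus decoys, records which image ids are the targets, and checks the tapped set against that record. It also implements the lockout and KillSwitch features the brief describes under the benefits, and the three grid sizes (2 of 9, 3 of 16, 4 of 25) quoted there. The image library, category names, challenge-token format and three-attempt lockout threshold are assumptions for the example. The guess_probability function is the editor's own derivation from those grid sizes, assuming the server compares the tapped cells as an unordered set; it is the check a practitioner should run before choosing a tier, because it shows how much of the scheme's strength rests on single-use challenges, a low lockout threshold and the KillSwitch rather than on the grid alone.

```python
"""Toy model of category-based, one-time image-grid login.

Added example, not Confident Technologies' or Osterman Research's code. The image
library, category names, token format and lockout threshold are assumptions.
"""
import math
import secrets
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Constructed image library (image id -> category). A real deployment would hold
# many images per category so that a given picture rarely repeats on a grid.
IMAGE_LIBRARY: Dict[str, List[str]] = {
    cat: [f"{cat}-{i:02d}" for i in range(1, 7)]
    for cat in ("dogs", "fish", "cars", "trees", "boats", "birds", "clocks", "shoes")
}
CATEGORY_OF = {img: cat for cat, imgs in IMAGE_LIBRARY.items() for img in imgs}

# Security tiers quoted in the brief: (categories the user must identify, grid size).
TIERS = {"low": (2, 9), "medium": (3, 16), "high": (4, 25)}
MAX_FAILURES = 3  # assumed lockout threshold; the brief leaves the number to policy


@dataclass
class Account:
    categories: FrozenSet[str]          # secret categories chosen at enrolment
    killswitch: Optional[str] = None    # category that locks the account when tapped
    failures: int = 0
    locked: bool = False
    alerts: List[str] = field(default_factory=list)


@dataclass
class Challenge:
    token: str                  # single-use challenge id sent with the grid
    grid: List[str]             # image ids in display order: all the client sees
    targets: FrozenSet[str]     # image ids the user must tap: kept server-side only


PENDING: Dict[str, Challenge] = {}  # token -> challenge; a real service adds a TTL


def build_challenge(account: Account, tier: str, rng=None) -> Challenge:
    """Lay out a random grid holding one image from each category the user must
    identify, padded with decoys drawn from categories the user did not enrol."""
    if account.locked:
        raise PermissionError("account locked")
    rng = rng or secrets.SystemRandom()
    required, size = TIERS[tier]
    asked = rng.sample(sorted(account.categories), min(required, len(account.categories)))
    targets = [rng.choice(IMAGE_LIBRARY[c]) for c in asked]
    decoy_cats = [c for c in IMAGE_LIBRARY if c not in account.categories]
    decoys: List[str] = []
    if account.killswitch in decoy_cats:
        # Assumption: the trap image is always on the grid so a guessing bot can trip it.
        decoys.append(rng.choice(IMAGE_LIBRARY[account.killswitch]))
    pool = [img for c in decoy_cats for img in IMAGE_LIBRARY[c] if img not in decoys]
    decoys += rng.sample(pool, size - len(targets) - len(decoys))
    grid = targets + decoys
    rng.shuffle(grid)  # positions differ every time, so the tapped cells form a one-time code
    ch = Challenge(secrets.token_urlsafe(16), grid, frozenset(targets))
    PENDING[ch.token] = ch
    return ch


def verify(account: Account, token: str, selected) -> bool:
    """Check a submitted selection. The challenge is consumed on first use, so a
    captured selection cannot be replayed; each wrong answer counts toward lockout."""
    ch = PENDING.pop(token, None)
    if ch is None or account.locked:
        return False
    chosen = frozenset(selected)
    if not chosen <= set(ch.grid):
        return False  # ids that were never on this grid: malformed client, reject
    if account.killswitch and any(CATEGORY_OF[i] == account.killswitch for i in chosen):
        account.locked = True
        account.alerts.append(f"KillSwitch tripped on challenge {ch.token}")
        return False
    if chosen == ch.targets:
        account.failures = 0
        return True
    account.failures += 1
    if account.failures >= MAX_FAILURES:
        account.locked = True
        account.alerts.append("locked after repeated wrong selections")
    return False


def guess_probability(tier: str) -> float:
    """Chance that a blind guess of the right number of cells matches in one attempt,
    assuming an unordered comparison. Derived from the grid sizes the brief quotes."""
    required, size = TIERS[tier]
    return 1 / math.comb(size, required)
```

With three categories on a 16-image grid a blind guess succeeds about once in 560 attempts, with two on nine about once in 36, and with four on 25 about once in 12,650. Those odds are far below what a strong text password offers, which is why the example enforces single-use challenge tokens, a small lockout threshold and the KillSwitch on the server rather than treating them as optional extras. The category labels never leave the server: the client only ever receives image ids and their positions, which is what makes a keystroke logger useless against the scheme.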
Although the pictures are different every time, the user always looks for the same categories (dogs, fish and cars, in this example).

THE BENEFITS OF USING IMAGES

Using dynamic, image-based authentication offers a number of advantages over the use of conventional passwords:
• Because humans think in pictures, it is far easier for people to remember categories and recognize images than to remember passwords, particularly complex passwords consisting of long strings of alphanumeric characters and symbols. For example, one study [vii] found that image-based authentication resulted in 100% recall even after 16 weeks, compared to lower recall for Personal Identification Numbers (PINs) or passwords after the same length of time. This reduces password resets and removes the motivation for people to choose weak passwords or to use the same password on multiple systems.
• When users are presented with a grid of images, the display can jog their memories of which categories they initially selected as their authentication categories. In essence, the authentication secret is hidden in plain sight and only the user knows how to recognize it.
• Authentication using images is much easier than entering characters on a mobile device keyboard, particularly a smartphone. With images, the user can simply tap a few pictures; there is no need to type on a tiny keypad or switch back and forth among multiple keypads.
• The level of authentication required can easily be matched to the security or sensitivity of the application or data being accessed, without the problems inherent in making users remember multiple passwords. For example, a system or data repository that requires minimal security might present a user with a grid of nine images from which he or she must identify two of their predetermined categories. A more secure system might require the user to identify three of their categories on a grid of 16 images, while a highly secure system might require identification of four categories on a grid of 25 images.
• An image-based authentication system is more resistant to dictionary attacks and keystroke-logging malware.
Because the specific images and their locations on the grid are different each time, keystroke-logging malware is not useful to potential hackers, and because text passwords are not used, dictionary attacks simply do not apply.
• The creation of a one-time password, difficult in conventional password schemes but much easier with an image-based system, provides a greater level of security than any static password.
• As with conventional authentication systems, a lockout feature can be enabled if the user enters the wrong images in a certain number of attempts. A "KillSwitch" feature can also be enabled, where a user designates a specific image category as an automatic lockout. If a hacker or a bot selects an image associated with the KillSwitch category, the account is immediately locked and/or a security alert is triggered. These features prevent brute-force attacks and can dramatically reduce the impact of losing a mobile device or of an unauthorized user attempting to break into the corporate network to steal data.

USE CASES

There are a number of use cases for image-based authentication of the type discussed above. For example:

• Physicians and clinicians can use image-based authentication as a secondary form of authentication for single sign-on systems when accessing patient or hospital records on their personal iPads or other mobile devices they bring into the organization. This is much easier and faster than using passwords on mobile devices and allows access to be compliant with the Health Insurance Portability and Accountability Act (HIPAA). Because a physician or clinician may need to log into patient or other records 50 or more times per day while making rounds, the speed and convenience offered by image-based authentication is very beneficial.
• Users who must access corporate systems frequently (salespeople, police officers, warehouse managers, etc.) can use image-based authentication as their primary authentication system, as a secondary method for single sign-on systems, or as a means of easily regaining access to a system after it has timed out.
• Corporate IT departments could partition employee-owned mobile devices in order to separate corporate applications and data from personal apps and data, granting access to the former using image-based authentication. This would allow IT to manage access to the corporate partition and remotely wipe it if the device is lost, eliminating most of the consequences of a data breach.
• The use of image-based authentication can be integrated with geolocation data, triggering the use of an image grid for authentication only when a user is in an insecure location, such as when accessing a corporate application via a public Wi-Fi hotspot or elsewhere beyond the corporate firewall.
• Looking down the road a bit, image-based authentication could also be an effective method of preventing unauthorized purchases from a mobile device used as an "e-wallet", a practice increasingly common in Scandinavia and elsewhere.

WHO SHOULD BE THINKING ABOUT THIS?

Better authentication benefits everyone:

• Users, who will find it easier to access corporate systems without having to remember complicated, strong passwords, and who will be more motivated not to bypass secure access to corporate systems and data.
• Their employers, who will run less risk of users bypassing authentication methods for the sake of convenience or otherwise engaging in poor security practices, such as choosing weak passwords, writing down passwords or using the same password on multiple systems.
Stronger authentication practices help businesses to reduce the risk of security breaches, data loss, privacy violations, etc.
• Mobile application developers, who can build greater security into their applications without imposing burdensome authentication processes on end users.

ABOUT CONFIDENT TECHNOLOGIES

Confident Technologies, Inc. provides intuitive and secure, image-based authentication solutions for websites, Web applications, mobile applications and mobile devices. The company's image-based authentication solutions enable organizations to increase security without sacrificing ease of use.

Using patented, image-based authentication technology, Confident Technologies helps organizations:

• Improve the ease of use of user authentication on websites, applications and enterprise systems.
• Protect confidential data and online accounts.
• Improve the customer's online experience, driving loyalty and increased revenue.
• Decrease IT costs and support costs related to authentication and password issues.
• Meet compliance with regulatory requirements for strong authentication.

Image-based authentication can be used as a stand-alone replacement for traditional authentication methods, including passwords, tokens, smart cards and security challenge questions. Confident Technologies solutions can also be used in conjunction with other authentication tools to provide a layer of strong, multifactor authentication and out-of-band authentication.

© 2012 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader's compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, "Laws")) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document.

THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.
ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.

References

[i] 2011_en_xg.pdf
[ii] breach-tips/52593484/1
[iii] Related-Security-Issues.html
[vi] honey-stick-project.en-us.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2012Mar_worldwide_honeystick
[vii]