EXECUTIVE BRIEF
A Better Method of Authentication
An Osterman Research Executive Brief
Published June 2012
Osterman Research, Inc.
P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA
Tel: +1 253 630 5839 • Fax: +1 253 458 0934 • info@ostermanresearch.com
www.ostermanresearch.com • twitter.com/mosterman
EXECUTIVE SUMMARY
Conventional authentication using passwords based on alphanumeric characters and
punctuation is fraught with difficulties and security risks:
• Users often will write down passwords and/or use the same password on
multiple systems, increasing the risk to corporate application and data security.
• When left to determine their own level of password strength, users often will opt
for short or simple passwords that are easy to remember, increasing the
likelihood that systems can be hacked.
• Users forget passwords, prompting them to call a help desk or use password-
reset systems, which can increase support costs and reduce user productivity.
• The Bring-Your-Own-Device (BYOD) phenomenon is making the problem worse
because IT has even less control over access to corporate systems and data –
and the authentication methods used to access them.
Organizations need highly secure authentication under IT’s control, coupled with an
access method that is very easy for users – especially users on mobile devices. This
brief discusses the problem with current authentication systems and offers an
overview of a more advanced and more secure system of authentication.
THE NEED FOR IMPROVED AUTHENTICATION
TRADITIONAL AUTHENTICATION WORKS REASONABLY WELL
FOR TRADITIONAL SYSTEMS
The wide range of authentication methods currently used in most organizations runs
the gamut from simple, inexpensive and relatively insecure to complex, expensive
and highly secure:
• Usernames and passwords are the most common approach and often used for
relatively low-security systems. Although inexpensive to deploy and familiar for
users, this method provides a fairly low level of security.
• Challenge/response systems that require answers to security questions that have
been previously populated in the system are often used as a second layer of
authentication or for a higher level of access.
• Even more secure systems may use one-time password tokens, out-of-band
authentication, seals, and certificate-based authentication.
• The highest security solutions may employ multiple factor or biometric
authentication, such as a user’s fingerprint, face, iris, or some other physical
attribute to grant access.
The level of security that an organization selects for a particular system or application
will depend on several factors, including the sensitivity or confidentiality of the data
being accessed, the trustworthiness of the individual accessing the information, the
venue from which the accessor is attempting to enter the system, the device from
which the user is accessing a system, and other factors.
For traditional access of a corporate system from a desktop or laptop computer from
behind a corporate firewall using a standard keyboard, these access methods work
reasonably well.
©2012 Osterman Research, Inc. 1
EVEN SO, THERE ARE PROBLEMS
Despite the relative ease with which users can access traditional systems using these
authentication methods, there are problems with them:
• Users often forget passwords and need to contact a help desk or automated
system for a password reset, which increases support costs within the
organization.
• Users will typically employ the same passwords on multiple systems so they do
not have to remember a unique username/password combination for each
system they access, thereby degrading the overall security of access to corporate
data.
• Users will often remain permanently logged in to various systems to avoid the
difficulties associated with traditional login procedures.
• Many users write down passwords because they are too difficult or too numerous
to remember.
• Static, text passwords are susceptible to keylogger malware and dictionary style
brute-force attacks.
• Finally, a perennial problem is that users employ passwords that are far too
simple so that they can remember them more easily, making life for hackers that
much less difficult.
DATA BREACHES ARE A SERIOUS PROBLEM
There have been numerous data breaches in which usernames and passwords have
been stolen. According to the 2011 Data Breach Investigations Report by the US
Secret Service and Verizon, the exploitation of default or guessable authentication
credentials is one of the most common causes of corporate data breaches and was a
factor in nearly 35% of the data breaches investigated in the report [i]. For example,
LinkedIn suffered a breach of 6.5 million passwords in mid-2012, hackers
compromised the account credentials and information for 24 million Zappos
customers in early 2012 [ii], and in mid-2011 Sony suffered a leak of more than 100
million user passwords and account information in a series of data breaches. It’s
estimated that the data breach cost Sony at least $171 million to clean up and users
did not have access to their accounts for more than one month.
The Sony password breach, in particular, underscored one of the fundamental
problems with a large proportion of current login credentials: weak passwords that
are easy for hackers to guess. For example, an analysis of the Sony breach [iii] revealed
that among the most commonly used passwords were “123456”, “password”,
“seinfeld”, “winner” and “michael”. Moreover, the analysis found that some of the
breached passwords had as few as four characters, with the two most common
password lengths being six and eight characters.
THE PROBLEMS ARE MUCH WORSE FOR MOBILE DEVICES
Although users of traditional authentication find passwords to be a burden when
using desktop computers or laptops, the problems are much worse for mobile users.
Entering long strings of text and numbers using a mobile keyboard is not easy,
particularly when a combination of upper and lower case characters must be entered.
When “strong” passwords are required – involving eight or more characters including
upper and lower case letters, numbers and symbols – the problems for mobile users
multiply, including mistakes entering characters that may lock users out after a
limited number of retries. When authentication becomes too burdensome, users opt
instead for weak passwords or they leave their devices permanently logged in, which
puts data security at risk.
The BYOD phenomenon that is prevalent in just about every organization today is
exacerbating the problem. Because users often employ their own devices to access
corporate data, IT has less control over the devices and, in some cases, the
authentication methods that are used for access. Among the problems introduced by
the BYOD phenomenon are:
• Few users – only about 30% according to a Sophos study [iv] – employ passwords
on their mobile devices because typing multiple, non-alphanumeric characters on
a miniature keyboard introduces yet another difficulty when using the device.
• A large number of mobile devices are lost or stolen – two million per year
according to one source [v]. Adding to the problem of lost devices is the propensity
of those who find lost devices to search through them. For example, the
Symantec Smartphone Honey Stick Project found that when a phone is lost, 89%
of those recovering it will search through the phone for the owner’s personal
information [vi].
• Tablets, in particular, represent another problem because these devices are
increasingly becoming multi-user devices, often shared among the employee’s
family members. This emphasizes the critical importance of protecting corporate
applications or data using password protection to ensure that family members do
not inadvertently access, delete or modify important information or unknowingly
introduce spyware or key loggers onto the device.
THE RISKS OF POOR AUTHENTICATION ARE SIGNIFICANT
Cumbersome authentication methods for mobile access tempt users to choose weak
passwords or stay logged into corporate systems. This creates some potentially
serious consequences, including a greater likelihood of losing intellectual property if
someone loses a device or if a hacker can determine one’s username/password
combination. Data breaches can also result, triggering expensive mitigation efforts
as a result of statutory notification requirements: 46 of the 50 US states now have
data breach notification laws that require notification of affected parties in the event
personal data is lost or stolen.
A NEW APPROACH TO AUTHENTICATION
Organizations need a better way to authenticate users to corporate systems and
applications in order to protect against the problems discussed above. They need an
approach that is much easier for users to remember than traditional passwords, and
easier to enter on mobile devices, one that is inherently more secure than text
passwords, and one that will motivate users to follow best practices for strong
authentication on every device and for every application.
One way to do this is to use dynamic, image-based authentication instead of static
alphanumeric characters. Confident Technologies offers a unique authentication
technology in which users pre-select authorization categories that will be used to
generate a one-time password. For example, a user may select “dogs”, “fish” and
“cars” as the categories they will have to identify. When a user needs to authenticate
– on a mobile phone, in a desktop application or on an iPad, for example – a
randomly generated grid of images is presented to the user. The user simply selects
the appropriate images that correspond to his or her pre-determined categories,
which only he or she knows, and access is granted as if a conventional password had
been entered. The specific pictures presented to the user are different every time,
which allows the technology to create a unique, one-time access code. Although the
pictures are different every time, the user will always look for their same categories
(dogs, fish and cars, in this example).
THE BENEFITS OF USING IMAGES
Using dynamic, image-based authentication offers a number of advantages over the
use of conventional passwords:
• Because humans think in pictures, it is far easier for people to remember
categories and recognize images than remember passwords, particularly complex
passwords consisting of long strings of alphanumeric characters and symbols.
For example, one study [vii] found that image-based authentication resulted in
100% recall even after 16 weeks, compared to lower recall for Personal
Identification Numbers (PINs) or passwords after the same length of time. This
reduces password resets and eliminates the motivation for people to choose
weak passwords or use the same password on multiple systems.
• When users are presented with a grid of images, the display can jog users’
memories of which categories they initially selected as their authentication
categories. In essence, the authentication secret is hidden in plain sight and
only the user knows how to recognize it.
• Authentication using images is much easier than entering characters on a mobile
device keyboard, particularly a smartphone. With images, the user can simply
tap a few pictures – no need to type on a tiny keypad or switch back and forth
among multiple keypads.
• The level of authentication required can easily be matched to the security or
sensitivity of the application or data being accessed without the problems
inherent in making users remember multiple passwords. For example, a system
or data repository that requires minimal security might present a user with a grid
of nine images from which he or she must identify two of their predetermined
categories. A more secure system might require the user to identify three of
their categories on a grid of 16 images, while a highly secure system might
require identification of four categories on a grid of 25 images.
• An image-based authentication system is more resistant against dictionary
attacks and keystroke-logging malware. Because the specific images and their
location on the grid are different each time, keystroke-logging malware is not
useful to potential hackers, and because text passwords are not used, dictionary
attacks simply don’t apply.
• The creation of a one-time password – more difficult in conventional password
schemes, but much easier with an image-based system – provides a greater level
of security than any static password.
• As with conventional authentication systems, a lockout feature can be enabled if
the user enters the wrong images in a certain number of attempts. A
“KillSwitch” feature can also be enabled, where a user can designate a specific
image category as an automatic lockout. If a hacker or a bot selects an image
associated with the KillSwitch category, the account would be immediately locked
and/or it would trigger a security alert. These features prevent brute-force
attacks and can dramatically reduce the impact of losing a mobile device or
having an unauthorized user attempt to hack into the corporate network to steal
data.
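To make the mechanism described under “A New Approach to Authentication” and in the benefits list above concrete, the following Python model is an added example for this brief; it is not Confident Technologies’ code and does not describe their product internals. It models the server side of a category-based image challenge: the user enrolls categories (dogs, fish and cars, as in the brief), each challenge requires a subset of them, the grid is filled with one image per category and shuffled, a challenge is accepted once only, a failure counter triggers lockout, and a designated KillSwitch category locks the account immediately and raises an alert. The category list, image identifiers, the three grid tiers (9/2, 16/3, 25/4 taken from the brief) and the choice to plant the KillSwitch category in every grid are constructed or assumed for the example; `guess_probability` computes the per-attempt chance of a random guess for each tier.

```python
"""Toy server-side model of category-based image authentication.
Added example: not Confident Technologies' code. Categories, image ids and the
kill-switch placement are constructed or assumed; tier sizes come from the brief."""
import math
import random
from dataclasses import dataclass, field
from typing import Optional

# Constructed image library: each category has a few interchangeable images.
CATEGORIES = [
    "dogs", "fish", "cars", "trees", "boats", "birds", "flowers", "houses", "planes",
    "clocks", "shoes", "hats", "bikes", "cats", "horses", "apples", "chairs", "lamps",
    "books", "cups", "keys", "balls", "drums", "kites", "stars",
]
IMAGE_LIBRARY = {c: [f"{c}-{i}" for i in range(1, 4)] for c in CATEGORIES}

# Security tiers quoted in the brief: (grid size, categories to identify).
TIERS = {"minimal": (9, 2), "moderate": (16, 3), "high": (25, 4)}


def guess_probability(grid_size: int, k: int) -> float:
    """Chance that one random set of k taps on a grid of grid_size images
    (one image per category, tap order ignored) is accepted."""
    return 1.0 / math.comb(grid_size, k)


@dataclass
class Account:
    secret_categories: frozenset            # enrolled categories, e.g. dogs/fish/cars
    killswitch: Optional[str] = None        # tripwire category (assumed design)
    max_failures: int = 3
    failures: int = 0
    locked: bool = False
    alerts: list = field(default_factory=list)


@dataclass
class Challenge:
    challenge_id: int
    required: frozenset                     # categories the user must find this time
    cells: list                             # [(category, image_id)] in display order
    used: bool = False                      # valid for exactly one attempt

    def images(self) -> list:
        """What the client receives: image ids only; category labels stay server-side."""
        return [img for _, img in self.cells]


def positions_for(ch: Challenge, secret_categories) -> list:
    """What a legitimate user does by eye: tap every image that belongs to one of
    their categories. Used here only to simulate the client side."""
    return [i for i, (cat, _) in enumerate(ch.cells) if cat in secret_categories]


class ImageAuthServer:
    def __init__(self, tier: str, rng: Optional[random.Random] = None):
        self.grid_size, self.k = TIERS[tier]
        self.rng = rng or random.SystemRandom()
        self._next_id = 1
        self._open: dict = {}

    def new_challenge(self, acct: Account) -> Challenge:
        # Require k of the enrolled categories, plant the kill-switch category as a
        # tripwire (assumed design), fill the rest with random distractor categories,
        # then pick a fresh image for every category and shuffle the positions.
        required = frozenset(self.rng.sample(sorted(acct.secret_categories), self.k))
        fixed = set(required) | ({acct.killswitch} if acct.killswitch else set())
        pool = [c for c in CATEGORIES if c not in acct.secret_categories and c not in fixed]
        chosen = list(fixed) + self.rng.sample(pool, self.grid_size - len(fixed))
        cells = [(c, self.rng.choice(IMAGE_LIBRARY[c])) for c in chosen]
        self.rng.shuffle(cells)
        ch = Challenge(self._next_id, required, cells)
        self._next_id += 1
        self._open[ch.challenge_id] = ch
        return ch

    def verify(self, acct: Account, challenge_id: int, positions) -> bool:
        ch = self._open.pop(challenge_id, None)      # one-time: a replay finds nothing
        if ch is None or ch.used or acct.locked:
            return False
        ch.used = True
        taps = {p for p in positions if 0 <= p < len(ch.cells)}
        tapped = {ch.cells[p][0] for p in taps}
        if acct.killswitch and acct.killswitch in tapped:
            acct.locked = True                        # immediate lockout, no retry budget
            acct.alerts.append(f"kill-switch tapped on challenge {challenge_id}")
            return False
        if tapped == ch.required and len(taps) == self.k:
            acct.failures = 0
            return True
        acct.failures += 1
        if acct.failures >= acct.max_failures:
            acct.locked = True
            acct.alerts.append("locked after repeated failures")
        return False


if __name__ == "__main__":
    for name, (g, k) in TIERS.items():
        print(f"{name}: grid {g}, {k} taps -> 1 in {math.comb(g, k)} per guess")
    acct = Account(frozenset({"dogs", "fish", "cars"}), killswitch="stars")
    srv = ImageAuthServer("minimal")
    ch = srv.new_challenge(acct)
    print("client sees:", ch.images())
    print("accepted:", srv.verify(acct, ch.challenge_id, positions_for(ch, acct.secret_categories)))
```

Two points the model makes visible. First, the client only ever receives image identifiers; the category of each cell, the required subset and the KillSwitch position exist only in server state, and a challenge is consumed on first use, so a captured set of tap positions cannot be replayed against a later grid. Second, the per-attempt guessing odds for the three tiers work out to 1 in 36, 1 in 560 and 1 in 12,650 respectively, which is the range of a two- to four-digit PIN; the lockout counter and KillSwitch described above are therefore essential parts of the design rather than optional extras, and a deployment should log and alert on both.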
USE CASES
There are a number of use cases for image-based authentication of the type
discussed above. For example:
• Physicians and clinicians can use image-based authentication as a secondary
form of authentication for single sign-on systems when accessing patient records
or hospital records on their personal iPads or other mobile devices they bring into
the organization. This is much easier and faster than using passwords on mobile
devices and allows access to be compliant with the Health Insurance Portability
and Accountability Act (HIPAA). Because a physician or clinician may need to log
into patient or other records 50 or more times per day as they make their
rounds, the speed and convenience offered by image-based authentication is
very beneficial.
• Users who must access corporate systems frequently – salespeople, police
officers, warehouse managers, etc. – can use image-based authentication as
their primary authentication system, as a secondary method for single sign-on
systems, or as a means of easily regaining access to a system after it has timed
out.
• Corporate IT departments could partition employee-owned mobile devices in
order to separate corporate applications and data from personal apps and data,
granting access to the former using image-based authentication. This would
allow IT to manage access to the corporate partition and remotely wipe it if the
device was lost, eliminating most of the consequences of a data breach.
• The use of image-based authentication can be integrated with geolocation data,
triggering the use of an image grid for authentication only when a user was in an
insecure location, such as when accessing a corporate application via a public
Wi-Fi hotspot or elsewhere beyond the corporate firewall.
• Looking down the road a bit, image-based authentication could also be an
effective method of preventing unauthorized purchases from a mobile device
when used as an “e-wallet”, a practice increasingly common in Scandinavia and
elsewhere.
WHO SHOULD BE THINKING ABOUT THIS?
Better authentication benefits everyone:
• Users, who will find it easier to access corporate systems without having to
remember complicated, strong passwords; and who will be more motivated not
to bypass secure access to corporate systems and data.
• Their employers, who will run less risk of users bypassing authentication
methods for the sake of convenience or otherwise engaging in poor security
practices, such as choosing weak passwords, writing down passwords or using
the same password on multiple systems. Stronger authentication practices help
businesses to reduce the risk of security breaches, data loss, privacy violations,
etc.
• Mobile application developers, who can build greater security into their
applications without imposing burdensome authentication processes on end
users.
ABOUT CONFIDENT TECHNOLOGIES
Confident Technologies, Inc. provides intuitive and secure, image-based
authentication solutions for websites, Web applications, mobile applications and
mobile devices. The company’s image-based authentication solutions enable
organizations to increase security without sacrificing ease-of-use.
Using patented, image-based authentication technology, Confident Technologies
helps organizations:
• Improve the ease-of-use for user authentication on websites, applications and
enterprise systems.
• Protect confidential data and online accounts.
• Improve the customer's online experience, driving loyalty and increased revenue.
• Decrease IT costs and support costs related to authentication and password
issues.
• Meet compliance with regulatory requirements for strong authentication.
Image-based authentication can be used as a stand-alone replacement for traditional
authentication methods including passwords, tokens, smart cards and security
challenge questions. Confident Technologies' solutions can also be used in
conjunction with other authentication tools to provide a layer of strong,
multifactor authentication and out-of-band authentication.
© 2012 Osterman Research, Inc. All rights reserved.
No part of this document may be reproduced in any form by any means, nor may it be
distributed without the permission of Osterman Research, Inc., nor may it be resold or
distributed by any entity other than Osterman Research, Inc., without prior written authorization
of Osterman Research, Inc.
Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes
legal advice, nor shall this document or any software product or other offering referenced herein
serve as a substitute for the reader’s compliance with any laws (including but not limited to any
act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively,
“Laws”)) referenced in this document. If necessary, the reader should consult with competent
legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no
representation or warranty regarding the completeness or accuracy of the information contained
in this document.
THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR
IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE
ILLEGAL.
[i] http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf
[ii] http://www.usatoday.com/tech/news/story/2012-01-16/mark-smith-zappos-breach-tips/52593484/1
[iii] http://flowingdata.com/2011/06/13/analysis-of-passwords-in-sony-pictures-security-breach/
[iv] http://www.usatoday.com/tech/news/story/2012-03-22/lost-phones/53707448/1
[v] http://www.infosecisland.com/blogview/13078-The-Rise-of-Smartphones-and-Related-Security-Issues.html
[vi] http://www.symantec.com/content/en/us/about/presskits/b-symantec-smartphone-honey-stick-project.en-us.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2012Mar_worldwide_honeystick
[vii] http://www.netaro.info/~zetaka/publications/papers/awasee-UBICOMP2005.pdf