Traditionally, we have logged into online systems using a username and password. These credentials are often compromised, however, when the databases containing them are breached or when we are tricked into providing them to fraudulent individuals or websites (often through phishing or other social engineering attacks). Once these credentials are compromised, attackers can use them to log into the associated online services. Even worse, because people often reuse their usernames and passwords, the attackers can access multiple services.
In order to better verify that it is actually you submitting the username and password, organizations are increasingly turning to multi-factor authentication (MFA). MFA requires you to present multiple types of authenticating information, such as a username and password along with a unique code displayed on a token or smartphone. MFA can stymie attempts to log into a service by guessing your password or by using stolen usernames and passwords. A related, less powerful technique is two-step verification, which requires two pieces of information of the same kind of factor (for example, two things that you know), whereas MFA requires factors of different types.
The ‘factors’ most typically used for authentication include something that you know (knowledge, e.g., a PIN or password), something you have (hardware or software, e.g., RSA token or Google Authenticator application), and something that you are (biometric, e.g., fingerprint or iris scan). These factors are often required in addition to the traditional usernames and passwords.
By requiring you to present multiple factors, service providers try to limit the likelihood of other persons or parties accessing the service without your consent. This is based on the assumption that although an attacker may be able to obtain and present one factor, they are less likely to be able to present all of the required factors.
Something That You Know
Knowledge-based authentication requires that you possess (and present) either static or dynamic private information. Static authentication can include a username and password or some unique personal information that is often used in account recovery questions, such as your mother’s maiden name, your favorite pizza toppings, or the name of your first pet.
Dynamic knowledge-based authentication entails providing information concerning past use of the service. As an example, banks can use dynamic authentication by asking you to list your most recent purchases. This type of authentication works when there is an ongoing and persistent relationship between you and the service provider.
Services can also transmit temporary, one-time codes by sending an email, SMS text message, or phone call to a smartphone you have registered with the service. Only after inputting this time-sensitive code would you gain access to the requested service.
Something That You Have
Device-based authentication comes in two dominant flavours: dedicated hardware tokens or software applications installed on smartphones. Dedicated tokens often appear as key fobs that display pseudo-random numbers that change periodically (e.g., the RSA SecurID token). The key fobs contain an algorithm and a ‘seed record’ that is used to calculate a pseudo-random number. You enter this unique number and the service you are accessing confirms that the entered numbers correspond with the expected input. More recent hardware tokens involve inserting the token into or putting it near a computing device and tapping a button. In some sectors, such as banking, a hardware token might be an ATM card or smartcard.
Software-based authentication, on the other hand, is usually done with applications installed on smartphones, and a well-known example is the Google Authenticator app. Rather than carrying a separate piece of hardware, such as a key fob, the smartphone application calculates the pseudo-random numbers from the ‘seed record,’ along with the smartphone’s clock and an algorithm included in the application.
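As an added illustration that is not part of the original article, the following Python implements the scheme that authenticator apps and many key fobs actually use (TOTP, RFC 6238, built on HOTP, RFC 4226): the token side derives the code from the seed record and the clock, and the service side checks it while tolerating small clock drift and refusing replayed codes. The seed is the published RFC test vector, not a real secret.

```python
import hmac
import hashlib
import struct
import time

# Seed from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# In a deployment this is the per-token 'seed record' shared between token and service.
TEST_SEED = b"12345678901234567890"
STEP_SECONDS = 30  # RFC 6238 default time step


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP whose counter is the number of time steps since the Unix epoch.
    This is what the key fob or authenticator app computes from seed + clock."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, submitted: str, unix_time: int, last_used_counter: int,
                digits: int = 6, step: int = STEP_SECONDS, skew_steps: int = 1):
    """Service-side check of a submitted code.

    Accepts the current step and +/- skew_steps neighbours to tolerate clock drift,
    rejects any counter at or below the last accepted one so a captured code cannot
    be replayed, and compares in constant time. Returns (accepted, counter_to_record);
    the caller must persist the returned counter per user."""
    current = unix_time // step
    for candidate in range(current - skew_steps, current + skew_steps + 1):
        if candidate <= last_used_counter:
            continue  # already consumed (or older): replay attempt or stale code
        expected = hotp(seed, candidate, digits)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return True, candidate
    return False, last_used_counter


if __name__ == "__main__":
    now = int(time.time())
    code = totp(TEST_SEED, now)
    print("current code:", code, "->", verify_totp(TEST_SEED, code, now, -1))
```

Because the counter is derived from wall-clock time, a token whose clock drifts more than `skew_steps` steps from the service's clock will be rejected until it is resynchronised.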
Something That You Are
Biometric-based authentication requires you to register a biometric characteristic that is subsequently presented to access a given service. For example, you might register your fingerprints with your smartphone operating system such as Apple’s iOS or Google’s Android.
In some instances, biometric systems will be used to access a single service or site, such as a secured building. In other cases, you may register your biometrics with a service platform that will use the captured biometric to authenticate you to a variety of applications.
Once the biometric has been registered, you are asked to present your biometric, for example, by pressing the Home button to access Touch ID. This biometric is compared to the one you registered earlier to rapidly sign into your applications or to authorize purchases.
Other Methods of Authentication
Two additional types of authentication are worth noting. With proximity-based authentication you carry a token that enables automatic access to a device when the token and device are close to one another. As an example, once you have authenticated yourself to your smartphone or smartwatch, the presence of either the phone or the watch may be sufficient to automatically log you into your computer.
With context-based authentication, your current behaviour and habits are examined and compared with your known or expected behaviour. When the behaviour significantly deviates from that which is expected, you will be challenged to present other credentials. Banks sometimes use this method to present challenge questions when people attempt to access their accounts from a different computer than the one they usually use or from a different geographic location.
Limitations of Multi-Factor Authentication
Some authentication factors are less effective than others and perhaps should be avoided altogether. As an example, common knowledge-based questions, such as a mother's maiden name, are used by many services, their answers may be guessable from other available information, and the correct answers cannot be changed.
Moreover, systems that use SMS text messages to send one-time codes have recently been criticized by the United States' National Institute of Standards and Technology (NIST) because attackers can redirect SMS messages by manipulating aspects of the global mobile phone network and intercept the one-time codes. Alternatively, the same attackers could register a new SIM to the phone number and direct the one-time code (and all other communications) to a device controlled by them. Both of these tactics have been used by criminal and state-level actors.
Hardware tokens rely on the integrity of the seed material and the security of the algorithm that is used to generate the one-time numbers. Some tokens' integrity has been violated in the past, such as when RSA suffered a data breach and the material used to generate one-time codes was stolen from the company. As a result, the company offered to replace all of the 40 million SecurID tokens that were in global use.
Software tokens are often preferred over hardware tokens because they are less likely to be lost (people have a strong attachment to their phones) and are easier to distribute when compared to shipping or mailing physical tokens. However, where this token is used to access services on the smartphone itself, such as using the Google Authenticator app to log into an email account on the same phone, the placement of both factors (i.e., the login and password and the software token) on one device may undermine the security provided by the two-factor system. Best practices call for the various factors to be presented on 'different channels' so that all the information is not available on the same device and vulnerable to a single attacker.
Finally, biometric authentication is susceptible to being tricked when scanners are presented with seemingly valid, yet fake, biometrics. For example, fake fingerprints have been created and presented to fingerprint readers and authenticated as the legitimate fingerprint. There is also a risk that, should the algorithm for how the fingerprint is stored be compromised, attackers might be able to extract core characteristics of the fingerprint or determine how to provide false biometrics that are accepted as legitimate. Also, while some factors can be relatively easily replaced, such as usernames and passwords or even hardware and software tokens, humans typically have only ten fingerprints and two eyes and cannot add new ones.
Christopher Parsons is a Research Associate at the Citizen Lab in the Munk School of Global Affairs at the University of Toronto.
- Two Factor Auth: https://twofactorauth.org
- Hard, Soft, or Smart? Evaluating the Two-Factor Authentication Options: http://www.infosecurity-magazine.com/magazine-features/hard-soft-or-smart-evaluating-the-two-factor/
- @Deray’s Twitter Hack Reminds Us Even Two-Factor Isn’t Enough: https://www.wired.com/2016/06/deray-twitter-hack-2-factor-isnt-enough/
- Forget Two-Factor Authentication, Here Comes Context-Aware Authentication: http://www.computerworld.com/article/3105866/application-security/forget-two-factor-authentication-here-comes-context-aware-authentication.html
- Draft NIST Special Publication 800-63B Digital Authentication Guide: https://pages.nist.gov/800-63-3/sp800-63b.html
- London Calling: Two-Factor Authentication Phishing From Iran: https://citizenlab.org/2015/08/iran_two_factor_phishing/
- After Hack, RSA Offers To Replace SecureID Tokens: http://www.computerworld.com/article/2509027/security0/after-hack–rsa-offers-to-replace-secureid-tokens.html