Username and password have been with us for a long time, and have served us well. They are, however, no longer a guarantee of security or confidentiality. It is too simple and easy to obtain someone’s username and password, and once you have these you have full access to their systems. You can only ask your users to be careful with their password choices and how they remember them, but you can’t prevent them from writing it on the proverbial Post-it note.
While this is a problem for things like your Facebook account, it could be outright disastrous for things like your banking or corporate Active Directory account. The solution is to require an additional factor of authentication. Common terms for this are Two Step Authentication, Two Factor Authentication or 2Fac. But what exactly constitutes two factors?
Identification and authentication
The username and password method is a great example of simple identification, where you prove your identity (username) by providing a password for authentication. This, however, is only considered a single factor of authentication because both elements come from a single class of authentication methods. Authentication methods are classified as one of the following three:
- Something you know (username + password combination)
- Something you have (tokens, smart-cards, certificates)
- Something you are (biometrics)
Having a username and password for gaining access to a system does not constitute two factors. You cannot simply repeat one method and count it as a second factor. Using multiple methods makes for very strong authentication that is very difficult to imitate or circumvent.
There are various metrics you need to consider when choosing a second factor for authentication. Not all of them are initially obvious. Key things to consider are:
- User resistance and acceptance rates
- Cost of hardware or software
- Enrolment process and cost
- Revocation process and cost
- Systems to be protected
To illustrate how these considerations come into play let’s look at some Two Factor Authentication options and their pros and cons:
Something you are – Biometrics
One of the factors that has recently been widely adopted is biometrics, specifically fingerprint scanning. This is largely due to it being the default authentication method on mobile phones such as the iPhone 5s onwards.
Biometrics are great for a number of reasons:
- You don’t have to issue users with anything. They are who they are.
- Users cannot really lose themselves like they could with a token or access card.
- Depending on the biometric you choose, the security can be extremely difficult to circumvent. Retina or iris scans are good examples.
There are however also some drawbacks:
- Any system the user needs to access needs to be able to scan or process the person biologically, and that means sensors, like a fingerprint scanner or palm reader.
- The system can also be prone to two error types: 1) False negative rate, and 2) False positive rate.
The first error is where the system fails to identify the person it should accept. If you’ve ever tried to unlock your iPhone with even a tiny amount of water on your hands, you will know what I am talking about. This is annoying on a phone, but a more serious issue on corporate systems. A false positive is even worse: the system identifies the wrong person and grants access. Biometric systems are rated and graded by their accuracy and the false rates they provide. It should come as no surprise that an iPhone fingerprint reader is probably not as accurate as a high-end, dedicated fingerprint or palm scanner.
The other consideration when deploying biometrics is the resistance of the user base to adopting and using the method. One factor that may lead to resistance is invasion of privacy: your employees may not want you to record and use their biometric information such as fingerprints. Unlike tokens or passwords, these cannot be changed or revoked by the user. A user may also simply be opposed to it for other reasons, such as not wanting to use an uncomfortable retina scan 15 times a day to enter and leave a secure room.
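The two error types trade off against each other through the matcher’s acceptance threshold. The following is an added illustration (not from the original article, and not any vendor’s code): it takes constructed match scores from a hypothetical fingerprint matcher, computes the false positive rate (impostor accepted) and false negative rate (genuine user rejected) at a given threshold, finds the threshold where the two rates are equal, and shows how degraded captures (the wet-finger case) push the false negative rate up at a fixed threshold.

```python
from typing import Iterable, Sequence, Tuple

# Constructed sample data for illustration only (hypothetical matcher, scores 0-100,
# higher = stronger match). Not measurements from any real device.
GENUINE_SCORES = [92, 88, 95, 81, 77, 90, 85, 69, 93, 87]    # enrolled user presenting
IMPOSTOR_SCORES = [31, 45, 28, 52, 60, 38, 70, 49, 35, 42]   # someone else presenting


def error_rates(threshold: int, genuine: Sequence[int], impostor: Sequence[int]) -> Tuple[float, float]:
    """Return (false_positive_rate, false_negative_rate) at a threshold.

    A presentation is accepted when score >= threshold.
    False positive: an impostor score that is accepted.
    False negative: a genuine score that is rejected.
    """
    false_positive = sum(score >= threshold for score in impostor) / len(impostor)
    false_negative = sum(score < threshold for score in genuine) / len(genuine)
    return false_positive, false_negative


def equal_error_threshold(genuine: Sequence[int], impostor: Sequence[int],
                          thresholds: Iterable[int] = range(0, 101)) -> int:
    """Threshold at which the two error rates are closest (the equal error point).

    Vendors commonly quote accuracy at or near this point; a deployment may instead
    choose a higher threshold to favour rejecting impostors over convenience.
    """
    return min(thresholds, key=lambda t: abs(error_rates(t, genuine, impostor)[0]
                                             - error_rates(t, genuine, impostor)[1]))


def degraded(scores: Sequence[int], drop: int) -> list:
    """Simulate poorer captures (wet or dirty finger) by lowering every genuine score."""
    return [max(0, score - drop) for score in scores]


if __name__ == "__main__":
    t = equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES)
    print("equal error threshold:", t, error_rates(t, GENUINE_SCORES, IMPOSTOR_SCORES))
    for threshold in (60, 70, 80):
        print(threshold, "dry:", error_rates(threshold, GENUINE_SCORES, IMPOSTOR_SCORES),
              "wet:", error_rates(threshold, degraded(GENUINE_SCORES, 15), IMPOSTOR_SCORES))
```

Raising the threshold drives the false positive rate towards zero at the cost of more rejected legitimate users; lowering it does the reverse. The degraded run shows why a consumer sensor that is tuned for convenience rejects a wet finger: the genuine scores slide under the threshold while the impostor scores are unaffected.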
Of course biometrics on their own do not give you Two Factor Authentication, even if you use both a fingerprint and a retina scan. An iPhone for example, using TouchID is only a single factor. If however you have a system requiring a retina scan followed by a PIN, you have two factors.
Something you have – Tokens, Smart-cards and Certificates
Having something with you to validate your identity is another factor. The scope, abilities and range of these items vary greatly. A police officer’s badge is an example of a token that validates their identity. As shiny and impressive as it is, it does not have nearly the same technical abilities as even a simple magnetic swipe card (like “old-school” credit cards), a proximity access card, or a smart-card with an embedded chip (like cellular SIM cards). In the same way that retina scans are more secure than fingerprints, some tokens are better than others.
There are many different flavours of these but basically it comes down to two options:
- Physical tokens, or
- Soft tokens
Physical tokens such as your chip-and-PIN credit card, or a USB certificate smart-card, are deemed very secure because they are difficult to replicate. They are, however, static and cannot be changed. They also need to be physically issued and revoked. Because they need to be physically manufactured they also tend to have a higher cost.
Soft tokens are typically an application installed on a smartphone or digital device. They often replace the need for a separate physical device to be distributed and managed. Unlike certificates, most soft tokens provide you with an ephemeral value: the application generates a character sequence, normally numbers, that is valid only for a single login or for a short duration of time. These are generally referred to as a One Time PIN or OTP. When you combine an OTP with a username / password combination you have Two Factor Authentication.
Why I like OTP as a second factor in Two Factor Authentication:
Since systems that require OTPs typically only need to have a username and password/PIN entered on screen or with a keyboard, no additional hardware is required. This makes it more versatile and cost effective to deploy.
Users look after their own phones and keep them safe, you don’t have to convince them to do this with a separate token. This addresses user acceptance and token loss.
Phones are protected by a PIN or biometric scan to add yet another layer of security. You can then also make use of the smart device’s ability to do things like remotely wipe or destroy the token should it be lost. This addresses token security and revocation concerns.
Soft tokens are also generally associated with a lower TCO. Since smartphone-based OTPs leverage existing infrastructure, they generally have a significant cost advantage.
Because OTPs can effectively only be used once, they are deemed temporary, and even if the authentication traffic is captured in transit it is almost immediately invalid. It’s like a user changing their password every thirty seconds.
With Two Factor Authentication you don’t have to ask your users to please keep the gate closed (with good passwords). You can technically enforce something much stronger.
Before you can decide on a Two Factor Authentication solution you need to understand the security requirements, use case, user base and budgets for your situation. These metrics can influence which two factors you choose. Knowing the strengths and weaknesses of the various methods allows you to make the correct choice for your usage scenario.
In the follow-up articles we will show how to deploy OTP on the Sophos UTM. We will demonstrate how it is used to secure the UTM itself, but also how it can be used to add Two Factor Authentication to applications that do not support it natively.