The hidden dangers of "good enough" authentication

By David Hald, co-founder and chief relation officer, SMS PASSCODE

 While it's human nature to make comparisons, not all comparisons are helpful or accurate. When comparing a Porsche and a Volkswagen, for example, the most you can say is that they are both vehicles. They have wheels and doors and engines, and will get you from Point A to Point B, but that is where the comparison ends.

In a similar vein, not all multi-factor authentication approaches are the same. The variances can mean the difference between true security and susceptibility to phishing, between timeliness and late arrival of authentication codes, and between user-friendly and hard-to-use applications.

The first thing to beware of when considering multi-factor authentication tools is pre-issued passcodes. Many authentication platforms operate similar to token-based technologies with pre-issued one-time-passcodes that are based on a seed file. If codes are pre-issued then they are vulnerable to hacking, i.e. through unauthorized usage or theft of seed files. This is not just a theoretical risk but has actually happened before, requiring the replacement of millions of hardware tokens. If the authentication code is pre-defined before the login, then it can be stolen and used for another login meaning the system's security can be significantly compromised and the code can be exploited by phishing.

A second important factor is the significant benefit that challenge-and session-based security brings to the table. Being challenge-based enables organizations to set up systems that make employee remote logins even more secure. With this approach, when a code is generated it's only after the user session has been confirmed. By waiting to generate the code, instead of relying on a pre-set bank of existing codes, administrators can see which computer workstation the login request is coming from. A code is then created and linked to the computer so the code can only be used from the same machine from which the request was originally initiated. If for any reason the code is intercepted, it cannot be used on any other device. This helps protect against sophisticated attacks such as man-in-the-middle attacks.

Next, it's important to look past the shiny surface of authentication apps. Certainly mobile apps are cool and most users are familiar with using them on their smartphones. But as an authentication mechanism, the "coolness" of the mobile app will quickly fade once an organization starts deploying it in the real world. Making sure an app is successfully deployed to everyone in an organization can be a challenge, as is the chore of maintaining compliance so that everyone is using the most up-to-date version.

If an organization opts for an approach that requires user-deployed software, then it drastically increases user dependency since the success of the implementation relies on all users having the software deployed and up-to-date. In addition, the technology relies on all users having a smart phone, which is not always the case. The mobile app (unless it uses a basic soft token) also requires a data connection to work and this can be impractical and expensive to use for employees while traveling.

1  2  Next Page