The hidden dangers of "good enough" authentication

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

While it's human nature to make comparisons, not all comparisons are helpful or accurate. When comparing a Porsche and a Volkswagen, for example, the most you can say is that they are both vehicles. They have wheels and doors and engines, and will get you from Point A to Point B, but that is where the comparison ends.

In a similar vein, not all multi-factor authentication approaches are the same. The variances can mean the difference between true security and susceptibility to phishing, between timeliness and late arrival of authentication codes, and between user-friendly and hard-to-use applications.

The first thing to beware of when considering multi-factor authentication tools is pre-issued passcodes. Many authentication platforms operate similarly to token-based technologies, with pre-issued one-time passcodes derived from a seed file. If codes are pre-issued, they are vulnerable to compromise, for example through unauthorized use or theft of the seed files. This is not just a theoretical risk; it has actually happened, requiring the replacement of millions of hardware tokens. If the authentication code is determined before the login, it can be stolen and used for another login, significantly compromising the system's security, and the code can be captured by phishing.

A second important factor is the significant benefit that challenge- and session-based security brings to the table. Being challenge-based enables organizations to set up systems that make employee remote logins even more secure. With this approach, a code is generated only after the user's session has been confirmed. By waiting to generate the code, instead of relying on a pre-set bank of existing codes, administrators can see which computer workstation the login request is coming from. A code is then created and linked to that computer, so it can only be used from the machine that originally initiated the request. If for any reason the code is intercepted, it cannot be used on any other device. This helps protect against sophisticated attacks such as man-in-the-middle attacks.
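The two preceding points, a code that exists only after the session is established and that is bound to that session, can be shown in a few lines of server-side logic. The following is an added illustration, not code from the article or from any vendor product. The session identifier, the HMAC binding, the two-minute lifetime and the single-use rule are all assumptions made for the example; a real deployment would also bind to whatever device or workstation attributes it can verify.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120  # assumed lifetime; the article only says codes must arrive promptly


class SessionBoundOtpServer:
    """Issues a one-time passcode only after a login session exists and binds the
    code to that session, so a code captured in transit is useless elsewhere."""

    def __init__(self):
        # Server-side key used to bind (session, code) pairs; never leaves the server.
        self._server_key = secrets.token_bytes(32)
        # session_id -> (binding tag, expiry). The code itself is never stored.
        self._pending = {}

    def _tag(self, session_id, code):
        msg = f"{session_id}:{code}".encode()
        return hmac.new(self._server_key, msg, hashlib.sha256).digest()

    def issue_code(self, session_id, now=None):
        """Generate a fresh code for an already-confirmed session. Nothing is
        pre-computed from a seed; the code does not exist before this call."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = (self._tag(session_id, code), now + CODE_TTL_SECONDS)
        return code  # delivered out of band (e.g. SMS) to the user

    def verify(self, session_id, code, now=None):
        """Accept the code only for the session it was issued to, once, before expiry.
        The pending entry is consumed on the first attempt, so it cannot be retried."""
        now = time.time() if now is None else now
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return False  # no code outstanding for this session (wrong session or reuse)
        tag, expires_at = entry
        if now > expires_at:
            return False  # arrived too late
        return hmac.compare_digest(tag, self._tag(session_id, code))


def demo():
    """Constructed scenario: a code issued to session A is replayed against
    session B, then used legitimately, then replayed against A itself."""
    srv = SessionBoundOtpServer()
    code = srv.issue_code("session-A")
    replayed_elsewhere = srv.verify("session-B", code)  # False: bound to session-A
    legitimate = srv.verify("session-A", code)          # True
    replayed_again = srv.verify("session-A", code)      # False: single use
    return replayed_elsewhere, legitimate, replayed_again


if __name__ == "__main__":
    print(demo())
```

The contrast with a pre-issued scheme is the `issue_code` step: because the code is random and created on demand, there is no seed file whose theft would let someone else compute it, and the binding tag means the same digits presented from another session fail verification.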

Next, it's important to look past the shiny surface of authentication apps. Certainly mobile apps are cool and most users are familiar with using them on their smartphones. But as an authentication mechanism, the "coolness" of the mobile app will quickly fade once an organization starts deploying it in the real world. Making sure an app is successfully deployed to everyone in an organization can be a challenge, as is the chore of maintaining compliance so that everyone is using the most up-to-date version.

If an organization opts for an approach that requires user-deployed software, it drastically increases user dependency, since the success of the implementation relies on all users having the software deployed and up to date. In addition, the technology relies on all users having a smartphone, which is not always the case. The mobile app (unless it uses a basic soft token) also requires a data connection to work, and this can be impractical and expensive for employees while traveling.

When implementing a multi-factor authentication security platform that leverages SMS as a delivery mechanism for the OTP (one-time passcode), the reliability of the SMS arriving on time becomes mission-critical. Users are waiting to log into critical business applications remotely and cannot proceed until the code arrives. There is a huge difference between the SMS arriving within 10 seconds or within two minutes. If delivery is not reliable, a high percentage of the codes may arrive too late to be useful.

Some authentication providers claim that SMS delivery is not reliable enough and, as a result, they encourage the usage of pre-issued codes. However, this lowers the level of security significantly because the OTP cannot be generated in real-time and can be a dangerous trade-off to make.

Another consideration when implementing mobile-based multi-factor authentication technologies is the level of adaptive support. One best practice is to take full advantage of contextual information, such as login behavior patterns, geo-location and type of login system being accessed. This provides some powerful benefits for an organization in terms of added user convenience. For example, it allows for the level of security to dynamically adjust based on where the user is located when logging in, what time they are logging in and what network they are logging in from.

If the user is logging in from a trusted location, such as the user's home, where they have logged in from before, then they will not be prompted for an OTP in order to authenticate. On the other hand, if the user is attempting to log in while traveling (e.g. from an airport lounge or hotel with public Wi-Fi), then an OTP is mandatory to gain access.
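A minimal version of the adaptive policy described in the two paragraphs above, written as an added example rather than taken from the article or any product: each login carries some context (source network, country, local hour, resource), the server keeps a small per-user history of where successful logins came from, and an OTP is required whenever any risk signal fires. The signals, the working-hours window, the list of sensitive resources and the sample IP ranges (drawn from the reserved documentation networks) are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed policy parameters for the example.
SENSITIVE_RESOURCES = {"payroll", "admin-console"}
WORK_HOURS = range(6, 23)  # 06:00-22:59 local time counts as normal


@dataclass
class UserHistory:
    """Where this user has successfully logged in from before."""
    trusted_networks: set = field(default_factory=set)  # CIDR strings
    known_countries: set = field(default_factory=set)


@dataclass(frozen=True)
class LoginContext:
    user: str
    source_ip: str
    country: str
    hour_local: int
    resource: str


def risk_reasons(ctx, history):
    """Return the list of contextual signals that make this login unusual."""
    reasons = []
    ip = ipaddress.ip_address(ctx.source_ip)
    if not any(ip in ipaddress.ip_network(net) for net in history.trusted_networks):
        reasons.append("untrusted network")
    if ctx.country not in history.known_countries:
        reasons.append("new country")
    if ctx.hour_local not in WORK_HOURS:
        reasons.append("off-hours")
    if ctx.resource in SENSITIVE_RESOURCES:
        reasons.append("sensitive resource")
    return reasons


def decide(ctx, history):
    """Step-up to an OTP if any signal fired; otherwise password alone suffices.
    Returns (decision, reasons) so the reasons can be logged for audit."""
    reasons = risk_reasons(ctx, history)
    return ("otp" if reasons else "password-only"), reasons


def record_success(ctx, history):
    """After a successful login (OTP included when required), remember the
    /24 the user came from and the country, so the location becomes trusted."""
    net = ipaddress.ip_network(f"{ctx.source_ip}/24", strict=False)
    history.trusted_networks.add(str(net))
    history.known_countries.add(ctx.country)


if __name__ == "__main__":
    # Constructed sample: alice normally works from 203.0.113.0/24 in Denmark.
    alice = UserHistory({"203.0.113.0/24"}, {"DK"})
    print(decide(LoginContext("alice", "203.0.113.7", "DK", 9, "mail"), alice))
    print(decide(LoginContext("alice", "198.51.100.23", "US", 23, "mail"), alice))
    print(decide(LoginContext("alice", "203.0.113.7", "DK", 9, "payroll"), alice))
```

Note that `decide` never downgrades below the password check; the contextual signals only add the OTP requirement, which is the direction the article argues for: convenience from a trusted location, a mandatory second factor from an unfamiliar one.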

If all you need is a rig to get you to the corner store and back, a Volkswagen is fine. But if you need a vehicle that delivers high performance at high speeds, a Porsche is a much better choice. Just as all cars are not created equal, neither are all multi-factor authentication tools. Security, reliability and ease of use are just some of the many vital components to consider when choosing a security platform. It's essential that organizations move beyond "good enough" authentication to keep ahead of modern security threats and keep data safe.

Hald is a founding member of SMS PASSCODE A/S, where he acts as a liaison and a promoter of the award-winning SMS PASSCODE multi-factor authentication solutions. Prior to founding SMS PASSCODE A/S, he was a co-founder and CEO of Conecto A/S, a leading consulting company within the area of mobile- and security solutions with special emphasis on Citrix, Blackberry and other advanced mobile solutions.

By David Hald, co-founder and chief relation officer, SMS PASSCODE