Advantages of Integrated Two-Factor Authentication

Two-factor authentication (2FA) has been around for quite a while. Until recently, 2FA was usually used to get access to the corporate VPN, perhaps for a few high-security applications, and by CFOs and a few high-worth individuals to manage their bank accounts. 2FA also usually involved some sort of token: either a dedicated piece of hardware that displayed a number or a soft-token application that ran on your computer, or more recently on your phone.

The threat landscape is changing, bringing two-factor authentication much more into the mainstream for consumers. Driven by Federal banking regulations, financial institutions are deploying 2FA and out-of-band authentication for many average consumers' online transactions. And given a sharp increase in attacks, 2FA is even finding use in the realm of social media logins. As a result, the number of 2FA accounts the average user must manage is increasing. While not nearly at the scale of the number of usernames and passwords, we are rapidly approaching the point where the number of 2FA technologies becomes difficult to manage. Which token (or soft token) do I use for this account? What's the right app to use for this? Will it send me an SMS, phone me, or what?

Enterprises deploying two-factor authentication have an advantage: they are in a position to require employees to use 2FA to get access to corporate applications. In some cases, financial institutions can require 2FA, particularly where it is uniformly required by others in the industry. But in other situations, uptake of 2FA is in the single digits. How can we make 2FA easy enough to use to actually move the needle on security on these sites?

Adding Two-Factor Authentication

Sites that want to use two-factor authentication often have some existing authentication mechanism in place, probably username and password. They need to make two-factor authentication available in a way that is least disruptive to their existing user base. This leads to the deployment of two-factor authentication as an add-on. After the user provides their username and password, they are required to prove possession of something they have, sometimes referred to as a token. In this context, a token doesn't have to be a specific authentication device; it could also be something like their mobile phone.

When a user first uses a two-factor authentication token, they must associate that device with their account. Depending on the situation, this may be as simple as allowing the user to associate the device after logging in, or may require that the user provide additional proof (such as a one-time password mailed to them) to make sure that an impostor isn't doing this on a legitimate user's behalf.

The two-factor authentication service provides an identifier to the online service that is used when the online service wants to request stronger authentication of the user. Depending on the type of authentication service and the type of token the user has, different things may be provided to the authentication service. A very basic 2FA service may just send a numeric code to the user's phone, which the user enters on the online service, which sends it to the authentication provider for verification. An improvement on this is to include a description of the transaction, which would be displayed to the user for additional assurance of what they're approving. Yet more advanced 2FA services, such as OneID, include a digital signature from the user on the transaction description. This provides non-repudiation: a positive confirmation that the user did sign the transaction and can't repudiate or deny that he/she did so.

For maximum security, an attacker must not have the ability to independently attack the two authentication factors. Just like it's good practice not to tell the attacker whether it was the username or the password that failed authentication, authentication methods that don't reveal which authentication factor failed or succeeded are inherently stronger than those that give this clue.

In some cases, users may be prompted for authentications on their mobile phones that they didn't initiate. While this is potentially annoying, it is also an alarm to warn them of a possible attack.

Two-factor authentication can use several different methods. By far the most secure is to use a smartphone application that communicates securely (using SSL) with the authentication service and displays the nature of the transaction being approved. It may also prompt the user for additional confirmation (such as entry of a PIN) and may provide a cryptographic signature from the user to document that approval.
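The signed-transaction method described in this section, as an added example (not OneID's code, nor from the original paper): the phone signs the transaction description it showed the user with a key generated at device enrollment, and the online service checks the signature against the public key registered at that time. Ed25519, the JSON encoding of the approval, and all names and values are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Approval is what the phone displays to the user and then signs. Binding the
// description into the signed bytes is what later lets the service show exactly
// what the user approved (the paper's non-repudiation).
type Approval struct {
	TransactionID string `json:"txn"`
	Description   string `json:"desc"`
	DeviceID      string `json:"device"`
}

// bytes is the canonical encoding; phone and service must build it the same way.
func (a Approval) bytes() []byte {
	b, _ := json.Marshal(a) // a struct of plain strings cannot fail to marshal
	return b
}

// SignApproval runs on the phone. The private key was generated on the device at
// enrollment and never leaves it; only the public key was registered.
func SignApproval(priv ed25519.PrivateKey, a Approval) []byte {
	return ed25519.Sign(priv, a.bytes())
}

// VerifyApproval runs at the online service. It rebuilds the approval from what the
// service itself asked the user to approve, so a signature over a different
// description (a substituted transaction) or from an unenrolled device fails.
func VerifyApproval(enrolled map[string]ed25519.PublicKey, a Approval, sig []byte) bool {
	pub, ok := enrolled[a.DeviceID]
	return ok && ed25519.Verify(pub, a.bytes(), sig)
}

func main() { // constructed walk-through: one enrolled phone approving one payment
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // once, on the device, at enrollment
	enrolled := map[string]ed25519.PublicKey{"phone-1": pub}
	shown := Approval{"txn-1001", "Pay $250.00 to ACME Utilities", "phone-1"}
	sig := SignApproval(priv, shown)
	fmt.Println(VerifyApproval(enrolled, shown, sig)) // true
	altered := shown // the record was changed after the user signed
	altered.Description = "Pay $2500.00 to ACME Utilities"
	fmt.Println(VerifyApproval(enrolled, altered, sig)) // false
}
```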
What is Integrated Two-Factor Authentication?

Combining, or integrating, the authentication factors increases security, improves the user experience, and provides flexibility that is not available when using separate authentication methods. Improved user experience is critical to gaining acceptance for two-factor authentication when its use is not mandated.

As mentioned above, having two separate authentication factors makes it possible for an attacker to go after the two factors individually. While the resulting security is better than single-factor authentication, it isn't as strong as it could be. One of the characteristics of integrated two-factor authentication is that the two factors are evaluated at the same time. A good example is OneID out-of-band authentication. When a PIN (something you know) is requested from the user, it is combined (or "salted") with keying information on the device to create a verifier that is verified by the OneID Repository. The PIN never leaves the device, and the salt value used for comparison is never available to the repository. The repository also enforces a limit on the rate of PIN verifications that it will permit. The result is that the PIN verification is much stronger than with approaches that verify PINs and passwords locally, and a verification failure doesn't indicate whether the PIN or the keying information was incorrect.
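An added example of the integrated PIN check just described (constructed for this page, not OneID's implementation): the device keys the PIN with material that never leaves it, the repository stores only a hash of the resulting verifier, and it gives one undifferentiated answer whether the PIN, the keying material, the device or the rate limit was the problem. HMAC-SHA256 as the combining function, the hashed-verifier storage, the failure counter and all names are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// DeriveVerifier runs on the phone; deviceKey (the paper's "salt") and the PIN never leave it.
func DeriveVerifier(deviceKey []byte, pin string) []byte {
	mac := hmac.New(sha256.New, deviceKey)
	mac.Write([]byte(pin))
	return mac.Sum(nil)
}

// Repository (server side) keeps only a hash of each verifier and caps failed attempts.
type Repository struct {
	verifierHash map[string][32]byte
	failures     map[string]int
	maxFailures  int
}

func NewRepository(maxFailures int) *Repository {
	return &Repository{map[string][32]byte{}, map[string]int{}, maxFailures}
}
func (r *Repository) Enroll(id string, verifier []byte) {
	r.verifierHash[id] = sha256.Sum256(verifier)
}

// Verify answers yes or no only: wrong PIN, wrong key, unknown or rate-limited device look alike.
func (r *Repository) Verify(id string, verifier []byte) bool {
	expected, known := r.verifierHash[id]
	if !known || r.failures[id] >= r.maxFailures {
		return false
	}
	got := sha256.Sum256(verifier)
	if subtle.ConstantTimeCompare(got[:], expected[:]) == 1 {
		r.failures[id] = 0 // success resets the counter
		return true
	}
	r.failures[id]++
	return false
}

func main() { // constructed walk-through; a real device key is random
	repo, key := NewRepository(3), []byte("constructed device key")
	repo.Enroll("phone-1", DeriveVerifier(key, "4821"))
	fmt.Println(repo.Verify("phone-1", DeriveVerifier(key, "4821"))) // true
}
```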
While the OneID out-of-band verification can itself be an integrated two-factor system, it integrates cleanly with existing single-factor authentication schemes widely in use. This brings the benefit of integrated two-factor authentication to sites with existing username/password infrastructure.

As users acquire a variety of different devices that they may use as two-factor authentication tokens, it becomes increasingly important to manage the devices to make it easy for the user to revoke lost or stolen devices. Users may also have several out-of-band devices available for use, such as a phone and a tablet computer. In order that it not be necessary to enroll each device with each of the online services that the user accesses, OneID integrated two-factor authentication also presents common authentication credentials to online services, independent of which device is used for a given transaction.

Additional capabilities are available when OneID authentication is used as the first authentication factor as well. OneID allows users to require stronger authentication from devices they have less direct control over, such as a computer at home that their kids also use. The OneID control panel allows users to specify these requirements; the actual strength of authentication performed is the greater of that required by the online service and that required by user preferences.

Conclusion

Maintaining security is becoming more and more challenging with time. Some of the challenges can be anticipated, such as advances in computation that are making it progressively easier to dictionary-attack a password database. Other challenges are harder to anticipate, such as the discovery of new "day-zero" vulnerabilities in operating software. For these reasons, security requirements are not fixed, but increase with time. Online services considering deploying a two-factor authentication service should consider the ability of that service to grow with them: the ability to evolve as threats become yet more challenging, to provide advanced alternatives to username/password, and to improve the security of the authentication methods already in place.

Two-factor authentication is often being used to work around the fundamental weaknesses in password management. While two-factor authentication does improve security, it increases user friction, a particular problem for online services that are not in a position to mandate 2FA. Integrated 2FA provides the best usability for better security, so a two-factor authentication technology that can be upgraded to integrate the two factors more closely has the best ability to grow as needs change, as well as to maximize user uptake of optional 2FA. Look to tomorrow's authentication requirements, not today's, when upgrading your authentication.

Contact OneID: [email protected] www.oneid.com