The Use and Abuse of Multi-Factor Authentication in Consumer Facing Systems

A Primer

Authentication is the process of proving to a computer (or other system) that you are who you claim to be. There are several methods of doing this, of which the most common is a password.

The Factors [Reference 1.1.]

A password is in fact just one method of authenticating yourself. There are several methods available, each with their own strengths and weaknesses. These can be combined into a single login process in order to increase security. The commonly accepted factors are:

Factor 1 - Something You Know

This relies on the memory of the person (or system) authenticating. It is generally a password or PIN. Whilst this factor is the easiest for the user, it has weaknesses, the most significant of which is that it can be trivial to obtain a password (e.g. by shoulder surfing, using a keystroke logger, looking for post-it notes at the terminal, or exploiting the fact that users tend to use one password across several systems).

Factor 2 - Something You Have

This relies on something that the user physically possesses, for example an OTP (One Time Password) generator or a mobile phone. The most widespread implementation requires the user to enter a code which changes in a cryptographically secure way for each login. These codes could be printed and numbered on a piece of paper [References 1.4. & 1.5.], generated electronically [Reference 1.1.] or sent as an SMS to a mobile phone.

Several banks are adding this factor for setting up transactions via e-banking. Users are provided with a device into which they insert their card and enter their PIN. The bank's site displays a code which the device turns into a different code. This uses the chip in the card to 'sign' the code, thus proving that the user is in possession of their bank card.

Illustrations 1 through 4 show a selection of second factors.

1 - A Verisign OTP generator; it uses an internal clock and generates a number which depends on the time.

2 - The device in illustration 1 can easily be replaced by a mobile phone application if both the algorithm and the shared secret are known.

3 - Another Verisign OTP; this one is too small to have an internal clock so it uses a counter instead.

4 - The CardSentry system used by some banks.
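The time-based token in illustration 1 and the counter-based token in illustration 3 are both instances of the same construction, and illustration 2's point (a phone application can stand in for the hardware if it knows the algorithm and the shared secret) follows directly from it. The following is an added example, not code from the article or from Verisign: an implementation of the published HOTP (RFC 4226) and TOTP (RFC 6238) algorithms together with the server-side checks that make a counter-based or clock-based token usable in practice. The secret is the one from the RFCs' test vectors and is used here only so the output can be checked; a real token's secret is a random value provisioned at enrolment.

```python
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# Used only so the example's output is verifiable; a real secret is random and per-token.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of the last byte picks a 4-byte window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the number of time steps since the epoch.
    This is what a clock-based token (illustration 1) or a phone app (illustration 2) computes."""
    return hotp(secret, unix_time // step, digits)


class CounterTokenVerifier:
    """Server-side state for a counter-based token (illustration 3).

    The token's counter advances every time its button is pressed, whether or not the code
    is submitted, so the server accepts a look-ahead window and then resynchronises to the
    counter that matched. Codes at or below the last accepted counter are rejected, which
    stops a code that has been observed from being replayed.
    """

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.last_counter = -1                       # no code accepted yet
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            # constant-time comparison so the check does not leak how many digits matched
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def verify_totp(secret: bytes, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Accept the current step and +/- drift_steps neighbours to tolerate clock skew between
    the token and the server (a clock-based token cannot be resynchronised any other way)."""
    step = unix_time // 30
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-drift_steps, drift_steps + 1))


if __name__ == "__main__":
    print("HOTP for counters 0..2:", [hotp(TEST_SECRET, c) for c in range(3)])
    print("TOTP at t=59 (8 digits):", totp(TEST_SECRET, 59, digits=8))
```

The two verifiers show why the server side matters as much as the token: without a bounded window and a monotonically advancing counter, a code that has been shoulder-surfed stays valid, and a clock-based token with no skew tolerance locks its user out as soon as its clock drifts.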

Factor 3 - Something You Are

This is where biometrics come in. It could be said that this is the scariest factor in that it is harder to replace if compromised. A password is trivial to change and a lost security token can be replaced (and the old one revoked); it is, however, very hard to get a new iris, fingerprint or DNA. Biometrics have their place in providing security, but the consequences of their being compromised mean that their use must be saved for only the highest security requirements. The equipment to implement it on a home system is also sufficiently expensive that it won't be mentioned again in this article.

Factor 4 - Where You Are / Someone You Know

There is some debate over what the emerging fourth factor of authentication will be. Some camps like the idea of using the GPS in a user's phone to gather location data (am I really making a purchase in Nigeria if I'm walking down Union Street in Aberdeen?), whilst others prefer the idea of a web of trust, that is to say "do enough people I trust say that this person is who they claim to be?". As this factor is not widely used in consumer facing systems it will be ignored in the rest of the article. [References 1.2. & 4.]

The Uses

Multi-factor authentication is at the moment largely restricted to financial institutions, as they are generally liable for fraudulent transactions unless they can prove negligence or fraud on the consumer's part. Some companies demonstrate almost completely correct use of multi-factor authentication, while others use it as a form of security theatre in order to reassure the consumer [Reference 2.].

Security professionals will tell you that a multi-factor system may only count distinct factors [Reference 1.1.]; however, several companies instead count the number of things they ask for, which can be quite different. The reason for the security professionals' definition is that once one credential of a given kind has been obtained, a second of the same kind costs almost nothing extra: if I've gone to the trouble of kidnapping and torturing my victim to get their password, it takes only a minimal amount of extra effort to get the secondary password from them. Likewise, if I've broken into their home or mugged them to get a security token, it takes only minimal extra effort to get another one (unless the consumer is keen on causing themselves a lot of inconvenience by keeping them in quite separate locations). Also consider a keystroke logger: having gone through the effort of creating and installing it, it is only a minor addition to make it aware of a wholly disclosed and partially disclosed password setup.

The Abuses

Companies, however, like to count each item required as a separate factor. For example, my bank claims to have multi-factor authentication for logging in to their online banking site but delivers it by the use of a password, a PIN and a secondary password, all three of which are the same factor.

Then there are PayPal and eBay, who allow you to bypass entering the code from a security token by clicking an 'I don't have the token' link. This obviously negates the point, as any attacker is then back to needing only the password. They do insist on you answering one of the security questions you'd previously set up, but due to the choice of questions the answers are trivially gained through social engineering. Although an attacker may not always use such methods, it is commonly accepted that as the number of systems requiring a password has increased, so has the number of consumers using the same (or a small selection of) passwords for everything. This exposes consumers to a new risk, as shown by the cartoon below (Illustration 5, from xkcd.com). This is a weakness which is not adequately addressed by using two passwords, as such consumers are likely to use the same password for both the wholly disclosed and partially disclosed passwords.

Why The Differences?

So it is clear that there are significant differences between the way multi-factor authentication should be deployed in order to deliver the increase in security it promises and the way in which it is actually being deployed.

Whilst I disagree that many of the ways it is deployed could be considered multi-factor authentication, as they rely on multiple versions of the same factor, I realise that the motivations of business aren't always about security.

For example, by using a wholly disclosed and a partially disclosed password the consumer is made to feel reassured and has only a minimal amount of hassle added to the login process. Whilst someone prepared to use torture to gain the password has no more work to do, it is more likely that the password will be compromised by malware on the consumer's machine. This malware will have a harder time compromising the password, as it needs to capture enough parts of the partially disclosed password (and know which parts it has) in order to be able to authenticate as the user.
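How much harder the partially disclosed password actually makes that job can be put as a number, which is what a defender deciding whether the scheme is worth its hassle wants to know. The following is an added example, not from the article: it computes, exactly and by simulation, the expected number of logins a passive observer who sees each prompt and its response must watch before every position of the partially disclosed password has been requested at least once. A wholly disclosed password is fully revealed by one observed login, so this expectation is the factor by which the scheme raises the bar. The password lengths and number of positions asked per login are constructed for illustration; the model assumes positions are chosen uniformly and independently on each login, which is the best case for the scheme.

```python
import random
from fractions import Fraction
from math import comb


def expected_logins_to_full_disclosure(length: int, asked: int) -> Fraction:
    """Exact expected number of observed logins before every position of a `length`-character
    password has been requested at least once, when each login asks for `asked` distinct
    positions chosen uniformly at random.

    Solved as a Markov chain on s = number of positions already seen: E[length] = 0 and
    E[s] = 1 + sum_j P(j new positions) * E[s + j], where j is hypergeometric.
    """
    if not 1 <= asked <= length:
        raise ValueError("asked must be between 1 and length")
    total = comb(length, asked)
    expect = [Fraction(0)] * (length + 1)
    for seen in range(length - 1, -1, -1):
        unseen = length - seen
        p_no_new = Fraction(comb(seen, asked), total)       # comb() is 0 when asked > seen
        acc = Fraction(1)
        for new in range(1, min(asked, unseen) + 1):
            p_new = Fraction(comb(unseen, new) * comb(seen, asked - new), total)
            acc += p_new * expect[seen + new]
        expect[seen] = acc / (1 - p_no_new)                  # solve E[s] = 1 + p_no_new*E[s] + ...
    return expect[0]


def simulate_logins_to_full_disclosure(length: int, asked: int,
                                       trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo check of the closed form: average logins until all positions observed."""
    rng = random.Random(seed)                                # fixed seed: reproducible result
    total = 0
    for _ in range(trials):
        seen = set()
        logins = 0
        while len(seen) < length:
            seen.update(rng.sample(range(length), asked))    # one login's prompt, fully observed
            logins += 1
        total += logins
    return total / trials


if __name__ == "__main__":
    # Constructed scheme parameters; a wholly disclosed password would be a single login.
    for length, asked in [(8, 3), (10, 3), (12, 4)]:
        exact = expected_logins_to_full_disclosure(length, asked)
        approx = simulate_logins_to_full_disclosure(length, asked)
        print(f"{length} characters, {asked} asked per login: "
              f"{float(exact):.2f} logins on average (simulated {approx:.2f})")
```

The result is a handful of logins, not hundreds: the scheme raises the cost of a passive observer by a small constant factor, which is consistent with the article's view that it defends against some attacks but is not a second factor.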

Another example mentioned was that some services allow you to use an 'I don't have my security token' link in order to bypass entering the second factor. In my opinion there is no excuse for this. The consumer has expressly told the website that they wish to use multi-factor authentication (by setting up the token) and the site has decided to offer a back door to crackers. I realise that at times people will legitimately misplace their token, but I feel we should use the same procedures as for a forgotten password (i.e. email them a temporary one).
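The two login flows under discussion (the 'I don't have my token' link criticised in The Abuses and the forgotten-password style recovery proposed above) can be written out side by side. The following is an added example, not code from the article or from any of the services it names; the account record, the password, the token secret and the simplified token code are constructed for the example, and the token code is a stand-in rather than the RFC algorithm. The weak flow accepts a security-question answer in place of the token; the hardened flow accepts only the token or a single-use, short-lived recovery code delivered out of band, and using that code revokes the lost token.

```python
import hashlib
import hmac
import os
import secrets


def derive(secret: str, salt: bytes) -> bytes:
    """Slow hash for stored secrets (PBKDF2-HMAC-SHA256); the secret itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Account:
    """Constructed account record for the example (not from the article)."""

    def __init__(self, password: str, token_secret: bytes, security_answer: str):
        self.pw_salt, self.ans_salt = os.urandom(16), os.urandom(16)
        self.pw_hash = derive(password, self.pw_salt)
        self.answer_hash = derive(security_answer.strip().lower(), self.ans_salt)
        self.token_secret = token_secret         # None once no token is enrolled
        self.recovery = None                     # (sha256(code), expiry) while a recovery is pending


def password_ok(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.pw_hash, derive(password, acct.pw_salt))


def token_code(secret: bytes, now: int) -> str:
    """Simplified stand-in for the token's OTP (30-second window); not the RFC algorithm."""
    return hmac.new(secret, str(now // 30).encode(), "sha256").hexdigest()[:6]


def token_ok(acct: Account, code: str, now: int) -> bool:
    return acct.token_secret is not None and hmac.compare_digest(token_code(acct.token_secret, now), code)


def login_weak(acct: Account, password: str, now: int, code=None, answer=None) -> bool:
    """The flow the article criticises: the 'I don't have the token' path lets a
    security-question answer (something you know, like the password) replace the token."""
    if not password_ok(acct, password):
        return False
    if acct.token_secret is None:
        return True
    if code is not None and token_ok(acct, code, now):
        return True
    return answer is not None and hmac.compare_digest(
        acct.answer_hash, derive(answer.strip().lower(), acct.ans_salt))


def start_recovery(acct: Account, now: int, deliver) -> None:
    """Hardened alternative: treat a lost token like a forgotten password. A random,
    single-use, short-lived code is sent out of band (deliver would be e-mail in practice)
    and only its hash is stored, so reading the database does not yield a usable code."""
    code = secrets.token_urlsafe(16)
    acct.recovery = (hashlib.sha256(code.encode()).digest(), now + 15 * 60)
    deliver(code)


def login_strong(acct: Account, password: str, now: int, code=None, recovery_code=None) -> bool:
    """No knowledge-based bypass: either the token code or an out-of-band recovery code,
    and a successful recovery revokes the lost token so a new one must be enrolled."""
    if not password_ok(acct, password):
        return False
    if acct.token_secret is None:
        return True                              # no second factor enrolled (re-enrolment pending)
    if code is not None and token_ok(acct, code, now):
        return True
    if recovery_code is not None and acct.recovery is not None:
        code_hash, expires = acct.recovery
        acct.recovery = None                     # one attempt only, whether or not it matches
        if now < expires and hmac.compare_digest(
                code_hash, hashlib.sha256(recovery_code.encode()).digest()):
            acct.token_secret = None             # revoke the lost token; the site should force re-enrolment
            return True
    return False
```

The difference between the two flows is not the amount of code but where the fallback's secret lives: in login_weak it is another thing the user knows, so it falls to the same attacks as the password; in login_strong it is something delivered to a channel the user controls, it expires, it can be used once, and it leaves the account in a state where the lost token no longer works.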

Conclusion

Whilst multi-factor authentication provides a good level of security for secure transactions, it needs to be implemented properly in order to deliver on its promise. Although several of the pseudo-multi-factor authentication systems do increase the level of security when certain attacks are considered, they do not increase security against all the attacks addressed by true multi-factor authentication and therefore leave the consumer vulnerable.

Bibliography and References

1. Episodes of Security Now Podcast, http://www.grc.com/securitynow.htm.
1.1. Episode 90 – Multifactor Authentication [podcast]. This Week In Tech; Accessed 2nd Nov 2010. Transcript available from http://www.grc.com/sn/sn-090.htm.
1.2. Episode 94 – Listener Q & A [podcast]. This Week In Tech; Accessed 2nd Nov 2010. Transcript available from http://www.grc.com/sn/sn-094.htm.
1.3. Episode 113 – Roaming Authentication [podcast]. This Week In Tech; Accessed 2nd Nov 2010. Transcript available from http://www.grc.com/sn/sn-113.htm.
1.4. Episode 115 – Perfect Paper Passwords [podcast]. This Week In Tech; Accessed 2nd Nov 2010. Transcript available from http://www.grc.com/sn/sn-115.htm.
1.5. Episode 117 – Even More Perfect Paper Passwords [podcast]. This Week In Tech; Accessed 2nd Nov 2010. Transcript available from http://www.grc.com/sn/sn-117.htm.
1.6. Episode 220 – Listener Feedback #78 [podcast]. This Week In Tech; Accessed 2nd Nov 2010. Transcript available from http://www.grc.com/sn/sn-220.htm.

2. Security theatre [internet]. Wikipedia; Accessed 1st Nov 2010. Available from http://en.wikipedia.org/wiki/Security_theatre.

3. Web of trust [internet]. Wikipedia; Accessed 1st Nov 2010. Available from http://en.wikipedia.org/wiki/Web_of_trust.

4. Access control [internet]. Wikipedia; Accessed 14th Nov 2010. Available from http://en.wikipedia.org/wiki/Access_control.

5. Van Thanh D, Jørstad I, Jønvik T, Van Thuan D. Strong authentication with mobile phone as security token. 2009 IEEE 6th International Conference on Mobile Adhoc and Sensor Systems. 2009:777-782.

6. Pearce M, Zeadally S, Hunt. Assessing and improving authentication confidence management. Information Management and Computer Security. 2010;18(2):124-139.
