Convenience and security.. when you loose a factor..

I noticed recently that the application I use for securely accessing email and other office related things had been updated to accept my fingerprint instead of a PIN.

While this is indeed convenient and it saves me the 2 seconds of inputing my 6 digit PIN, however it does mean that an authentication ‘factor’ has effectively been lost.  Previously I used my fingerprint to unlock my phone, then a unique PIN to access the email application.

Stepping back briefly, for those not familiar with authentication, when we refer to factors we are basically talking about different ways of authenticating yourself.  These are usually split into;

  • Something you KNOW – e.g. a password / passphrase / PIN
  • Something you ARE – e.g. biometric things like finger prints, voice recognition etc.
  • Something you HAVE – e.g. your bank card / credit card, a ‘token’ that generates pseudo random numbers or a device like a phone (but do you really trust your phone to be secure as much as a credit card?..)

Things like risk based authentication based on combinations of your and your devices behaviour may also be considered, although standards like the upcoming PSD2 (Payment Services Directive 2) don’t yet formally consider these a factor.  I personally believe that they should be, but this is really a decision for your organisation around how much they trust different forms of authentication.

As a side note, authentication is, and should be considered more of a ‘shades of grey’ rather than ‘black and white’ exercise.  What I mean by this is – for any given action do we trust enough that dave is dave in order for him to proceed?  If not then we should request further authentication such as another factor or further information in order to allow the next action.

So back to the factors, and why they are important.  Many sites may have a variety of ways of authenticating you like passwords, PINs, the challenge / response questions such as what was your first school, identify the image you chose previously… – the issue here as you have no doubt worked out is that these are all ‘something you know’.  So no matter how many questions a site asks you, it is still single factor authentication.

The reason why we prefer multi-factor authentication vs. single factor is it is much less likely that a malicious actor will have access to multiple factors.  For example they may find your password, but not have your fingerprint, or they may have a copy of your fingerprint from your device, but not know your PIN etc.

This is why I question the reliance by many applications, including financial ones on just asking for your finger / thumb print again.  While I recognise that the device (phone in this case) may be considered a factor in terms of being something you have, I question how much we can trust such an untrusted device as an authentication factor.  Is this a tiny extra bit of convenience at the expense of security?

Were other capabilities such as device and behaviour analysis are not in play, then yes I believe it is a loss of security.

The caveat here brings us back to my earlier point, regardless of the other factors in play, we should and must make use of the rich data we have about user and device behaviour. By these I mean the status of the device / browser accessing our systems.  Can we detect malware?  Where have we seen the device before? When? what else do we know about it? – O/S versions, software etc.  Similarly for the individual, what are their usual behaviours on our systems?  How much do they purchase? What devices do they usually access them from? etc.

What is the point of this discussion?

  • Consider convenience vs. security
  • Play close attention to the components and factors in your authentication flow; If you consider a device ‘something the user HAS’ do you really trust it enough?
  • Make use of risk based and step up authentication; When the users is performing low risk activities, allow a seamless path.  When they want to perform something higher risk, step up the authentication and ask for more information such as another factor.
  • Possibly most importantly, make use of the risk data you can gather about the user and their device(s) in order to make the most informed decisions that balance risk vs. convenience and ‘the happy flow’ through your systems

 

It would be great to hear your thoughts on this topic!

K

 

 

Using passwords for authentication

Recently when researching form my Masters project I came across some studies about users and password use.  I think we now know that passwords should be dead and replaced / augmented by something better such as two factor authentication using token or biometrics.  However many systems still rely on usernames and passwords.

In terms of business, in order to improve security many companies now add two-factor authentication when logging in remotely so the user enters their username, some sort of pin or password and a value from a hardware or software token.  This helps with the issues around passwords when remotely logging into systems such as when working from home, it does nothing to improve the security of logging in with just a username / password in the office.

The traditional assumption has been that it is OK to use just username / password when logging in from a more secure location such as the office when you are already connected to the trusted network.  Assuming your business uses modern operating systems that employ salted hashes for any password storage or transmission the issue it not with someone malicious managing to ‘sniff’ the password while it is in transit, or getting hold of the password store.  However what of the users who use the same password for multiple systems?  If your users log into insecure web sites using the same or very similar passwords to those they use to log into the secure business systems?

Studies have shown that nearly all users re-use passwords.

In addition users will tend to use the least complex, easiest to remember password possible – so while your businesses chosen level of complexity may have a password space of xxxxx passwords, the users passwords may actually tend to occupy a much smaller space, or be easy to guess despite meeting the password complexity requirements.

People will also tend to write down passwords that are too difficult to remember easily.

So I’d strongly recommend moving away from just relying on passwords and utilize some form of multi-factor authentication even within the office environment.  This is not as difficult as it may sound – most (all?) modern operating systems support multi-factor authentication out of the box.

If you cannot move away from just relying on passwords then a use education program is a must.  A good password is not just a complex one, it must combine complexity and being difficult to crack with also being easy to remember for the user.  If users can understand both the password policy and the rational for that, along with ways to come up with strong passwords that are easy for them to remember this will lead to a more secure environment.

Interestingly, we again come around to user education and training being a key component of a defense in depth security strategy.

K