If you want to protect your sensitive data, and it’s exposed to the Internet, you have to choose between multi-factor authentication (MFA) and a basic password. On your internal network you may have additional safeguards in place to keep the bad guys out, but when you have data exposed to the Internet, it should be protected. This means you protect it with tools like encryption when it is at rest and in transit, and you strongly authenticate users when they access it. You really only want people who are authorized to be able to log on and see that stuff.
Single-factor authentication would include using a password or PIN to log onto a web application, or your Windows domain when you get to work in the morning, for example. For many users this is quite adequate. If someone steals your password and the worst they can do is screw up your data or see your email, and this doesn’t put your company at risk, then your company may do fine with a simple “90-day” policy for changing your password. Two-factor authentication would add another requirement in addition to your password or PIN (something you know), such as a piece of hardware (something you have: a key fob or card) or a biometric (something you are: a fingerprint or iris scan). Traditionally, two-factor authentication is implemented by having both basic logon credentials (username/password) and a hardware token that generates a unique code every 60 seconds, somehow synchronized with a server on the other end. These two layers together are much more effective at allowing only the people you want to connect.
Do not fool yourself into thinking that adding a PIN or a second password is really strong authentication. In that case, you are really just using two “things you know”, and these can be captured by keystroke loggers if you type them into a kiosk at the airport that has been compromised. What you really want for MFA is more than one layer of authentication, each relying on a different secure method of entry.
Two-factor authentication (TFA) is also important for non-repudiation. This means that if you have a good way of verifying that the person is who they say they are when you give them a key fob, then you have a high degree of confidence that transactions using TFA can be trusted.
Let’s face it, passwords suck. They are somewhat convenient, but unless they are overly complex (requiring you to write them down or keep them someplace electronically) and changed frequently (which leads again to forgetting them, and higher help desk costs), they are not a major hurdle for a motivated individual. One-factor authentication is, however, “what we’re stuck with” until we have some ubiquitous second factor easily added on, which means card readers, USB, biometric readers, etc. These have to be ubiquitous if we want a single solution for everybody. Otherwise, it is often prohibitively expensive for companies to bear the burden of deploying readers, and it is difficult to convince managers that people should carry a “second-factor”. But, passwords still suck.
[*Unless we are simply IT managers and not really security-minded professionals who want to really do something legitimate to keep out the bad guys, in which case pins and pictures and passwords are usually adequate to keep you out of jail. They don’t really protect your data well.]
I’ve done extensive research into what is out there, and (again, since there is no industry standard solution built-into all hardware) there is no one-size-fits-all solution. However, if your company has sensitive data they want to protect, regardless of what Uncle Sam is “making” you do, it should be protected better than simply with a basic password. Of course, this comes down to a risk analysis, and the cost of the solution has to be compared to the cost of exposing the data. Also, you need to look at how people use your solution. If they are going to write a pin on the back of a token and pass it around, or if your vetting process sucks, then the results will also be poor.
The online banking sites that use additional layers of “what you know” may do somewhat better than just having a simple password. By that, I mean if they don’t just use a second pin or password, and ask specific questions or use a complicated picture scheme like http://myvidoop.com, then for many casual attacks this is better than just a password. However, if you have a collaboration tool exposed to the Internet, and you allow 20,000 internal employees to access it, and it contains sensitive data, you have to expect that SOME of the employees will be coming from exploited computers with keystroke loggers and perhaps even screen capture trojans that will totally subvert these kinds of 1-factor solutions. Once they have access from ANY employee’s account, they may have the ability to view a LOT of compartmentalized data or sensitive conversations.
Giving someone a poorly vetted, or potentially exportable, certificate is also not a great solution: to really have PKI in use you need to properly vet the certificate for each user and for each machine that user uses, and that is unwieldy and expensive to deploy and manage.
Two-factor hardware and software tokens, or out-of-band solutions like SMS/call-back phone solutions, are all good, but seldom will one solution fit well for all your use cases. Many people hate using hardware tokens. Not everyone has a phone, or has reception when they need it – but more and more people do have at least a personal cell phone, and SMS is becoming much more reliable than it used to be in the US (it was reliable in Europe well before it was in the US). You can come up with a whole infrastructure and provide people choices if you want, but that may be more expensive and harder to manage, while providing more flexibility and usability for the end-users.
What I am considering seriously as an intermediate offering is something that is more like “1-factor + controls”. You may consider evaluating the RSA “behavioral solution” which uses the same methodology they use with many banks to audit user activity and when it becomes more suspicious than some threshold you set, it will trigger some out of band confirmation that is strong, like an SMS message or so on. This behavioral software allows most users to just use one-factor, the password, but when it sees a user logging in from two different countries at the same time, logging on at times that are unusual for that user, etc. it will raise the authentication bar, so to speak. I am not sure if this will prove to be a good intermediate method, but I am hoping it will and won’t also prove to be too expensive.
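The “1-factor + controls” idea above, as an added example (not the RSA product or any code from the original post): a small risk scorer that baselines each user's history and raises the authentication requirement to an out-of-band confirmation only when a login looks suspicious, using the two signals the post names (two countries at the same time, an unusual hour) plus a never-seen country. The login history, weights and the step-up threshold are constructed assumptions; the threshold is the knob the post says you set yourself.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    user: str
    ts: int         # unix seconds of the attempt
    country: str
    hour: int       # local hour of day, 0-23
    success: bool = True


# Constructed sample history: alice logs in daily from the US during office hours.
BASE = 1_700_000_000
HISTORY = [Login("alice", BASE + i * 86400, "US", 9 + (i % 3)) for i in range(20)]

IMPOSSIBLE_TRAVEL_WINDOW = 2 * 3600  # another country within 2 hours = "same time"
RARE_HOUR_FRACTION = 0.05            # an hour seen in <5% of logins is "unusual"
STEP_UP_THRESHOLD = 25               # tune to taste; any single rule trips it here


def risk_score(attempt: Login, history: list[Login]) -> tuple[int, list[str]]:
    """Score one login attempt against the user's own successful-login history."""
    mine = [h for h in history if h.user == attempt.user and h.success]
    if not mine:
        return 100, ["no history for user"]  # nothing to baseline against
    score, reasons = 0, []
    # Rule 1: a session from a different country too close in time to this one.
    for h in mine:
        if h.country != attempt.country and abs(attempt.ts - h.ts) < IMPOSSIBLE_TRAVEL_WINDOW:
            score += 70
            reasons.append(f"login from {h.country} within travel window")
            break
    # Rule 2: a country this user has never logged in from.
    if attempt.country not in {h.country for h in mine}:
        score += 30
        reasons.append(f"new country {attempt.country}")
    # Rule 3: an hour of day this user almost never uses.
    hours = Counter(h.hour for h in mine)
    if hours[attempt.hour] / len(mine) < RARE_HOUR_FRACTION:
        score += 25
        reasons.append(f"unusual hour {attempt.hour}")
    return score, reasons


def auth_requirement(attempt: Login, history: list[Login]) -> str:
    """Password only for normal behaviour; out-of-band step-up above threshold."""
    score, _ = risk_score(attempt, history)
    return "step_up_out_of_band" if score >= STEP_UP_THRESHOLD else "password_only"
```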
I would personally love to just tell all our employees and partners to go out to Verisign and buy a $20 VIP card that will let them authenticate to a number of federated sites like eBay and PayPal. I suspect that people will routinely carry second-factor authenticators in the future, like a card or fob – unless something like reliable biometric readers, or card readers become ubiquitous from the hardware vendors. (Barring some mandate, I don’t see that happening.)
Other alternatives include telling your business owners that they can’t put anything sensitive on external facing sites, etc. If this is self-policed by the data-owner, it will probably not work well. I am seeing some companies moving to a DLP solution, but that can be darned expensive and it requires that you have a strict data classification policy. Another alternative is more passive, which is running eDiscovery tools to find sensitive data and then remove it from those sites. However, if removing all sensitive data is going to break your ability to collaborate or have transactions, you really need 2-factor authentication and a fairly good vetting method.
To be frank, while many companies require their suppliers and employees using remote access to use strong authentication of some sort, they aren’t good about enforcing a rule that sensitive data not be exposed to the Internet. In the case that the data is high profile, like PCI data or engineering drawings, the business is going to do a pretty good job of putting it behind existing 2-factor protected standard access solutions. Other stuff, like speculative discussions, potentially sensitive data files and collaboration tools like SharePoint, is much less policed. Based on my years with the government and my experience with how compartmentalized data can be exploited, I suspect that this is fodder for the industrial spy, even though it may not be a blueprint or contract.
I “think” the behavioral monitoring tools might be a good intermediate solution, but I have more work to do before I will say that for certain. These other (picture/passphrase/etc.) solutions are exploitable unless they incorporate properly vetted certificates or some kind of two-factor authentication. There is just no substitute for 2-factor, and there probably won’t be. That means you either roll out new hardware (tokens/cards), use an out-of-band solution that leverages already deployed hardware (like cell phones or company laptops), or force people to buy into a federated solution (i.e. Verisign). Even the behavioral tools are not a panacea, as they ratchet up to actual 2-factor when people are not acting in a pre-determined “normal” way. But they may be seen as single-factor by the majority of users who always transact business the same way.
That’s my best take on the subject. If the customer data is not truly sensitive, and business owners prefer to use some method of obscuring the data with a proprietary schema and/or encryption, or some other method, that may also work for programmatic transactions. I’ve seen this done between data processing devices and backend (non-web) apps running on special ports, with no special level of authentication. But, I don’t see how this would work if individuals have to log onto a web app. The devil’s in the details.
February 23rd, 2009 by John
As part of our research I read your article with interest. We at OEM Partnership take ID Theft & Fraud seriously and have developed a software program that hides your sensitive data and enables access to it via a Picture of your choice. No more Usernames and passwords to remember. Check out our free product at http://www.picturepin.co.uk