Thursday, October 22

Two Factor Authentication is Worth Nothing?

Apparently, Roger Dean, executive director of EEMA, recently declared two-factor authentication “not worth anything anymore.” According to the article, Dean's thinking is that man-in-the-middle (MITM) attacks render strong authentication useless.

Isn't that like claiming that firewalls are worthless because they don't prevent viruses from being installed on desktops? Strong authentication (which includes two-factor) was never intended to prevent MITM attacks. That problem was already (theoretically) solved with SSL.

Perhaps Dean was reading Bruce Schneier's thoughts from back in 2005. I get it. Issuing tokens to users is not a panacea. But there is no cure-all in the security space. We rely on SSL to establish secure links to sites, which should both identify the site as being who it says it is and prevent snooping. Theoretically, that end-to-end encryption and use of trusted certificate authorities is what would prevent MITM attacks.

But even when using SSL correctly (and assuming there are no flaws in SSL), there is still an authentication challenge that strong authentication techniques such as two-factor rise to meet. Without it, users may share credentials or use weak passwords, exposing numerous other potential attack vectors.

I think Dean's frustration is focused in the wrong direction. Strong authentication techniques are good at what they do and (still) have their place in the security infrastructure. I think the problem he's seeing mainly lies in the user interface of SSL. Like any good security feature should, it does a good job of staying transparent to the end user. But a little too good. So good, in fact, that most users don't even know when it's not there. And that's the problem.

If we could force users to look for and expect the SSL connection and to confirm the domain to which they're connected, phishing and MITM would become immediately unprofitable. I'm surprised browser vendors haven't done that yet (and EV certificates are not the answer). Personally, I'd want to see a whitelist approach for personal banking and other regular-use sites, coupled with a per-use hoop to jump through for occasional other data transfers.
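To make the whitelist idea concrete, here is an added example (not code from the original post or from any browser vendor) of the decision a browser-side check could make: regular-use sites are whitelisted with a pinned certificate fingerprint, anything else gets the per-use confirmation hoop, and a whitelisted site reached without TLS or with an unexpected certificate is blocked rather than silently shown. The domain, certificate bytes and fingerprints are all constructed sample values.

```python
"""Whitelist-plus-pinning decision for regular-use sites (added example)."""
import hashlib
from urllib.parse import urlsplit

# Constructed sample data: the DER bytes a bank's real certificate would have,
# and a whitelist mapping hostname -> SHA-256 fingerprint of that certificate.
FAKE_BANK_CERT_DER = b"constructed-der-bytes-for-bank.example"
WHITELIST = {
    "bank.example": hashlib.sha256(FAKE_BANK_CERT_DER).hexdigest(),
}


def cert_fingerprint(cert_der):
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def classify_connection(url, presented_cert_der, whitelist=WHITELIST):
    """Return one of ALLOW, BLOCK_NO_TLS, BLOCK_PIN_MISMATCH, CONFIRM_REQUIRED.

    presented_cert_der is the leaf certificate the server actually sent
    (None when the connection is plain HTTP and there is no certificate).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")

    # Exact hostname match only: 'bank.example.evil' and 'bank-example.com'
    # are simply not whitelisted, so they fall through to the per-use hoop.
    if host not in whitelist:
        return "CONFIRM_REQUIRED"

    # The transparency problem from the post: the SSL connection is absent and
    # the user would not notice. For a whitelisted site that is a hard stop.
    if parts.scheme != "https" or presented_cert_der is None:
        return "BLOCK_NO_TLS"

    # TLS is present, but the certificate is not the one this user expects.
    # Chain validation alone would pass a CA-issued impostor; the pin does not.
    if cert_fingerprint(presented_cert_der) != whitelist[host]:
        return "BLOCK_PIN_MISMATCH"

    return "ALLOW"


if __name__ == "__main__":
    for u, c in [("https://bank.example/login", FAKE_BANK_CERT_DER),
                 ("http://bank.example/login", None),
                 ("https://bank.example/login", b"some-other-certificate"),
                 ("https://bank.example.evil/login", FAKE_BANK_CERT_DER)]:
        print(u, "->", classify_connection(u, c))
```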

But don't blame strong authentication for SSL's incompetence.

Friday, October 9

Cloud-Based Strong Authentication

Yesterday, RSA and Verisign announced a partnership on cloud-based secure authentication for the consumer market. Pretty interesting stuff. The management of these organizations should be commended for looking past their competitive rivalry to identify a new business opportunity.

The solution isn't new. Verisign has been offering its VeriSign Identity Protection (VIP) authentication services for quite some time. I've had a token that I use with my PayPal account (and my OpenID) for the past couple of years (made in China by ActivIdentity). But adoption of the offering has been less than overwhelming.

We could probably all count on one hand the number of people we know with a non-work-based authentication token. And most of those are likely tokens handed out by banks and other financial companies that are tied to a single account. The VIP solution gives you a token to use across multiple sites. And there are a few other perks as well.

I don't know what they charge to add this strong authentication to your site. But, I expect that it's more competitive than implementing your own solution. And the end-users benefit from a single token that can be used across systems.

RSA hasn't been wildly successful in getting tokens into the hands of consumers. So, partnering with Verisign seems like a good move - leverage an existing solution to sell more product. And Verisign customers benefit from more choice. RSA has a lot of token options and some are impressive. Their manufacturing is done at their headquarters in MA and the quality assurance process is top rate (I've been through the tour).

In addition to overall quality, some provide additional convenience as well, such as a token with an integrated smart chip (for access to encrypted laptops and digital signing) or the software tokens for BlackBerry, iPhone, Win Mobile, etc. that don't require an additional piece of hardware. I should note that the release only mentions hardware tokens, but in the consumer market, it would be a bad move to restrict usage to hardware only.