Two-Factor Authentication: The TruthHow to Separate Myths from Realities
In light of evolving fraud threats, financial institutions increasingly are turning to two-factor authentication solutions. Alex Doll, CEO of OneID, offers advice to help institutions make the right choices.
With the ubiquity of smart phones, now is the time for organizations to roll out two-factor authentication solutions that take advantage of mobility, Doll says.
But fraudsters are keeping pace, introducing mobile malware variants and ramping up social engineering schemes that are able to crack some second factors of authentication.
Because fraud is evolving, two-factor authentication must, too.
"We have to do better for the users," Doll says, meaning that the users need more granular information about the transactions they are being asked to approve, and institutions need to employ better device ID technologies to help ensure they are communicating with the right users.
"And we can't design two-factor authentication that is unique to a communications channel," Doll says. SMS alone isn't 100% reliable. "But the phone has built-in many communications channels," he adds. "3G, 4G, WiFi, SMS - solutions that will work are going to take advantage of all communications channels that are on the phone."
In an interview about the myths and realities of two-factor authentication, Doll discusses:
- The current threat landscape;
- How organizations are successfully deploying two-factor solutions;
- How to keep customer experience top-of-mind in a two-factor rollout.
Don't miss OneID's new five-part authentication series of blogs, covering topics ranging from the five most common security attacks to how to ensure a secure identity system.
Doll is a seasoned technology executive with more than 20 years of experience in the security, software and Internet fields. He was co-founder and Chief Operating Officer of PGP Corporation - a global industry leader in encryption and trusted data protection - and has a track record for building high performance teams across business development, marketing, finance, product development and sales. Personally impacted by the Stratfor breach and tired of using password recovery systems, Doll is passionate about the need for more secure digital identity systems.
Two-Factor - Why Now?
TOM FIELD: Two-factor, why is it such a timely topic now?
ALEX DOLL: The easiest thing is there's a billion smart phones out there in the world and everybody's figured out that the mobile phone has a role to play in the future of authentication. More recently, some big names, some thought-leaders in the space, early-adoption people like Apple and Google, have enabled two-factor authentication for some of those users.
The other reason it's so timely is it seems to be a popular response for those who have been breached, particularly even in the last couple of weeks and months. Both Evernote and Dropbox are some examples of very popular and great websites that were unfortunately victims of a username-password breach. The remedy that they selected and put out for those security breaches was a two-factor authentication response.
FIELD: You mentioned mobility. You talk about a couple of recent breaches. Tell us: how do you see the threat landscape evolving?
DOLL: The threat landscape of the last decade, a lot of consumer authentication revolves around malware on our endpoints, and we're seeing a lot of how malware has evolved into mobile. Phishing was kind of and still is, unfortunately, a very rampant and successful endeavor. What's happened in the last couple years is instead of going after consumers on a one-to-one basis, the criminals have figured out they can steal by the ten million and 100 million fold, and they're successfully able to lift large amounts of usernames and passwords. It seems what that points to is this shared secret - a username and password, something that's shared between me and the user and the website I'm logging into - is a broken system. A lot of what's happened recently is people have figured out that they can use two-factor authentication as a solution to that. Some of the early approaches are effective against the last decade to the problem.
But more recently, on a very sophisticated front, we're seeing attacks like Eurograbber in the European banking system that's effectively a man-in-the-browser attack, and it's designed and written to intercept the SMS push or the two-factor authentication push. Here's another example I like to point out where two-factor authentication isn't really working. In the Australian Telecom Union, there's already been evidence of people hacking into the SMS channel successfully and man-in-the-middling SMS messages, and they advised the banks in Australia to cease the use of SMS as an authentication mechanism.
Finally, good old pre-texting or good old social engineering is alive and well, even in the two-factor authentication world in India. There have been cited cases where people are walking into telecom stores and presenting fake IDs and getting new SIM cards for phones and using it to approve a bank wire transfer for a username and password that they stole. As much as we've done to solve last decade's problems there's a whole slew of new initiatives that are already designed to compromise two-factor authentication.
FIELD: I'm glad you gave us that overview of the landscape, and particularly you touched upon some of the exploits. Given what you've told us, how does two-factor have to evolve to adapt to this changing landscape?
DOLL: The first thing is we have to do better for users. We have to put in front of users the information specific to a transaction that we're asking them to approve. For example, with wire transfer, our customers are doing things like saying, "Wire transfer originating from credit union A to this account - please approve for this amount." That's the level of granularity that should be put in front of users in asking for approval on the second factor. The technology is there to do that today.
The second thing we need to do is I mentioned this notion of a one-time password. We have the capability today to cryptographically sign the transaction that the user is seeing at the endpoint, and this is very valuable. It allows us liability reduction, or a kind of detailed amount of, technically speaking, non-repudiation out to a device-specific key on that transaction. That has great benefits for both the users seeing what they're doing, but also for the bank and everyone in the system knowing exactly what was approved and exactly what device it was coming from.
The third thing is we can't design two-factor authentication that's unique to a communications channel. A lot of our customers are coming to us because SMS, number one, isn't always reliable. As we saw in the Australian example, it's already been compromised. But I think the phone has built in it many communication layers - 3G, 4G, Wi-Fi and SMS - and I think the solutions that are going to work will take advantage of all communication channels that are out there on the phone.
FIELD: We started this conversation with the topic of myths and realities. What would you say are some of the most common misunderstandings about two-factor authentication?
DOLL: The biggest misperception about it is it's not something that today you can just go out and find in your identity system. What you really have to do to make two-factor authentication work today in the solutions that are out there is if they buy a server or procure a service [that's] unique to you.
The second biggest myth out there is turning two-factor authentication on will end up securing your users and protecting you against threats. When you turn on a server unique to your bank, you're going to enroll the user's mobile phone in that server. Right next to their username and password authentication secret - the first-factor authentication secret - you're going to write the second-factor authentication secret. As we talked about, that's where the breaches are occurring today.
The other big myth that we've seen is if you build it, they will come. The two-factor authentication solutions put out on the market, unless they're mandated or forced by a bank or by a website, aren't being used. Users aren't taking to them naturally. The best practices that we're seeing in our customer base is people are requiring OneID and two-factor authentication for transactions like a wire transfer, brokerage confirm, or adding a user to an account. Say I'm going to add a family member or someone to my account. Those are the types of transactions that are easy for a user, number one. A credit union or a financial institution will establish security credibility with their user base by doing it this way .... Number two is they get real security value that users will use and that they will benefit from.
Two-Factor and Users
FIELD: You mentioned the users. What are some of the user implications of two-factor authentication?
DOLL: Two-factor authentication has been very helpful in stemming phishing, stemming malware on devices and providing some increased level of security for financial institutions and users alike. I think we've only really begun to scratch the surface around the user requirements of two-factor authentication. If we think about the notion of rolling out two-factor authentication unique to every website, this will start to sound a lot like the username and password problem. And like the username and password problem, two-factor authentication, as it's being contemplated, could be the sequel. From a user's perspective, if I lose my phone or if I want to change a phone number, I really don't want to have to think about going to 10, 50 or 100 websites and changing it, similar to what happens today if I have to update a credit card or my credit card is breached.
OneID has a nice solution that allows users to enroll OneID, and the bank simply puts the confirmation into there. It explodes and kicks the right use cases. An example of that would be you buy 100 shares of General Electric at this price from this website, and I can approve that level of granularity on the first site that I go to that has OneID. Then, when all subsequent websites ask for my two-factor authentication that's enabled with OneID, I don't have any enrollment friction.
FIELD: Let's talk about financial institutions specifically. How are they deploying two-factor to better conform with the FFIEC authentication guidance?
DOLL: Compliance is a great motivator. Unfortunately, we love being in regulated industries here in financial institutions. We help our customers meet and exceed those compliance directives. The FFIEC guidance came out, and then it was updated recently in particular elements. The use of dual-customer authorization through different access devices is a goal of the latest directive. Two-factor authentication is a clear way of not only meeting that directive but actually exceeding it by quite a bit and delivering real security.
The guideline also calls for the use of out-of-band verification for transactions. I think it's probably self-evident how two-factor authentication will really help banks comply and quite literally exceed that by a long shot. They use it to do things like step up authentication or other things that are required. I think that there's a big movement coming that comes out of the guidance to give users themselves control on their account activities. An example of that is OneID.
While a bank can certainly require and our customers do require two-factor authentication for certain transactions, users themselves can turn on settings. [For example], whenever I'm on my mobile phone I want to require an enhanced authentication event or I want to require that I'm going to tap in my PIN when I do anything over $100. Giving users this level of control is something that I think is directly germane to this compliance directive. More importantly, it's just good business practice. It doesn't do anything to take away from anything the bank's doing, but it really reduces the overall risk of the system that's giving users some of their own control.
The final element on that is there's a call in the compliance directive for advanced device identification techniques. OneID actually has a cryptographic key unique to each device, and we quite literally have the highest level of non-repudiation unique to a device that you can. That's a fourth way that we really help financial institutions meet the FFIEC directives on compliance.
FIELD: You just produced a blog series on two-factor that really caught my eye. Tell us what the key message is about a successful rollup in a customer environment. What works and what doesn't work with customers?
DOLL: We just produced a five-part series on two-factor authentication on the OneID website and the OneID blog. We cover some of the same content we've gone through today - myths and realities of two-factor authentication - and we reviewed some of the common attacks in a little more detail and how the attack went as it evolved from focusing on the consumer side to focusing on attacking the bank and credit union side more directly. We talk about the big secret of two-factor authentication: Don't tell anybody, but users aren't really adopting it. There needs to be a whole series of best practices and users need to be brought along, just like mini-technology rollouts that are new.
This is a big time in the industry and a big opportunity where we can do this right, we can really deliver security and better user experiences, take advantage of the one-billion mobile phones and take advantage of the users' outrage with usernames and passwords and their known proclivity and known attraction to mobile devices. Users are taking to them; they're using them. We have a role to play in the security industry and in the banking industry to help users connect and be more secure. And, by the way, in the progress, we will help ensure that we're not the next data breach victim at our bank or credit union.