Avoiding the pitfalls of authentication based IT security

SMS Passcode: 10 November 2014 (Special Report)
David Hald, co-founder and chief relation officer of SMS PASSCODE, provides a step-by-step guide to understanding the common pitfalls of authentication-based security.

Everyone wants to save a buck. However, trying to get a product or service for the least money can have its pitfalls. It’s easy to focus too much on the cost-saving element, while taking a perfunctory approach to ensuring that the product delivers the level of quality needed to be truly effective. (E.g., that umbrella might be 90 percent off because it has a giant hole in it.) But hey, if two products share virtually identical names, and are in the same category, they do the same thing, right?

Many take this approach with multi-factor authentication (MFA) methods. Price alone is not in any way an adequate or appropriate means of decision-making. Protecting remote access to business applications is so critical, and such important differences exist among the offerings, that serious research of the market is required. It may indeed turn out that the best offering is not the most expensive one, but a lack of awareness of the market and of the relative merits of various approaches can lead to a “good enough” purchase based on assumptions and cut corners. When it comes to protecting against phishing, late-arriving codes and hard-to-use applications, “good enough” simply isn’t.

Factors in Choosing Multi-Factor Authentication

With today’s sophisticated and relentless cyber threats, the level of security offered by a mobile-based multi-factor authentication approach is a true deciding factor. Pre-issued passcodes are no longer a best practice and should be avoided. Many authentication platforms operate similarly to token-based technologies, with pre-issued one-time passcodes derived from a seed file. If codes are pre-issued, they are vulnerable even to simple attacks such as phishing, or to unauthorized use or theft of the seed files. This is not just a theoretical risk: it has happened before, requiring the replacement of millions of hardware tokens. If the authentication code is defined before the login takes place, the code is not linked to any specific login and can be stolen and used for a malicious login session. Because the code can be obtained by phishing, the system’s security can be significantly compromised.

Challenge- and session-based security is another key distinguishing factor. Being challenge-based creates the foundation for organizations to set up highly secure remote login systems. With this approach, a code is generated only after the login session has been created. By waiting to generate the code until after the session exists, instead of relying on a pre-set bank of existing codes, the authentication system can see which computer workstation the login request is coming from. A code is then created and linked to that computer, so the code can only be used from the same machine from which the request was originally initiated. If for any reason the code is intercepted, it cannot be used on any other device. This helps protect against even more sophisticated attacks.

One-time passcodes (OTPs) have become a popular element of authenticating remote access to business or cloud applications. When implementing a multi-factor authentication platform that uses SMS as the delivery mechanism for the OTP, the reliability of the SMS arriving on time becomes mission-critical. There is a significant difference between the code arriving within 10 seconds and arriving after two minutes. Some authentication providers claim that SMS delivery is not reliable enough and, as a result, encourage the use of pre-issued codes. However, this lowers the level of security significantly because the OTP cannot be generated in real time. This is a dangerous trade-off to make. Because of this, one should consider an approach that is real-time and challenge- and session-based, and that also offers a robust delivery mechanism to ensure reliable use of passcodes generated in real time.
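The challenge- and session-based flow described in the two paragraphs above, as an added example that is not SMS PASSCODE's code and not from the article: the session is created first, the code is generated for that session, and verification succeeds only from the same session and client fingerprint, once, within the validity window. The `client_fingerprint` identifier, the 120-second validity window and the three-guess limit are assumptions; a pre-issued code check is shown alongside for contrast.

```python
import hashlib, hmac, secrets, time

# Assumed parameters for this example; the article gives no specific values.
OTP_TTL_SECONDS = 120   # a code expires this long after it is issued
MAX_TRIES = 3           # wrong guesses allowed before the challenge is voided

def _mac(sid, fingerprint, code):
    # The server stores only this keyed digest, never the code itself.
    return hmac.new(sid.encode(), f"{fingerprint}|{code}".encode(),
                    hashlib.sha256).hexdigest()

class SessionBoundOtp:
    """Generates a passcode only after a login session exists and ties it to that
    session and to the client's fingerprint (a hypothetical workstation identifier)."""

    def __init__(self, now=time.time):
        self._now = now         # injectable clock so expiry can be tested
        self._sessions = {}     # session id -> state of the pending challenge

    def start_session(self, client_fingerprint):
        # Step 1: the login attempt creates the session before any code exists.
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"fp": client_fingerprint, "mac": None,
                               "exp": 0.0, "tries": 0}
        return sid

    def issue_code(self, sid):
        # Step 2: a fresh random six-digit code generated for this session only.
        s = self._sessions[sid]
        code = f"{secrets.randbelow(10 ** 6):06d}"
        s.update(mac=_mac(sid, s["fp"], code),
                 exp=self._now() + OTP_TTL_SECONDS, tries=0)
        return code  # handed to the SMS gateway, never echoed back to the browser

    def verify(self, sid, client_fingerprint, code):
        # Step 3: accept only from the same session and machine, once, and in time.
        s = self._sessions.get(sid)
        if s is None or s["mac"] is None or self._now() > s["exp"]:
            return False
        if not hmac.compare_digest(_mac(sid, client_fingerprint, code), s["mac"]):
            s["tries"] += 1
            if s["tries"] >= MAX_TRIES:
                s["mac"] = None  # void the challenge after repeated wrong guesses
            return False
        s["mac"] = None          # single use: replaying the same code fails
        return True

def preissued_verify(seed_codes, code):
    # The model the article warns against: a pre-issued code is tied to no session.
    return code in seed_codes
```

In the pre-issued model a phished code is accepted from any machine; in the session-bound model the same code is rejected from any other session or fingerprint, after use, and after expiry.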

Organizations may be drawn to using apps for their mobile authentication needs. It’s easy to see why: apps have become a part of daily life for most people, creating a high familiarity and acceptance rate. However, as an authentication mechanism, the “coolness” of the mobile app will quickly fade once an organization starts deploying it in the business environment. Making sure an app is successfully deployed to everyone in an organization will not be hassle-free, and neither will maintaining compliance so that everyone is using the most up-to-date version. If an organization opts for an approach that requires user-deployed software, it drastically increases dependency on users, since the success of the implementation relies on all users having the software deployed and up to date. In addition, the technology relies on all users having a smartphone, which is not always the case. Some mobile apps also require a data connection to work, which can be impractical and expensive for employees to use while traveling.
How much adaptive support is available is another differentiator when considering mobile-based multi-factor authentication technologies. A best practice is using contextual information, such as login behaviour patterns, geo-location and the type of login system being accessed, to help authenticate users logging in remotely. For example, if the user is logging in from a trusted location that they have logged in from before, such as the user’s home, they will not be prompted for an OTP. On the other hand, if the user is attempting to log in while traveling (i.e. from an airport lounge or a hotel with public Wi-Fi), then an OTP is mandatory to gain access.

Challenge- and session-based security, OTPs, the feasibility of apps, the timeliness of authentication codes and the level of adaptive support: all of these factors must be seriously considered when choosing a multi-factor authentication approach. It’s critical to move beyond the “price only” mindset that wants to choose a “good enough” offering if you hope to keep your data secure. Otherwise, that great deal you got could end up costing you money, customers and reputation.

About the Author

David Hald is a founding member of SMS PASSCODE A/S, where he acts as a liaison and a promoter of the award-winning SMS PASSCODE multi-factor authentication solutions. Prior to founding SMS PASSCODE A/S, he was a co-founder and CEO of Conecto A/S, a leading consulting company in the area of mobile and security solutions, with special emphasis on Citrix, Blackberry and other advanced mobile solutions. At Conecto A/S, David worked on strategic and tactical implementation in many large IT projects. David has also been CTO in companies funded by Teknologisk Innovation and Vækstfonden. Prior to founding Conecto, he worked as a software developer and project manager, and headed up his own software consulting company. David has a technical background from the Computer Science Institute of Copenhagen University (DIKU).

© 2012 ProSecurityZone.com