Computerworld

The hidden dangers of "good enough" authentication

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

While it's human nature to make comparisons, not all comparisons are helpful or accurate. When comparing a Porsche and a Volkswagen, for example, the most you can say is that they are both vehicles. They have wheels and doors and engines, and will get you from Point A to Point B, but that is where the comparison ends.

In a similar vein, not all multi-factor authentication approaches are the same. The variances can mean the difference between true security and susceptibility to phishing, between timeliness and late arrival of authentication codes, and between user-friendly and hard-to-use applications.

The first thing to beware of when considering multi-factor authentication tools is pre-issued passcodes. Many authentication platforms operate similarly to token-based technologies, with pre-issued one-time passcodes derived from a seed file. If codes are pre-issued, they are vulnerable to compromise, for example through unauthorized use or theft of the seed files. This is not just a theoretical risk; it has actually happened before, requiring the replacement of millions of hardware tokens. If the authentication code is defined before the login, it can be stolen and used for another login, meaning the system's security can be significantly compromised and the code can be exploited by phishing.

A second important factor is the significant benefit that challenge- and session-based security brings to the table. Being challenge-based enables organizations to set up systems that make employee remote logins even more secure. With this approach, a code is generated only after the user session has been confirmed. By waiting to generate the code, instead of relying on a pre-set bank of existing codes, administrators can see which computer workstation the login request is coming from. A code is then created and linked to that computer, so the code can only be used from the same machine from which the request was originally initiated. If for any reason the code is intercepted, it cannot be used on any other device. This helps protect against sophisticated attacks such as man-in-the-middle attacks.
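The contrast drawn in the two paragraphs above, as an added example that is not code from the article or from any vendor it mentions: a seed-derived code is a pure function of the seed and a counter, so a copied seed file reproduces it anywhere, whereas a code generated only after a session exists can be bound to that session and rejected elsewhere. The names `SessionBoundOTP`, `client_fingerprint` (standing in for whatever the server can observe about the requesting machine) and the sample sessions are constructed assumptions for illustration.

```python
"""Session-bound one-time codes versus pre-issued (seed-derived) codes.

Added example, not from the article. SessionBoundOTP, client_fingerprint and
the constructed sample sessions below are assumptions, not a product's design.
"""
import hashlib
import hmac
import secrets
import struct
import time


def preissued_code(seed: bytes, counter: int) -> str:
    """Seed-derived code in the style of an event-based hardware token.

    The code depends only on (seed, counter): any holder of a copy of the seed
    file computes the same code, and nothing ties it to a session or machine.
    """
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class SessionBoundOTP:
    """Issues a code only once a session exists and binds it to that session."""

    def __init__(self, ttl_seconds: int = 120, now=time.time) -> None:
        # session_id -> (code, client_fingerprint, expires_at)
        self._pending: dict[str, tuple[str, str, float]] = {}
        self.ttl = ttl_seconds
        self.now = now  # injectable clock so expiry can be tested deterministically

    def issue(self, session_id: str, client_fingerprint: str) -> str:
        # Drawn from a CSPRNG at request time; no code exists before the session does.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[session_id] = (code, client_fingerprint, self.now() + self.ttl)
        return code

    def verify(self, session_id: str, client_fingerprint: str, code: str) -> bool:
        entry = self._pending.get(session_id)
        if entry is None:
            return False                       # no code was ever issued for this session
        stored_code, stored_fp, expires_at = entry
        if self.now() > expires_at:
            del self._pending[session_id]      # expired: the user must request a fresh code
            return False
        # Constant-time comparisons; both the code and the machine binding must match.
        code_ok = hmac.compare_digest(stored_code, code)
        binding_ok = hmac.compare_digest(stored_fp, client_fingerprint)
        if not (code_ok and binding_ok):
            return False
        del self._pending[session_id]          # single use: a replay in the same session fails too
        return True


def demo() -> dict[str, bool]:
    """Constructed scenario; each value is whether the presented code was accepted."""
    results: dict[str, bool] = {}

    # Pre-issued: a duplicated seed file yields exactly the same code.
    seed = secrets.token_bytes(20)
    copied_seed = bytes(seed)
    results["preissued_code_from_copied_seed_accepted"] = (
        preissued_code(copied_seed, 7) == preissued_code(seed, 7)
    )

    # Session-bound: the code is tied to the session and machine that requested it.
    clock = [1_000.0]
    svc = SessionBoundOTP(ttl_seconds=120, now=lambda: clock[0])
    code = svc.issue("sess-A", "workstation-fp-1")
    results["intercepted_code_other_session"] = svc.verify("sess-B", "other-fp", code)
    results["intercepted_code_same_session_other_machine"] = svc.verify("sess-A", "other-fp", code)
    results["legit_first_use"] = svc.verify("sess-A", "workstation-fp-1", code)
    results["legit_replay"] = svc.verify("sess-A", "workstation-fp-1", code)

    # A code left unused past its TTL is worthless afterwards.
    code2 = svc.issue("sess-C", "fp-3")
    clock[0] += 121
    results["expired_code"] = svc.verify("sess-C", "fp-3", code2)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The single-use deletion and the short TTL matter as much as the binding: even a code captured from the right machine buys an interceptor nothing once the legitimate session has consumed it or the window has closed.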

Next, it's important to look past the shiny surface of authentication apps. Certainly mobile apps are cool and most users are familiar with using them on their smartphones. But as an authentication mechanism, the "coolness" of the mobile app will quickly fade once an organization starts deploying it in the real world. Making sure an app is successfully deployed to everyone in an organization can be a challenge, as is the chore of maintaining compliance so that everyone is using the most up-to-date version.

If an organization opts for an approach that requires user-deployed software, it drastically increases user dependency, since the success of the implementation relies on all users having the software deployed and up to date. In addition, the technology relies on all users having a smartphone, which is not always the case. The mobile app (unless it uses a basic soft token) also requires a data connection to work, and this can be impractical and expensive for employees while traveling.

When implementing a multi-factor authentication security platform that leverages SMS as a delivery mechanism for the OTP (one-time passcode), the reliability of the SMS arriving on time becomes mission-critical. Users are waiting to log into critical business applications remotely and cannot proceed until the code arrives. There is a huge difference between the SMS arriving within 10 seconds and arriving in two minutes. If the SMS is not delivered promptly and reliably, a high percentage of the codes can arrive late, leaving users waiting at the login prompt.

Some authentication providers claim that SMS delivery is not reliable enough and, as a result, encourage the use of pre-issued codes. However, this lowers the level of security significantly, because the OTP cannot be generated in real time, and it can be a dangerous trade-off to make.

Another consideration when implementing mobile-based multi-factor authentication technologies is the level of adaptive support. One best practice is to take full advantage of contextual information, such as login behavior patterns, geo-location and type of login system being accessed. This provides some powerful benefits for an organization in terms of added user convenience. For example, it allows for the level of security to dynamically adjust based on where the user is located when logging in, what time they are logging in and what network they are logging in from.

If the user is logging in from a trusted location, such as the user's home, where they have logged in from before, then they will not be prompted for an OTP in order to authenticate. On the other hand, if the user is attempting to log in while traveling (e.g. from an airport lounge or a hotel with public Wi-Fi), then an OTP is mandatory to gain access.
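The adaptive decision described in the two paragraphs above, as an added example that is not code from the article or from any product it mentions. The policy inputs (`LoginContext` fields, the corporate CIDR, the "work hours" window, the sensitive-application list) and the sample logins are constructed assumptions; the one design point worth noting is that a location only becomes "familiar" after a login that actually passed the OTP step, so an attempt from a new network cannot earn trust for itself.

```python
"""Adaptive (contextual) step-up decision for a login attempt.

Added example, not from the article. LoginContext, AdaptivePolicy, the
thresholds and the sample logins below are assumptions for illustration.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class LoginContext:
    user: str
    source_ip: str
    country: str        # e.g. from a geo-IP lookup
    hour_local: int     # local hour of the attempt, 0-23
    target: str         # application being accessed, e.g. "mail" or "payroll"


class AdaptivePolicy:
    """Decides whether an OTP is required from the context of a login attempt."""

    def __init__(self, corporate_networks, sensitive_targets, work_hours=range(7, 20)):
        self.corporate_networks = [ipaddress.ip_network(c) for c in corporate_networks]
        self.sensitive_targets = set(sensitive_targets)
        self.work_hours = work_hours
        # user -> set of (network, country) pairs seen on a previous OTP-backed login
        self._known: dict[str, set] = {}

    @staticmethod
    def _network_key(ip_str: str) -> str:
        # Coarsen the address to a network so a home DHCP change still counts as familiar.
        ip = ipaddress.ip_address(ip_str)
        prefix = 24 if ip.version == 4 else 64
        return str(ipaddress.ip_interface(f"{ip_str}/{prefix}").network)

    def decide(self, ctx: LoginContext) -> tuple[bool, list[str]]:
        """Return (otp_required, reasons). An empty reasons list means no prompt."""
        reasons: list[str] = []
        ip = ipaddress.ip_address(ctx.source_ip)
        on_corporate = any(ip in net for net in self.corporate_networks)
        familiar = (self._network_key(ctx.source_ip), ctx.country) in self._known.get(ctx.user, set())
        if ctx.target in self.sensitive_targets:
            reasons.append("sensitive application")
        if not on_corporate and not familiar:
            reasons.append("unfamiliar network or location")
        if ctx.hour_local not in self.work_hours:
            reasons.append("outside usual hours")
        return (len(reasons) > 0, reasons)

    def record_full_login(self, ctx: LoginContext) -> None:
        """Call only after the OTP has been verified: that success is what earns trust."""
        self._known.setdefault(ctx.user, set()).add((self._network_key(ctx.source_ip), ctx.country))


def demo() -> dict[str, bool]:
    """Constructed logins for one user; each value is whether an OTP was required."""
    policy = AdaptivePolicy(corporate_networks=["10.0.0.0/8"], sensitive_targets={"payroll"})
    outcomes: dict[str, bool] = {}

    home = LoginContext("alice", "203.0.113.10", "DK", 9, "mail")
    outcomes["home_first_time"] = policy.decide(home)[0]        # never seen: prompt
    policy.record_full_login(home)                                # OTP assumed verified
    outcomes["home_again"] = policy.decide(home)[0]              # now familiar: no prompt

    airport = LoginContext("alice", "198.51.100.77", "US", 14, "mail")
    outcomes["airport_public_wifi"] = policy.decide(airport)[0]  # unfamiliar: prompt

    office = LoginContext("alice", "10.20.30.40", "DK", 10, "mail")
    outcomes["office"] = policy.decide(office)[0]                # corporate network: no prompt

    late = LoginContext("alice", "203.0.113.10", "DK", 2, "mail")
    outcomes["home_at_2am"] = policy.decide(late)[0]             # familiar but odd hour: prompt

    payroll = LoginContext("alice", "10.20.30.40", "DK", 10, "payroll")
    outcomes["office_payroll"] = policy.decide(payroll)[0]       # sensitive target: always prompt
    return outcomes


if __name__ == "__main__":
    for name, required in demo().items():
        print(f"{name}: {'OTP required' if required else 'no OTP'}")
```

Returning the reasons alongside the decision is deliberate: they are what an operator needs in the audit log to explain why a given login was or was not challenged, and they make policy changes reviewable.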

If all you need is a rig to get you to the corner store and back, a Volkswagen is fine. But if you need a vehicle that delivers high performance at high speeds, a Porsche is a much better choice. Just as all cars are not created equal, neither are all multi-factor authentication tools. Security, reliability and ease of use are just some of the many vital components to consider when choosing a security platform. It's essential that organizations move beyond "good enough" authentication to keep ahead of modern security threats and keep data safe.

Hald is a founding member of SMS PASSCODE A/S, where he acts as a liaison and a promoter of the award-winning SMS PASSCODE multi-factor authentication solutions. Prior to founding SMS PASSCODE A/S, he was a co-founder and CEO of Conecto A/S, a leading consulting company in the area of mobile and security solutions, with special emphasis on Citrix, BlackBerry and other advanced mobile solutions.