The evolution of authentication
15 January, 2015
category: Biometrics, Corporate, Digital ID
Bryan Ichikawa, Specialist Leader, Deloitte Cyber Risk Services
Every day there seems to be another story of an information system falling victim to a security breach. All types of organizations – companies, government entities and academic institutions – have suffered from breaches.
These breaches reveal, in hindsight, that steps could have been taken to reduce the threat, and many organizations are waking up to the fact that tighter access controls are a critical element of their overall security posture.
And individuals are also realizing that security is their responsibility. If a neighbor or friend’s home is burglarized, you learn from their experience and take the appropriate steps to protect yourself and your assets. It is said that the best time to sell someone a home security system is after they have been robbed. The same thing can be said about organizations improving their security posture.
Authentication, the process of verifying that you are who you claim to be, is required at the entry points to applications that deliver or transact data. The greater the damage that could occur if a bad actor conducted a malicious transaction using your identity, the stronger the authentication method that is required. Password authentication by itself is not sufficient.
Passwords are the de facto authentication method used today for most applications. Stronger passwords are the primary mantra of organizations, on the reasoning that a stronger password is more difficult to crack. But it is not an individual’s password that is the primary target. Unless you are a celebrity, you are unlikely to be singled out for attack.
A highly vulnerable point for end users is the passwords they use on sites that may not implement strong security practices and are susceptible to compromise. Once a user ID and password combination has been obtained, attackers can simply run scripts that attempt to log into thousands of sites, an effective gambit because many individuals reuse the exact same user ID and password combination on multiple sites. The bad actors don’t have to hack into a high-security site. All they have to do is breach a low-security site and see if their illicitly obtained identities work elsewhere.
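The scripted replay described above leaves a recognizable trace in an application's own authentication log: one source address failing against many different accounts in a short window, which a legitimate user who mistypes a password never produces. The detector below is an added example, not code from the article or from Deloitte; the log format and the sample lines are constructed for illustration, and the window and threshold are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article). One source
# address tries six different accounts in under a minute and fails every time,
# the signature of credentials replayed from a third-party breach; another
# address is a single user mistyping a password and then succeeding.
SAMPLE_LOG = """\
2015-01-15T10:00:01Z src=198.51.100.7 user=alice result=FAIL
2015-01-15T10:00:04Z src=198.51.100.7 user=bob result=FAIL
2015-01-15T10:00:07Z src=203.0.113.9 user=dana result=FAIL
2015-01-15T10:00:09Z src=198.51.100.7 user=carol result=FAIL
2015-01-15T10:00:12Z src=203.0.113.9 user=dana result=FAIL
2015-01-15T10:00:15Z src=198.51.100.7 user=dave result=FAIL
2015-01-15T10:00:20Z src=203.0.113.9 user=dana result=SUCCESS
2015-01-15T10:00:22Z src=198.51.100.7 user=erin result=FAIL
2015-01-15T10:00:31Z src=198.51.100.7 user=frank result=FAIL
"""

# Assumed log line format: "<ISO-8601 UTC> src=<ip> user=<name> result=FAIL|SUCCESS"
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "src": m.group(2), "user": m.group(3), "result": m.group(4)}


def find_credential_stuffing(lines, window_seconds=60, min_distinct_users=5):
    """Flag source addresses whose failed logins span many distinct accounts
    inside a sliding time window. Returns {src: max distinct users seen}.
    Repeated failures for a single account (a forgotten password) never trip it."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "FAIL":
            failures[ev["src"]].append((ev["ts"], ev["user"]))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most window_seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {user for _, user in events[start:end + 1]}
            if len(distinct) >= min_distinct_users:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for src, count in find_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {count} distinct accounts failed within 60s")
```

In the sample, 198.51.100.7 is flagged with six distinct accounts while 203.0.113.9 is not, because its three failures all belong to one user. Distinct-account counting per source is the key design choice: per-account lockout thresholds, the traditional brute-force control, are blind to this pattern because each account sees only one attempt.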
Multi-factor authentication is a method that can significantly improve the security of access to an application or web site. Factors are commonly described as something you know (a password), something you have (a card or token), and something you are (a biometric). The use of two or more of these factors when logging into a website is called multi-factor authentication.
It is a good idea to employ strong passwords, and a better practice not to reuse them. Using additional authentication factors significantly improves your security posture and provides better protection against bad actors conducting illicit transactions on your behalf.
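To make the two-factor login concrete, here is an added example (not code from the article or from Deloitte) that combines the "something you know" factor, a salted PBKDF2 password hash, with a "something you have" factor, an RFC 6238 time-based one-time code of the kind generated by a hardware token or authenticator app. The in-memory account record, the enrolment helper and the user name are constructed for the example; the 20-byte key is the published RFC 6238 reference key so the codes can be checked against the standard's test vectors.

```python
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 200_000  # assumed work factor; raise as hardware allows


def hash_password(password, salt=None):
    """Return (salt, digest) for the knowledge factor; the plaintext is never stored."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def hotp(key, counter, digits=6):
    """RFC 4226 HMAC-based one-time password (HMAC-SHA1 with dynamic truncation)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at_time, step=30, digits=6):
    """RFC 6238 time-based OTP: HOTP over the current 30-second time step."""
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key, code, at_time, step=30, window=1):
    """Accept the code for the current step and +/- `window` neighbouring steps,
    so a token whose clock drifts slightly still works. Always checks every
    candidate so timing does not reveal which step matched."""
    counter = int(at_time) // step
    matches = [hmac.compare_digest(hotp(key, c), code)
               for c in range(counter - window, counter + window + 1)]
    return any(matches)


def enroll(username, password, totp_key=None):
    """Build a constructed in-memory record: {username: {salt, hash, totp_key}}."""
    salt, digest = hash_password(password)
    key = totp_key if totp_key is not None else secrets.token_bytes(20)
    return {username: {"salt": salt, "hash": digest, "totp_key": key}}


def login(store, username, password, code, at_time):
    """Both factors are always evaluated and both must pass."""
    rec = store.get(username)
    if rec is None:
        # Burn the same PBKDF2 cost for unknown accounts so the response time
        # does not disclose whether the user name exists.
        check_password(password, b"\x00" * 16, b"\x00" * 32)
        return False
    password_ok = check_password(password, rec["salt"], rec["hash"])
    code_ok = verify_totp(rec["totp_key"], code, at_time)
    return password_ok and code_ok


# RFC 6238 reference key (ASCII "12345678901234567890"); a real deployment
# generates a fresh random key per user at enrolment.
DEMO_KEY = b"12345678901234567890"
DEMO_STORE = enroll("alice", "correct horse battery staple", DEMO_KEY)

if __name__ == "__main__":
    now = 59  # an RFC 6238 test-vector time; in production use time.time()
    good_code = totp(DEMO_KEY, now)
    print("current code:", good_code)
    print("both factors:", login(DEMO_STORE, "alice", "correct horse battery staple", good_code, now))
    print("password only:", login(DEMO_STORE, "alice", "correct horse battery staple", "000000", now))
```

A leaked password alone fails the `login` call, which is exactly the property the article argues for: a credential stolen from a low-security site does not unlock an account protected by the second factor. The verifier evaluates both factors unconditionally rather than short-circuiting after a bad password, so an attacker cannot tell from the response time which factor was wrong.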
There are new strong authentication technologies that can replace the user ID and password combination altogether, effectively raising the bar so high that adversaries will simply go somewhere it’s easier. It is like having a large barking dog in your home: would-be burglars target a quiet house down the street instead.
These new authentication methods do help raise the bar, but they are not foolproof and they are not invulnerable to attack. Organized crime has already demonstrated its ability to launch multi-faceted attacks on organizations that defeat multi-factor protection mechanisms. These are highly sophisticated and orchestrated attacks, sometimes taking months, if not years, to execute.
Security technology is evolving and the new password replacement mechanisms take advantage of the sophistication that exists in today’s computing devices. These devices exist in homes, offices, pockets and purses.
Today, PCs and laptops are delivered with integrated security chipsets that create trusted computing environments unique to each device. Trusted Platform Modules, or TPMs, facilitate the use of strong cryptographic algorithms that are essential in protecting against outside intrusions. Mobile devices benefit from similar mechanisms such as the Trusted Execution Environment and the Secure Element. These technologies advance the state of the art for securing many of today’s devices.
As the Internet of Things (IoT) begins to grow, the devices that become connected may not have these security modules, and for many consumer devices it can generally be assumed that they do not. Combine the IoT with the cloud and you increase the opportunity for security and privacy violations. Controversy is already growing over privacy, security, and the control potentially yielded to governments and corporations.
The Internet continues to evolve into a critical telecommunications infrastructure asset, and individuals, businesses and governments increasingly depend on it as the backbone for their daily task flows and as the source of the information those tasks require.
Misuse of that information is an ever-present threat, and protecting access becomes critically important. It is the responsibility of every single individual to do their part and be diligent about protecting their access points. It’s like having a big dog in your house: the bad guys are going to be out there, so help them decide to go somewhere else.
About the AVISIAN Publishing Expert Panel
At the close of each year, AVISIAN Publishing’s editorial team selects a group of key leaders from various sectors of the market to serve as Expert Panelists. Individuals are asked to share their unique insight into different aspects of the campus card market. During the months of December and January, these panelists’ predictions are published at SecureIDNews.