New Chertoff Group white paper promotes asymmetric approaches over passwords and OTP
In a new white paper, Strong Authentication in Cyberspace: 8 Key Principles for Policymakers, security consultancy The Chertoff Group outlines steps policymakers and implementers should take related to multi-factor authentication (MFA).
Recognizing that MFA solutions are not all created equal, the report focuses on the security, usability and privacy levels of various approaches to password replacement or reinforcement.
There are many ways attackers go after password-protected systems:
- Phishing attacks that trick users into sharing passwords
- Brute force attacks that crack passwords
- Keyloggers or other malware that capture passwords as they are entered
- Default passwords such as “admin” or “1234” that are never changed on many machines and devices
- Reuse of passwords between accounts
Of course we are all familiar with the common way to define authentication factors into three categories: something you have, something you know and something you are. But the report highlights what it suggests is an even more crucial differentiation between approaches in the modern threat landscape: shared secrets and asymmetric approaches.
Passwords are obviously shared secrets – shared between the service provider and the user – but so too are many of the additional authentication factors. As the report states, one time passcodes, whether delivered via SMS or generated via a token or an app, are also shared secrets.
Asymmetric approaches are not shared secrets but rather require each party to the transaction – the service provider and the user – to possess one part of the solution needed for authentication. These solutions rely on public key cryptography.
“Solutions that rely on shared secrets are less secure than ones that do not. This is because a shared secret can be compromised in ways that solutions using asymmetric approaches cannot,” states the report.
NIST, Google and others are making moves to reduce reliance on one-time passwords due to the rising vulnerability of the shared secret style approaches.
The Chertoff Group recommends, “any authentication solution that relies on the use of a shared secret – even one that is only good for a short time – is vulnerable to increasingly common and effective attacks. The market needs to move away from shared secrets toward other solutions. And as policymakers look to incent adoption of strong authentication, they need to make sure they are focusing on the right kind of strong authentication.”
To that end, they cite a series of principles for policymakers considering authentication initiatives, including:
- Have a plan that explicitly addresses authentication
- Recognize the security limitations of shared secrets
- Understand that the old barriers to strong authentication — including costs and burdens — no longer apply
- Recognize the authentication solutions must support mobile
- Acknowledge that privacy matters
- Recognize that biometrics are important but must be applied appropriately
- Focus on standards and outcomes rather than prescribing a single technology or solution.
Check out the white paper here.