Most, if not all, of the recent major data breaches have something in common with the way in which the attack was accomplished – the attacker was able to steal a username and password. These breaches highlight the need for strong multi-factor authentication, but what we should keep in mind is that not all multi-factor authentication methods are created equal.
By leveraging the mobile platform, strong authentication can be implemented in a user-friendly manner. The near term trend for the mobile platform is to take advantage of secure hardware elements and trusted execution environments. This also is true for critical Internet of Things (IoT) environments where higher levels of security are demanded.
In recent breaches at major retailers, financial institutions and government agencies, a username and password was stolen early on in the attack. A password is a poor secret because it is difficult to secure. In most cases the password is stolen through a form of social engineering. To make a password attack more difficult several techniques have been introduced that add a second factor to user authentication.
One-time tokens provided through a variety of forms, such as hard token or SMS, are an improvement over single factor credentials alone. However, we have seen examples where SMS tokens were compromised by redirection malware such as Zitmo and Eurograbber working in conjunction with a Zeus or Zeus variant infection on the victim’s endpoint.
Additionally, SMS tokens are transmitted in plain text putting them at risk of a man-in-the-middle type attack. One time passwords that are typed into a web form by a user are at risk of compromise because they are not “out of band” and therefore social engineering, in conjunction with key loggers and fake web forms can put these forms of second factor authentication at risk in the same way in which passwords are at risk.
In other words, even though these security techniques offer a higher challenge to an attacker, the difficulty is often not high enough to fully deter the attack. The strength of the authenticator should match the risk being mitigated.
Desktop operating systems do not offer the same level of application isolation as mobile operating systems. This isolation prevents mobile device malware from interfering in the memory space of critical native apps. This technique has proven itself, but now we have the option to store cryptographic credentials in a very secure environment such as hardware secure elements and trusted execution environments. This is a long way from username and password in terms of both security level and user experience.
In the past strong authentication has often been difficult to implement or presented a poor user experience. Today, by leveraging mobile platforms for strong authentication we are taking advantage of a user-friendly computing form factor that is always in our pocket. We may forget our wallet at home and not go back to get it, however if we were to forget our smartphone, more times than not, we would go back to retrieve it. Mobile platforms offer us the ability to secure our digital identities in ways that are stronger than the other forms of second factor authentication, such as SMS tokens, discussed earlier.
With mobile platforms, your digital identity can take the form of a cryptographic credential that never has to leave the device. Communication between backend systems and the mobile device can be encrypted and identity tokens do not have to be re-typed into user endpoints. These capabilities offer users a truly out-of-band multi-factor authentication.
Attacks on mobile platforms are typically related to privacy items such as stolen pictures or redirected SMS messages. Over privileged apps such as a calculator app that has been given access to the device’s microphone present a privacy risk. But that same malicious calculator app will not be able to access cryptographic credentials stored in an isolated secure hardware element.
The malicious app will also be isolated from critical code running in a trusted execution environment, whether it is a cryptographic function or a secure keyboard. By taking advantage of these technologies we can match the level of security to the level of risk being mitigated, all while providing a superior user experience. The idea is to make the cost of the attack much too high for an attacker to consider fraud.
Finally, it should be noted that the usage of secure elements in IoT is a way to offer a root of trust for devices to be able to secure their own digital identities. Encrypted communication, authentication and authorization between devices can become possible. Complex supply chains will also demand that device identities are secured throughout their lifecycle. Attackers should not be allowed to simply “become you” on your network because of a stolen credential. This is true whether we are considering traditional IT networks that run our enterprises, or device-centric operational technology networks that run our critical infrastructure. By taking advantage of credentials stored in a highly secure manner, the security of digital identities becomes possible.