Common Pitfalls of Authentication-Based Security
Ground chuck and filet mignon are two very different types of beef. Ground chuck is priced for everyday meals. Filet mignon, however, is a luxury cut, prized for its tenderness with a price tag to match. Beef may be what’s for dinner, but what kind clearly matters to the consumer.
When it comes to the multi-factor authentication market, simply looking at the label is not enough to get an accurate read on quality and use case. Not all approaches are the same. There are many differentiators within the market, and those differentiators are significant. Understanding differences in multi-factor authentication can determine whether identities and data remain secure, whether authentication codes arrive in a timely manner and whether applications are easy to use.
Multi-Factor Authentication: Criteria to Consider
The level of security is a significant differentiator among mobile-based multi-factor authentication approaches. A good rule of thumb is to avoid pre-issued passcodes. Many authentication platforms operate similarly to token-based technologies, with pre-issued one-time passcodes derived from a seed file. If codes are pre-issued, they are vulnerable even to simple attacks such as phishing, and to unauthorized use or theft of the seed files themselves. This is not just a theoretical risk; it has actually happened, requiring the replacement of millions of hardware tokens. If the authentication code is pre-defined before the login, then it can be stolen and used for another login, since the code isn’t linked to a specific login. That means the system’s security can be significantly compromised, because a phished code remains valid.
Challenge- and session-based security must be considered as well. A challenge-based design lets organizations set up systems that make employee remote logins even more secure. With this approach, a code is generated only after the login session is created. By waiting to generate the code, instead of relying on a pre-set bank of existing codes, the authentication system can see which computer workstation the login request is coming from. A code is then created and linked to that computer, so the code can only be used from the same machine from which the request was originally initiated. If for any reason the code is intercepted, it cannot be used on any other device. This helps protect against even more sophisticated attacks.
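An added illustration of the session-bound design described above (not any vendor's code): the passcode is derived from a server-side key, the session identifier and the requesting device only after the session exists, so there is no seed file and no pre-issued list, and a code captured in transit fails when replayed from another device or another session. How the device identifier is obtained is an assumption here.

```python
import hashlib
import hmac
import secrets
import time


class SessionBoundOtpServer:
    """Issues a one-time passcode only after a login session exists and binds the
    code to that session and to the requesting workstation (assumed device id)."""

    def __init__(self, ttl_seconds=120):
        self.secret = secrets.token_bytes(32)  # server-side key; never distributed as a seed
        self.sessions = {}                     # session_id -> state dict
        self.ttl = ttl_seconds

    def start_session(self, device_id):
        """Called when the login request arrives; records which device asked."""
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = {
            "device": device_id,
            "nonce": secrets.token_bytes(16),    # fresh per session, so codes are never reusable
            "expires": time.time() + self.ttl,   # delivery delay still has a hard deadline
            "used": False,
        }
        return session_id

    def _derive(self, session_id, device_id, nonce):
        # The code depends on session + device + nonce, not on any pre-issued material.
        mac = hmac.new(self.secret, session_id.encode() + device_id.encode() + nonce,
                       hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"

    def issue_otp(self, session_id):
        """Generate the code for an existing session; delivered out of band (e.g. SMS)."""
        s = self.sessions[session_id]
        return self._derive(session_id, s["device"], s["nonce"])

    def verify(self, session_id, device_id, otp):
        s = self.sessions.get(session_id)
        if s is None or s["used"] or time.time() > s["expires"]:
            return False                      # unknown, already used, or expired
        if device_id != s["device"]:
            return False                      # bound to the originating workstation
        expected = self._derive(session_id, s["device"], s["nonce"])
        ok = hmac.compare_digest(expected, otp)
        if ok:
            s["used"] = True                  # single use: a replay on the same device also fails
        return ok
```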
Authentication apps should be reconsidered as well. Certainly mobile apps are cool and most smartphone users are familiar with using them. But as an authentication mechanism, the “coolness” of the mobile app will quickly fade once an organization starts deploying it in the real world. Making sure an app is successfully deployed to everyone in an organization will not be hassle-free, and neither will maintaining compliance so that everyone is running the most up-to-date version. If an organization opts for an approach that requires user-deployed software, it drastically increases user dependency, since the success of the implementation relies on all users having the software deployed and up to date. In addition, the technology relies on all users having a smartphone, which is not always the case. Some mobile apps (unless they use a basic soft token) also require a data connection to work, and this can be impractical and expensive for employees while traveling.
As the saying goes, timing is everything. When using a multi-factor authentication security platform that leverages SMS as the delivery mechanism for the one-time passcode (OTP), the reliability of the SMS arriving quickly is essential. Users are waiting to log into critical business applications remotely and cannot proceed until the code arrives. There is a huge difference between the SMS arriving within 10 seconds or within two minutes. Some authentication providers claim that SMS delivery is not reliable enough and, as a result, they encourage the use of pre-issued codes. However, this lowers the level of security significantly, because the OTP is no longer generated in real time. That is why choosing a platform that delivers the OTP promptly is critical to both usability and security. The ideal compromise combines real-time challenge- and session-based capabilities with a robust delivery mechanism that reliably delivers passcodes generated in real time.
Finally, consider the level of adaptive support when implementing mobile-based multi-factor authentication technologies. One best practice is to take full advantage of contextual information, such as login behavior patterns, geo-location and the type of login system being accessed. This provides some powerful benefits for an organization in terms of added user convenience. It allows the level of security to be configured to adjust dynamically based on where the user is located when logging in, what time they are logging in and what network they are logging in from. For example, if the user is logging in from a trusted location – such as the comfort of the user’s home – where they have logged in from before, then they will not be prompted for an OTP in order to authenticate. On the other hand, if the user is attempting to log in while traveling (i.e. from an airport lounge or hotel with public Wi-Fi), then an OTP is mandatory to gain access.
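The adaptive step-up decision above, as an added example that is not part of the original article: a small risk score is computed from the login context (prior locations and networks, public Wi-Fi, time of day, the system being accessed) and an OTP is required only when the score crosses a threshold. The login history, network ranges and weights are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class LoginContext:
    user: str
    ip_network: str   # network the login comes from (constructed documentation ranges)
    location: str     # coarse geo-location label
    hour: int         # local hour of the attempt, 0-23
    target: str       # application or login system being accessed


# Constructed history of prior successful logins, keyed by user.
KNOWN_LOGINS = {
    "alice": [
        LoginContext("alice", "203.0.113.0/24", "home-city", 9, "webmail"),
        LoginContext("alice", "203.0.113.0/24", "home-city", 20, "webmail"),
    ],
}
PUBLIC_NETWORKS = {"198.51.100.0/24"}          # assumed: hotel/airport Wi-Fi ranges
SENSITIVE_SYSTEMS = {"payroll", "admin-console"}  # assumed: systems that always warrant step-up


def risk_score(ctx: LoginContext) -> int:
    """Weighted sum of contextual signals; higher means less trust in the login."""
    history = KNOWN_LOGINS.get(ctx.user, [])
    score = 0
    if ctx.location not in {h.location for h in history}:
        score += 2                                   # location never seen for this user
    if ctx.ip_network not in {h.ip_network for h in history}:
        score += 1                                   # unfamiliar network
    if ctx.ip_network in PUBLIC_NETWORKS:
        score += 2                                   # public Wi-Fi
    usual_hours = {h.hour for h in history}
    if history and all(abs(ctx.hour - h) > 3 for h in usual_hours):
        score += 1                                   # far from any usual login time
    if ctx.target in SENSITIVE_SYSTEMS:
        score += 2                                   # type of login system being accessed
    return score


def requires_otp(ctx: LoginContext, threshold: int = 2) -> bool:
    """Trusted context: password only. Risky context: the OTP becomes mandatory."""
    return risk_score(ctx) >= threshold
```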
Your Choice: Filet Mignon or Ground Chuck
Ground chuck is fine for throwing onto the grill at a backyard barbecue, but filet mignon is a better choice for a state dinner at the White House. It comes down to the inherent value of the product. Timeliness, security and ease of use are key differentiators to consider when choosing a security platform. Because data safety is so critical, it behooves organizations to do their due diligence and determine if the approach they are considering is so-so or stellar.