Tag Archives: authentication

Friction and emerging threats: two items to consider when implementing multifactor authentication

For my long-time readers, here’s a quiz. Read the four statements below and take a guess as to which one of these statements best reflects my views.

  1. With recent accuracy improvements, facial identification is the only identification method that you will ever need in the future.
  2. Possession of a driver’s license is sufficient to prove identity.
  3. Fingerprints are the tried and true authentication method; you don’t need anything else.
  4. Passwords are dead.

Readers, this was a trick question. I don’t agree with ANY of these statements. It is possible to subvert facial identification methods. Your twin can steal your driver’s license. Fingerprints can be subverted also. And passwords have their place.

If you’ve read my writings for any length of time, you know that I believe that any single authentication factor is not a reliable method of authenticating someone. Multifactor authentication, in which you use more than one of the five authentication factors, is a much stronger method. It’s possible to spoof any single authentication factor (a gummi fingerprint, a fake driver’s license, etc.), but it’s much harder to spoof multiple factors.

No, they don’t have ridges. By Thomas Rosenau – Own work, CC BY-SA 2.5, https://commons.wikimedia.org/w/index.php?curid=685011

Please note that I am referring to multiple FACTORS, not multiple TYPES OF BIOMETRICS (for example, authenticating finger and face and declaring victory). All biometrics fit within the “something you are” category, and it’s much better to combine this factor with one or more of the other four: something you know, something you have, something you do, and somewhere you are. Or perhaps use two factors other than biometrics. The important thing is that you use multiple factors.

What of the vendor that only offers one type of biometric authentication? Or the vendor that only offers biometric authentication? Or the vendor that only processes secure documents? Or the one with really strong password protection schemes? Well, in my humble opinion these vendors need to partner with other vendors who support other authentication factors, to ensure delivery of a robust solution.

Julie Pattison-Gordon made many of these points in a recent GovTech article, “Cyber Refresher: Understanding Multifactor Authentication.” But she made two additional points that are worth mentioning.

Friction and authentication

The first point that Pattison-Gordon makes is the following:

Agencies may need to consider how their selection of authentication methods creates or avoids friction for employees.

Friction, in which a task becomes hard to perform, is bad.

Not sure how Jack feels now that the Lakers are, um, subpar. By May be found at the following website: http://www.impawards.com/2003/anger_management.html, Fair use, https://en.wikipedia.org/w/index.php?curid=11893883

Some authentication methods have, or can have, more friction than others. For example, some password implementations require use of characters from the Roman, Greek, and Cyrillic alphabets and require you to change your password daily. (I exaggerate only slightly.) Older iris readers required you to put your head directly against the reader, like if you were at an opthamologist’s office. Even today, most fingerprint readers require you to touch your finger against a platen. (There are exceptions.)

But why worry about friction? After all, if someone’s required to perform some type of authentication, they’re going to do it regardless of how hard it is.

Oh no they’re not:

Speaking during a panel last month, Delaware Chief Security Officer Solomon Adote said that workers who find MFA processes too cumbersome may adopt unsafe workarounds, such as storing official files on personal devices to let them skip login procedures entirely.

This is worse than an abandoned shopping cart, since it’s the abandonment of an entire security infrastructure. When security is too cumbersome, the result is little or no security at all.

I feel safe now. By IMP Awards, Fair use, https://en.wikipedia.org/w/index.php?curid=42298113

It is possible to improve all authentication methods to reduce friction. Strong yet easy passwords that you don’t have to change all the time. “On the move” capture of all sorts of biometrics, including fingerprints, faces, and irises. The ability to read information on secure documents without sliding them through a card reader (yet incorporating protections against unauthorized reading of the data).

Trust me – frictionless will make people happier and will cause them to use your security methods without objection.

Emerging threats and authentication

Pattison-Gordon makes a second point:

Organizations must also weigh the cyber threats facing each type of authentication, as malicious actors continue evolving their strategies.

No authentication method is foolproof, and every authentication method attracts one or more threats. I’ve mentioned some in passing in this post, such as “gummi fingerprints” in which someone creates a fake fingerprint with the ridge detail from a true fingerprint. Pattison-Gordon mentions another threat, SIM swapping.

There are ways to deal with these two threats. For example, if a gummi fingerprint is literally a piece of non-organic material, there are various methods of liveness detection (tempreature, heartbeat detection, skin features) that can identify the fingerprint as fake.

However, this does not solve the problem, since some day some fraudster will create a fake fingerprint that appears to have human skin, a temperature, a detectable heartbeat, and everything else that a real fingerprint will have.

Security is a constant war between the fraudsters who develop a hack, the cybersecurity folks who develop a block to the hack, and the fraudsters that develop a new hack that avoids the block to the previous hack. No authentication method is foolproof.

This is one of the benefits of multifactor authentication. When this is used, then the fraudster needs to hack something you are AND something you know AND something you have AND something you do AND somewhere you are. MFA hacking is not impossible, but it is much, much more difficult than hacking a single factor.

And you also have to keep up with the latest hacks and continue to research. Don’t quit researching an authentication method just because it seems great now.

(A couple of you may know why I said that.)

Biometric (and other) authentication CAN be spoofed…but it isn’t easy

A few days ago, Liam Tung of ZDNet wrote an article entitled “Windows 10 security: Here’s how researchers managed to fool Windows Hello.”

Those who read the title of the article may conclude that biometrics is a terrible authentication method because it can be spoofed.

Just a picture of candy. Nothing special. By Jebulon – Own work, CC0, https://commons.wikimedia.org/w/index.php?curid=27753729

Well, until they come to the third paragraph of the article.

The attack is quite elaborate and would require planning, including being able to acquire an infrared (IR) image of the target’s face and building a custom USB device, such as a USB web camera, that will work with Windows Hello. The attack exploits how Windows 10 treats these USB devices and would require the attacker to have gained physical access to the target PC.

Of course, if the target is a really important target such as a world leader, it might be worth it to go to all of that effort to execute the attack.

However, the difficult attack would be much more difficult to execute if the authentication system required multiple biometrics, rather than just one.

And the attack would be even more difficult still if the authentication system employed multiple authentication factors, rather than the single “something you are” factor. If you have to spoof the fingerprint AND the face AND the driver’s license AND the five digit PIN AND the geolocation, and you don’t know in advance WHICH factors will be requested, it’s still possible to gain access, but it’s not easy.

The Pandora’s Box of the “passwords are dead” movement

I’ve previously commented on the “passwords are dead” movement, and why I don’t agree that passwords are dead. But I recently realized that the “logic” behind the “passwords are dead” movement could endanger ALL forms of multi-factor authentication.

If I may summarize the argument, the “passwords are dead” movement is based upon the realization that passwords are an imperfect authentication method. People use obvious passwords, people re-use passwords, individuals don’t guard their passwords, and even companies don’t guard the passwords that they store. Because of these flaws, many passwords have been compromised over the years.

From this indisputable fact, the “passwords are dead” advocates have concluded that the best thing to do is to refrain from using passwords entirely, and to use some other authentication method instead (choosing from the five authentication factors).

In my spiral of people connections, the most frequently suggested replacement for passwords is biometrics. As a biometric content marketing expert and a biometric proposal writing expert, I’m certainly familiar with the arguments about the wonderfulness of biometric authentication.

But wait a minute. Isn’t it possible to spoof biometrics? And when a biometric is compromised, you can’t change your finger or your face like you can with a compromised password. And the Internet tells me that biometrics is racist anyway.

So I guess “biometrics are dead” too, using the “passwords are dead” rationale.

And we obviously can’t use secure documents or other “something you have” modalities either, because “something you have” is “something that can be stolen.” And you can’t vet the secure document with biometrics because we already know that biometrics are spoofable and racist and all that.

So I guess “secure documents are dead” too.

Somewhere you are? Yeah, right. There are entire legitimate industries based upon allowing someone to represent that they are in one place when in fact they are in another place.

So I guess “geolocation is dead” too.

You see where this leads.

NO authentication method is perfect.

But just because an authentication method has imperfections doesn’t mean that it should be banned entirely. If you open the Pandora’s Box of declaring imperfect authentication methods “dead,” there will be NO authentication methods left.

Epimetheus opening Pandora’s Box. By Giulio Bonasone – This file was donated to Wikimedia Commons as part of a project by the Metropolitan Museum of Art. See the Image and Data Resources Open Access Policy, CC0, https://commons.wikimedia.org/w/index.php?curid=60859836

And before talking about multi-factor authentication, remember that it isn’t perfect either. With enough effort, a criminal could spoof multiple factors to make it look like someone with a spoofed face and a spoofed driver’s license is physically present at a spoofed location. Of course it takes more effort to spoof multiple factors of authentication…

…which is exactly the point. As security professionals already know, something that is harder to hack is less likely to be hacked.

“I don’t want to say multi-factor is terrible. All things considered, it is generally better than single-factor and we should strive to use it wherever it makes sense and is possible. However, if someone tells you something is unhackable, they’re either lying to you or dumb.”

And heck, be wild and throw a strong password in as ONE of the factors. Even weak passwords of sufficient length can take a long time to crack, provided they haven’t been compromised elsewhere.

Feel free to share the images and interactive found on this page freely. When doing so, please attribute the authors by providing a link back to this page and Better Buys, so your readers can learn more about this project and the related research.

Luckily, my experience extends beyond biometrics to other authentication methods, most notably secure documents and digital identity. And I’m familiar with multi-factor authentication methods that employ…well, multiple factors of authentication in various ways. Including semi-random presentation of authentication factors; if you don’t know which authentication factors will be requested, it’s that much harder to hack the authentication process.

Do you want to know more? Do you need help in communicating the benefits of YOUR authentication mechanism? Contact me.

https://bredemarket.com/idbenefits/

The five authentication factors

(Part of the biometric product marketing expert series)

I thought I had blogged about the five factors of authentication, either here or at jebredcal, but I guess I haven’t explicitly written a post just on this topic. (You’d expect an identity content marketing expert to do that.)

And I’m not going to do that today either (at least in any detail), because The Cybersecurity Man already did a good job at that (as have many others).

However, for those like me who get a little befuddled after authentication factor 3, I’m going to list all five authentication factors.

  • Something You Know. Think “password.” And no, passwords aren’t dead. But the use of your mother’s maiden name as an authentication factor is hopefully decreasing.
  • Something You Have. I’ve spent much of the last ten years working with this factor, primarily in the form of driver’s licenses. (Yes, MorphoTrak proposed driver’s license systems. No, they eventually stopped doing so. But obviously IDEMIA North America, the former MorphoTrust, has implemented a number of driver’s license systems.) But there are other examples, such as hardware or software tokens.
  • Something You Are. I’ve spent…a long time with this factor, since this is the factor that includes biometrics modalities (finger, face, iris, DNA, voice, vein, etc.). It also includes behavioral biometrics, provided that they are truly behavioral and relatively static.
  • Something You Do. The Cybersecurity Man chose to explain this in a non-behavioral fashion, such as using swiping patterns to unlock a device. This is different from something such as gait recognition, which supposedly remains constant and is thus classified as behavioral biometrics.
  • Somewhere You Are. This is an emerging factor, as smartphones become more and more prevalent and locations are therefore easier to capture. Even then, however, precision isn’t always as good as we want it to be. For example, when you and a few hundred of your closest friends have illegally entered the U.S. Capitol, you can’t use geolocation alone to determine who exactly is in Speaker Pelosi’s office.

Now when these factors are combined via multi-factor authentication, there is a higher probability that the person is who they claim to be. If I enter the password “12345” AND I provide a picture of my driver’s license AND I provide a picture of my face AND I demonstrate the secret finger move AND I am within 25 feet of my documented address, then there is a pretty good likelihood that I am me, despite the fact that I used an extremely poor password.

I don’t know if anyone has come up with a sixth authentication factor yet. But I’m sure someone will if it hasn’t already been done. And then I’ll update to update this post in the same way I’ve been updating my Bredemarket 2021 goals.