
Jason Lazerus


“Beware the quiet man. For while others speak, he watches. And while others act, he plans. And when they finally rest… he strikes.” - Anonymous


Multi-factor Authentication for All

Multi-factor authentication is used repeatedly on a daily basis by most people who don’t even know that they are using it. The act of authentication is used to establish your identity to someone or something. Authentication is based upon three factors: something you know, something you have, and something you are. Using those three simple factors, the identity of an individual can be securely determined while preventing or reducing fraud. However, with technology that never stops advancing and businesses moving more and more towards paperless environments, identity theft and security vulnerabilities will always be a concern. In fact, identity theft and cyber-crime are expected to become more prevalent and poor economic performance is only projected to spur the trend. (Siciliano, 2010) As a result, authentication will have to continuously evolve to stay ahead of changing technology and security risks.

Multi-factor authentication is often referred to as two-factor authentication, meaning that at least two of the three factors of authentication are used. People use multi-factor authentication every time that they use an ATM at a bank, purchase something with their debit card or log onto a computer at work especially when they are accessing highly sensitive data. Most businesses, however, are only using single factor authentication which amounts to a username and password. It’s more time consuming and in some cases more expensive to use multi-factor authentication (issuing key fobs or cards), but one cannot deny the advantage of using more than one factor: a much higher degree of security.

Not surprisingly, security is a growing concern these days with unauthorized breaches, social engineering and malware spreading throughout the world. Breaches can be very damaging, often resulting in companies losing millions of dollars or even declaring bankruptcy. “In 2004, approximately 9.2 million Americans suffered from identity theft crimes.” (Apostille US, 2007) Not surprisingly, certain agencies of the U.S. Government use multi-factor authentication to protect our Nation’s well-being. The fact of the matter is that using more than one factor of authentication makes data exponentially more difficult to compromise. “If a username and password is compromised, then the attacker will still need additional information to access the confidential data or website.” (Guhl, 2008)

The first factor of authentication is something you know, like a password or PIN. Most people use passwords to access bank records, log on to a computer at home or work, and even protect the data they may have on a cell phone. It is the most widely used form of authentication in the world. A lot of websites, including ones that do not contain sensitive data like forums or social networking sites, make users create some form of authentication prior to allowing the use of their services. But is a single factor of authentication enough?

The interchangeable second form of authentication is something you have. People may not think of it as a form of authentication, but many of us have multiple examples of these items on us at a given time, for example an ATM card. However, these cards aren’t the only objects in this category. Companies like RSA have developed devices like the SecurID, which is another form of something you have. Depending on which one a company chooses, SecurID can be a card the size of a credit card or something small enough to keep on your key ring. They have even developed iPhone applications that act as a digital “something you have”. These applications provide the user with a number between six and eight digits that changes every thirty or sixty seconds (depending on how your server is set up or which device you use). In turn, this unique number acts as a second password.

This is becoming a more popular option as security breaches increase. Some banks are offering these devices to their customers but it’s not just the banking industry that is taking advantage of such an excellent piece of technology. Blizzard, a gaming company commonly known for its hugely popular game World of Warcraft, is currently offering this second form of authentication to its customers free of charge. Blizzard commonly encounters issues with users’ accounts being compromised by hackers using techniques like keystroke logging (recording keys depressed on a keyboard with a program). “When players that have this authenticator log on to their game, they’re met by an extra validation screen during log-in.” (Cavalli, 2008) The cost of such systems is relatively inexpensive as opposed to the potential cost of breached data.

But there are other options as well. Duo, a company that specializes in two-factor authentication, has a great product that’s free for up to ten users (with some other limitations). Duo will walk users through the setup of their application, and their smart phone app for Android and iPhone can be used the same way as Google Authenticator. However, when setting up Duo, some applications will allow you to receive a ‘push’ notification where you can accept or reject a login instead of entering a 6-8 digit PIN. Lastpass, a company that has a great password vault, also has a similar ‘push’ notification authentication app; however, as of this time, you cannot use it with custom applications.

Smart cards are another type of authentication that you carry with you. These cards are embedded with a small chip that stores information about you and is used to verify that the original password you typed in was typed in by you. The negative side to these cards is that they only store a limited amount of information, so shorter encryption keys must be used, which increases the chance of data loss.

Similar to the above method is two-step verification. Many companies are using two-step verification now for their consumers. LinkedIn, for example, offers the opportunity to have an SMS message with a one-time password sent to you at login. They began offering this only after their system was compromised. While this method is a good method of 2FA, it’s not the best, since many people receive SMS messages that can be seen without unlocking the phone. This weakens the security of this method of authentication.

The last factor of authentication is something you are. This can mean a few different things like a fingerprint, eye scans, hand prints, wrist scans, signatures or even a voice signature. Each of these technologies has different things to offer, and they can vary significantly in price as well, from a few dollars to thousands per device. “Fingerprint scanners are currently the most popular form of biometric authentication.” (Beal, 2010) In recent years they have become an option on many laptops and desktop keyboards, and they can be installed aftermarket. Since fingerprints are unique to each person, this type of authentication offers a cost effective way to protect sensitive information, but check with the manufacturer prior to buying because some fingerprint scanners read more points on a finger than others. No one wants to own a fingerprint reader that allows false positives or false negatives: the former may let other people access your data, the latter may keep you from accessing it. Like fingerprint readers, hand readers have shown an increase in interest while remaining cost effective, and they allow for increased accuracy because the surface area of your hand is much larger and contains more distinguishable characteristics than your finger, but the concept remains the same.

Another form of something you are is signature authentication which is virtually impossible to duplicate because it scrutinizes multiple characteristics and measures the stability and deviations observed in the signature. With this type of authentication signatures are captured with a digitizer and then converted to data. This can be done on many devices like a signature pad, PDA or even a smart phone. It offers very reliable forgery detection which surpasses other solutions such as manual verification. (Apostille US, 2007)

Similar in principle to signatures and fingerprints, eye scanning works well as an authenticator because no two people share the same eye pattern. There are two different types of eye scans, iris and retina. Retina scans work by mapping out some distinguishing characteristics of the retina by directing a low-intensity IR light to capture things like blood vessels. Iris recognition uses a camera to capture the colored band of tissue that surrounds the pupil. (Dong-hun) While their popularity is increasing, this technology remains expensive and not very cost effective. This type of technology is predominantly used in sectors such as government, financial, medical and prison systems where funding is available and security must remain tight.

While some organizations are already using multi-factor authentication, more and more are working on implementing this technology for the safety and security of information. Some people feel that using a biometric scanner is an invasion of privacy, but overall, the more security that is used to guard against unauthorized access to information, the more secure information can be kept. Multi-factor authentication is so effective because it is difficult to fraudulently possess more than one of these factors. A key logger may record a username and password, but if a system requires a fingerprint reader to access it or a card to be presented or swiped, it becomes far more difficult for a remote entity to steal someone’s identity. With authentication options like Duo, Lastpass, and RSA’s SecurID, which provide a new numerical code every 30 to 60 seconds, fraud becomes far less likely.

As technology gets smarter and society moves more towards a paperless environment, our information becomes more at risk. Those committing cyber-crimes wouldn’t be very effective if they sat idle while technology advanced around them. Because criminals are unlikely to let up on their attempts to scam people or steal their information, security in the form of multi-factor authentication will continue to be a very important aspect of everyone’s lives. It will have to continuously evolve to keep up, or better yet, keep ahead of criminals. Security is a proactive job; it is not only the responsibility of a business to protect an individual’s information from theft, but also that of the individual to make sure that they are proactive in the protection of their own information. Businesses must make discerning choices about who they allow to store their information and insist that it is protected by security that includes multi-factor authentication.

Product Links

https://www.duo.com

https://www.lastpass.com

https://www.rsa.com/en-us/products/rsa-securid-suite

References

Apostille US. (2007, November 14). Biometric Signature Authentication for the Information Age. Retrieved March 18, 2010, from Apostille.us: http://apostille.us/news/biometric_signature_authentication_for_the_information_age_.shtml

Beal, V. (2010, January 8). How Fingerprint Scanners Work. Retrieved March 20, 2010, from Internet.com: http://www.webopedia.com/DidYouKnow/Computer_Science/2004/fingerprint.asp

Cavalli, E. (2008, June 27). Blizzard Announces Account Security Token. Retrieved March 23, 2010, from Wired: http://www.wired.com/gamelife/2008/06/blizzard-announ/

Dong-hun, L. (n.d.). Biometrics, as a New Technology. Retrieved March 19, 2010, from Theory & Critique: http://maincc.hufs.ac.kr/~argus/no343/t_c2.htm

Guhl, A. (2008, August 25). The Benefits of Multi-Factor Authentication. Retrieved March 18, 2010, from EzineArticles: http://ezinearticles.com/?The-Benefits-of-Multi-Factor-Authentication&id=1439662

Siciliano, I. a. (2010, January 5). Recession to Cause a Rise in Scams, Thievery and Hacking. Retrieved March 25, 2010, from ITRC: http://www.idtheftcenter.org/artman2/publish/headlines/2010_Trends.shtml