

Multi-Factor Authentication: What to Look For

By Clare Nelson – ISSA member, Capitol of Texas Chapter

This article discusses multi-factor authentication and what to look for if you are planning a product refresh, or implementing a solution for the first time. The goal is to arm you with questions to ask, plus identify some suboptimal technologies to avoid.

Abstract

This article discusses multi-factor authentication and what to look for if you are planning a product refresh, or implementing a solution for the first time. Since there are over 200 vendors, it is not easy to select the best solution for your needs. The goal of this article is to arm you with questions to ask, plus identify some suboptimal technologies to avoid. Your feedback to vendors will help them provide better, more secure products and services.

Multi-factor authentication is a common component of a layered security approach, beyond username and password. Those of you who studied for the CISSP exam have the definition etched in your memory. NIST defines multi-factor authentication as two or more of: something you know, something you have, or something you are.1 If you are shopping for a multi-factor authentication solution, what should you look for? There are over 200 multi-factor authentication vendors; how do you evaluate the best one for your needs? How can you give positive feedback to vendors to help improve their product offerings? You can weed out more than half of the vendors by following a simple step.

Suboptimal technologies or design choices in multi-factor authentication solutions

Just say, “No,” or request alternatives for the following suboptimal choices in some multi-factor authentication products:

• 2D fingerprints, other already-hacked or easily hacked biometrics
• Quick response (QR) codes
• Short message service one-time password (SMS OTP)
• JavaScript requirements
• Weak account recovery methods
• Over reliance on GPS
• Lack of mobile-device risk analysis
• Lack of checks for OWASP Mobile Top 10 Risks2 for mobile apps
• Encryption with backdoors, mysterious constants, or “magic numbers” of unknown provenance3
• Elastic definition of multi-factor authentication: there is a growing chasm between NIST’s definition and newer definitions from some vendors.

1 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf.

Biometrics

As German defense minister Ursula von der Leyen can attest, fingerprints can be hacked, even from photographs.4 Facial and other biometrics can also be hacked. Why, then, is biometric-based authentication so fashionable? It is easy to reset a password. It is hard to reset fingerprints. According to industry expert Dustin Kirkland, “…biometrics cannot, and absolutely must not, be used to authenticate an identity.”5 His March 15, 2015, SXSW talk title sums up his position: “Fingerprints Are Usernames, Not Passwords.”

In the US are you legally bound to surrender your fingerprint, but not your username and password? A Virginia court ruled that while police cannot force you to unlock your phone with a password, they could force you to unlock it with a fingerprint scan.6 In a number of early cases, courts held that requiring a lawfully arrested defendant to submit to fingerprinting did not violate the defendant’s constitutional rights.7 I am not an attorney. Research on this topic is left to the reader.

Are you willing to contend with error rates from false positives and false negatives?

Privacy is another concern. Your biometrics are readily available in the public domain. Your fingerprints are on that restaurant glass or almost anything else you touch. Your voice is recorded when you call a financial institution or any other organization that prompts you about voice recording for training or quality purposes. Your dandruff contains DNA. Your facial geometry and irises are present on Facebook, LinkedIn, and many other online repositories.

Biometrics for authentication are riding a wave of irrational exuberance and market acceptance. Apple Touch ID and Samsung Pay are lauded as cool and secure. According to Juniper Research, “By 2019, 770 million apps that use biometric authentication will be downloaded annually, up from 6 million in 2015. Fingerprint authentication will account for an overwhelming majority, driven by increase of fingerprint scanners in smart phones.”8 However, that does not mean you have to follow suit. Regardless of how cool, new, or secure the biometric authentication method, the threat model is basically the same. Ask your favorite vendors to reveal their threat models.

2 https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks.
3 https://www.grc.com/sqrl/sqrl.htm.
4 http://www.forbes.com/sites/paulmonckton/2014/12/30/hacker-clones-fingerprint-from-photograph/.
5 http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html.

22 – ISSA Journal | April 2015

©2015 ISSA • www.issa.org • [email protected] • Permission for author use only.

QR codes

Many information security professionals stopped using QR codes long ago. QR codes can be easily hacked and subsequently direct a person to a malicious website or other hazardous URL.9 Unfortunately, many multi-factor authentication solutions use QR codes during enrollment, or as part of an ongoing authentication process. In one scenario, the user captures the QR code with his or her mobile device, is directed to the appropriate website, and then enters a PIN code to log on or validate a transaction.

SMS OTP

In Operation Emmental, banking malware was used to scrape SMS OTPs from Android phones.10 This is just one example of how SMS OTP is susceptible to interception, including man-in-the-middle (MITM) attacks. A 2014 paper from Northeastern University and Technische Universität Berlin states, “SMS OTP systems cannot be considered secure anymore.”11

Unfortunately many multi-factor authentication vendors, including some of the market leaders, employ this method. These vendors claim that by sending an OTP via SMS to a mobile phone, that mobile phone is turned into a token (see problems with this in the Mobile Device as Token section below). SMS OTPs are sent for logon, or to challenge the user at a later point in time. The user receives the one-time password via text message, and then enters it for successful completion.

6 http://www.tomsguide.com/us/smartphone-fingerprint-unlock-virginia,news-19858.html.
7 Andre A. Moenssens and Stephen B. Meagher, “Fingerprints and the Law,” Chapter 13 of Fingerprint Sourcebook, US National Institute of Justice (2011).
8 http://www.nfcworld.com/2015/01/22/333665/juniper-forecasts-biometric-authentication-market/.
9 http://www.csoonline.com/article/2133890/mobile-security/the-dangers-of-qr-codes-for-security.html.
10 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf.
11 https://www.eecs.tu-berlin.de/fileadmin/f4/TechReports/2014/tr_2014-02.pdf.

JavaScript

Many multi-factor authentication vendors require JavaScript to track user behavior such as keystroke or mouse characteristics. In some cases, and when an app is downloaded, JavaScript code is inserted into the browser. If WhiteHat Security’s Aviator browser is in use, or JavaScript has been disabled for other browsers, the multi-factor authentication solution will not work.

Account recovery

In many cases, once multi-factor authentication is enabled, if a user loses the ability to authenticate, the vendor cannot help. This is by design; otherwise it would make it too easy for an impostor to gain access by pretending to be the out-of-luck user, unable to authenticate.

According to Google product management director for identity Eric Sachs, account recovery is the Achilles heel of authentication.12 Google Authenticator recovery keys are provided during enrollment. The user is told to print them out, and store them in a wallet or safe place. Other vendors have account recovery methods that assume you enrolled a trusted device, because that trusted device is needed to restore access to your account. There is no silver bullet yet; that is why this topic is repeated below. Let vendors know you care about account recovery and its attendant poor ease-of-use and vulnerabilities.

Account recovery methods

As mentioned above, recovery is the Achilles heel of authentication. Those of you who use Google Authenticator probably have a piece of paper with ten recovery codes, and it is tucked away in a safe place.
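What a printed-recovery-code scheme of the kind described above has to get right on the server side, as an added example that is not code from this article, from Google Authenticator, or from any vendor: the codes are shown once and never stored in the clear, the stored form is a slow salted hash, each code is usable exactly once, and redemption compares in constant time. The code format (8 symbols from a 32-symbol alphabet, about 40 bits each), the count of ten, and the PBKDF2 parameters are this example’s own assumptions.

```python
"""Single-use recovery codes: generate, store only hashes, burn on redemption.

Added example; not code from the ISSA article, Google Authenticator or any
vendor. The code format, the number of codes and the PBKDF2 parameters are
this example's own assumptions.
"""
import hashlib
import hmac
import secrets

CODE_COUNT = 10
CODE_LENGTH = 8
# 32 symbols with 0/O and 1/l removed, so codes survive being read off paper.
ALPHABET = "abcdefghijkmnpqrstuvwxyz23456789"
PBKDF2_ROUNDS = 100_000   # assumption; tune to your server's budget


def _normalize(code):
    """Accept the code however the user typed it: case, dashes and spaces are ignored."""
    return code.replace("-", "").replace(" ", "").lower()


def generate_codes(count=CODE_COUNT):
    """Return `count` fresh codes formatted 'xxxx-xxxx', to be shown to the user once."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        codes.append(f"{raw[:4]}-{raw[4:]}")
    return codes


def _digest(code, salt):
    # Codes are short, so the stored form is a slow, salted hash: a leaked
    # table must not be brute-forceable offline in seconds.
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, PBKDF2_ROUNDS)


def store_codes(codes):
    """Server-side record for one user: a per-user salt, one digest per code,
    and a used flag. The plaintext codes are never stored."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "entries": [{"digest": _digest(c, salt), "used": False} for c in codes],
    }


def redeem_code(store, candidate):
    """Return True and mark the code used if `candidate` matches an unused code.

    The candidate is hashed once and compared against every entry with a
    constant-time comparison; the loop never exits early, so timing does not
    reveal which slot, if any, matched.
    """
    probe = _digest(candidate, store["salt"])
    matched = None
    for entry in store["entries"]:
        if hmac.compare_digest(probe, entry["digest"]) and not entry["used"]:
            matched = entry
    if matched is None:
        return False
    matched["used"] = True
    return True


def codes_remaining(store):
    """How many codes are still unused; prompt the user to regenerate when this gets low."""
    return sum(1 for e in store["entries"] if not e["used"])


if __name__ == "__main__":
    codes = generate_codes()
    print("Print these and keep them somewhere safe:", *codes, sep="\n  ")
    store = store_codes(codes)
    print("redeem first code:", redeem_code(store, codes[0]))
    print("redeem it again:  ", redeem_code(store, codes[0]))
    print("codes remaining:  ", codes_remaining(store))
```

Two points to check in a vendor’s implementation map directly onto this code: whether a redeemed code is really dead (a replayed code must fail) and whether the database holds the codes themselves or only their hashes.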

GPS

In 2012, researchers at University of Texas, Cockrell School of Engineering, successfully spoofed GPS, even under the watchful eye of the US Department of Homeland Security.13 Since civil GPS signals are neither encrypted nor authenticated, they are especially easy to spoof.14 If GPS is one of several factors, or part of an overall user profile, there may be no issue. However, if geolocation is one of only two factors, then the solution could be at risk for targeted attacks based on GPS spoofing.

12 http://www.zdnet.com/article/google-unveils-5-year-roadmap-for-strong-authentication/.

13 http://www.ae.utexas.edu/news/features/todd-humphreys-research-team-demonstrates-first-successful-gps-spoofing-of-uav.

14 http://www.ted.com/talks/todd_humphreys_how_to_fool_a_gps#t-681339.
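How geolocation can be used as one signal among several, the way the GPS section above recommends and the context-based authentication and threat-intelligence sections later in this article describe (device fingerprint, source IP reputation, geolocation, geovelocity), as an added example that is not code from this article or from any vendor. The key design point is that the client-reported GPS fix is attacker-controlled, so it is cross-checked against the location implied by the source IP and against the time since the last accepted login; a spoofed fix alone can therefore never satisfy the policy. The thresholds, weights, IP-to-location table, threat list, user names and sample events are all constructed assumptions.

```python
"""Geolocation as one risk signal among several, not as an authentication factor.

Added example; not code from the ISSA article or from any vendor. All
thresholds, weights, lookup tables and sample events are constructed.
"""
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0


@dataclass
class LoginEvent:
    user: str
    ts: float          # unix time in seconds
    device_id: str     # identifier of the enrolled device (assumed format)
    src_ip: str        # source IP as seen by the server
    gps: tuple         # (lat, lon) reported by the client app; attacker-controlled


# Constructed stand-ins for a GeoIP database and a threat-intelligence feed.
IP_GEO = {
    "203.0.113.10": (37.77, -122.42),   # San Francisco
    "198.51.100.7": (42.36, -71.06),    # Boston
    "192.0.2.55": (55.75, 37.62),       # Moscow
}
BAD_IPS = {"192.0.2.55"}
ENROLLED_DEVICES = {"alice": {"dev-a1"}}

# Policy knobs (assumptions): how far a phone's GPS may disagree with its IP
# geolocation, and the speed above which travel between two logins is impossible.
MAX_GPS_IP_DISTANCE_KM = 300.0
MAX_SPEED_KMH = 1000.0
STEP_UP_SCORE = 40
DENY_SCORE = 80


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def score_login(prev, cur):
    """Return (score, reasons) for `cur`; `prev` is the last accepted login or None.

    Geovelocity is computed from the IP-derived locations, which the client
    cannot choose freely; the reported GPS fix is used only when the IP
    cannot be geolocated.
    """
    score, reasons = 0, []
    if cur.device_id not in ENROLLED_DEVICES.get(cur.user, set()):
        score += 40
        reasons.append("device not enrolled")
    if cur.src_ip in BAD_IPS:
        score += 50
        reasons.append("source IP on threat list")
    ip_loc = IP_GEO.get(cur.src_ip)
    if ip_loc is None:
        score += 20
        reasons.append("source IP not geolocatable")
    else:
        gap = haversine_km(cur.gps, ip_loc)
        if gap > MAX_GPS_IP_DISTANCE_KM:
            score += 40
            reasons.append(f"GPS fix {gap:.0f} km from IP location (possible spoof)")
    if prev is not None:
        hours = max(cur.ts - prev.ts, 1.0) / 3600.0
        speed = haversine_km(IP_GEO.get(prev.src_ip, prev.gps), ip_loc or cur.gps) / hours
        if speed > MAX_SPEED_KMH:
            score += 40
            reasons.append(f"impossible travel at {speed:.0f} km/h")
    return score, reasons


def decide(score):
    """Map a risk score to an action: allow, step-up (extra challenge) or deny."""
    if score >= DENY_SCORE:
        return "deny"
    if score >= STEP_UP_SCORE:
        return "step-up"
    return "allow"


if __name__ == "__main__":
    base = LoginEvent("alice", 0.0, "dev-a1", "203.0.113.10", (37.77, -122.42))
    # The article's example: San Francisco to Boston in two minutes.
    boston = LoginEvent("alice", 120.0, "dev-a1", "198.51.100.7", (42.36, -71.06))
    # GPS spoofed to look local, but the packets arrive from a listed IP.
    spoof = LoginEvent("alice", 120.0, "dev-a1", "192.0.2.55", (37.77, -122.42))
    for ev in (base, boston, spoof):
        s, why = score_login(None if ev is base else base, ev)
        print(decide(s), s, why)
```

Run stand-alone it prints an allow for the baseline login, a step-up for the two-minute San Francisco to Boston jump, and a deny for the spoofed-GPS login from the listed address. The vendor question this suggests is where each signal comes from: anything the client reports about itself (GPS, device name, local time) should only ever add risk, never remove it.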


Mobile device as token

If the mobile device is used as a token, is the mobile device checked for malware prior to enrollment and on an ongoing basis? According to some industry experts, “Mobile is the new adversarial ingress point.”15 Some multi-factor authentication vendors assume the mobile device contains malware or is otherwise compromised. They take action, and continuously scan for future issues with the mobile device.

OWASP Mobile Top 10 Risks

If a mobile app is used (hopefully this is not the case; but if it is), was the mobile app checked against the OWASP Mobile Top 10 Risks? In 2014, researchers analyzed over 38,000 mobile apps and discovered that most of them displayed an assortment of the Top 10. Over 67% of the apps had OWASP Mobile Top 10 risk “M3,” insufficient transport layer protection.16

Encryption

Encryption is an excellent technology for multi-factor authentication. However, sometimes you have to pull teeth to get straight answers about a vendor’s encryption implementation. Ask questions about the life expectancy of the cryptographic method in light of quantum computing. According to some cryptologists, quantum computing may break RSA or ECC by 2030.17 A brief Google search provides a range of answers, some earlier, some later than 2030. Ask about encryption backdoors, and whether or not it is NIST-free or NSA-free (plus the appropriate agency for your country). Of course, no one wants mysterious constants or “magic numbers” of unknown provenance.18 If the multi-factor authentication solution is open source, enlist the help of an expert to look under the hood.

Definition of multi-factor authentication

NIST states that mobile device identification, time, and geolocation could be used to challenge an identity, but “they are not considered authentication factors.”19 There is a growing chasm between the NIST definition for multi-factor authentication and that of some of the multi-factor authentication vendors. Many vendors consider mobile device identification, geolocation, and time as factors. This is not serious when many other parameters, in some cases over 400, are used. However, if such a signal is counted as one of the two or three “factors” in an implementation, that implementation is weaker than many competitive offerings.

15 http://guardtime.com/blog/biggest-enterprise-risk-mobile-devices.
16 http://metaintelli.com/blog/2015/01/06/industry-first-metaintelli-research-discovers-large-number-of-mobile-apps-affected-by-owasp-mobile-top-10-risks/.
17 January 18, 2015: Ralph Spencer Poore, cryptologist, Austin ISSA guest lecturer.
18 https://www.grc.com/sqrl/sqrl.htm.
19 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf.
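A quick way to apply the NIST definition above to a vendor’s marketing, as an added example that is not code from this article or from NIST: list what the vendor calls its factors, map each to know/have/are or to a non-factor signal, and count distinct categories. Three “factors” that are a password plus device identification plus geolocation come out as one NIST factor. The mapping of authenticator types to categories is this example’s own reading of the definition, and the warnings simply echo the article’s own list of technologies to avoid.

```python
"""Count the distinct NIST factors in a vendor's "multi-factor" bundle.

Added example; not code from the ISSA article or from NIST. The mapping of
authenticator types to categories is this example's reading of the NIST
know/have/are definition, with device identification, time and geolocation
treated as signals rather than factors, as the article describes.
"""
from collections import Counter

# Authenticator type -> NIST factor category, or "context" for non-factor signals.
FACTOR_OF = {
    "password": "know",
    "pin": "know",
    "security_question": "know",
    "hardware_otp_token": "have",
    "software_otp_app": "have",
    "push_to_enrolled_device": "have",
    "sms_otp": "have",             # possession of a phone number; see the SMS OTP section
    "fingerprint": "are",
    "face": "are",
    "voice": "are",
    "device_id": "context",        # NIST: may trigger a challenge, but not a factor
    "geolocation": "context",
    "time_of_day": "context",
    "ip_reputation": "context",
}

# Authenticators the article lists as suboptimal, with the reason it gives.
WEAK = {
    "sms_otp": "SMS OTPs can be scraped or intercepted (Operation Emmental)",
    "fingerprint": "2D fingerprints can be cloned, even from photographs, and cannot be reset",
}


def assess(authenticators):
    """Classify a bundle of authenticator names and count distinct NIST factors.

    Returns the vendor's headline count (everything it calls a factor), the
    NIST count (distinct know/have/are categories), the non-factor signals,
    and warnings for authenticators the article flags.
    """
    unknown = [a for a in authenticators if a not in FACTOR_OF]
    if unknown:
        raise ValueError(f"unknown authenticator type(s): {unknown}")
    per_category = Counter(FACTOR_OF[a] for a in authenticators)
    nist_factors = sorted(c for c in per_category if c != "context")
    return {
        "vendor_claimed_factors": len(authenticators),
        "nist_factors": nist_factors,
        "nist_factor_count": len(nist_factors),
        "is_multi_factor": len(nist_factors) >= 2,
        "context_signals": [a for a in authenticators if FACTOR_OF[a] == "context"],
        "warnings": [f"{a}: {WEAK[a]}" for a in authenticators if a in WEAK],
    }


if __name__ == "__main__":
    for bundle in (["password", "hardware_otp_token"],
                   ["password", "device_id", "geolocation"],
                   ["password", "pin", "security_question"],
                   ["fingerprint", "sms_otp"]):
        r = assess(bundle)
        print(bundle, "->", r["nist_factor_count"], "NIST factor(s),",
              "multi-factor" if r["is_multi_factor"] else "NOT multi-factor",
              r["warnings"])
```

The useful output is the gap between `vendor_claimed_factors` and `nist_factor_count`: when the gap is large and the NIST count is one, the product is single-factor authentication with risk signals attached, whatever the data sheet says.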

Better technology and design choices for multi-factor authentication solutions

For internal employees, hard tokens and complex, multi-step enrollment processes may be acceptable. However, for external consumers or customers, ease of use requirements are far more critical. Some multi-factor authentication vendors offer the following:

• Invisible user enrollment (e.g., no mobile app to download)
• Invisible user challenges for step-up authentication
• Push notification (instead of SMS OTP)
• More than just two-factor authentication: context-based or adaptive authentication methods based on user profiles; in the case of one vendor, user profiles are amassed over time and contain over 400 parameters
• Integration with live threat intelligence services to detect malicious IP addresses, malware, or other undesirable or abnormal characteristics
• Appropriate total cost of ownership (TCO) that matches your budget and unique requirements

Invisible user enrollment

In many cases, multi-factor authentication vendors require a user to download a mobile app and then go through a multi-step process for enrollment. A small number of newer multi-factor authentication market entrants simply start monitoring the user, and do not require an involved enrollment process. No software or hardware tokens are necessary. This strategy was developed with the external consumer or customer in mind.

Invisible user challenges

The old-school method for user challenges includes asking for the name of your first pet, answering a phone call with voice verification, or responding to SMS OTP. Other vendors have found methods of challenging users invisibly, without bothering the user. For example, one vendor assumes that when your cursor is lost, you jiggle your mouse in a unique way. Once this jiggle is recorded in your unique profile, if there is a need to perform a step-up challenge to ensure your identity is not fake or stolen, your cursor is made invisible, and the way you jiggle your mouse to find it is compared with the stored, expected response. This is just one example, taken from behavioral biometrics. There are many other vendors that seek to make the user experience as painless as possible.

Push notification instead of SMS OTP

For iOS and OS X devices, the Apple push notification service (APNS) can be used instead of SMS OTP or other, less secure alternatives. With APNS, “each device establishes an accredited and encrypted IP connection with the service and receives notifications over this persistent connection.”20 For Android, as well as Apple, some vendors provide proprietary, patented push mechanisms for smart phones. The push technology is designed to be more secure than SMS OTP, especially against MITM attacks.

Context-based authentication

There are many variations on a theme for this topic. Some vendors refer to adaptive authentication, or risk-based authentication. They all agree that two-factor authentication is insufficient and propose aggregated and layered contextual factors. For example, these factors can include device registration and fingerprinting, source IP reputation data, geolocation, geofencing (define an acceptable area), geovelocity (the user moved from San Francisco to Boston in two minutes), and behavioral analysis. A user risk profile is constructed and updated on a continuous basis.

Integration with live threat intelligence services

As noted in the description of context-based authentication above, in some cases it relies on a threat intelligence feed. Some multi-factor authentication vendors have integrated their products with live threat intelligence services in order to create a comprehensive user risk profile. This makes it easier to detect abnormal behavior from possible identity theft or other malicious attacks.

Total cost of ownership

One would expect downward pricing pressure to take hold in such a teeming, competitive market. However, pricing still carries vestiges of high-priced hardware token offerings. There is a vast price range for multi-factor authentication solutions. Different pricing models make it difficult to conduct apples-to-apples comparisons. One popular model for multi-factor authentication is based on $/user/month.

Open source vendors give away the software, and charge for support. Other vendors are shockingly expensive. For one such vendor, a 2014 Gartner report stated, “Its pricing is in the highest quartile for Scenario 2 for on-premises solutions.”21 Scenario 2 is described in a separate document, dated October 2012. After all of the digging, the pricing characteristics remain qualitative, not quantitative. Needless to say, there is a high level of complexity in the pricing discussion. Fortunately, a number of vendors are aware of this. They publish their pricing, and are flexible in negotiating reasonable terms.

20 https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/ApplePushService.html.
21 Ant Allan, and Anmol Singh. Gartner Magic Quadrant for User Authentication (December 1, 2014).

Tips: More secure, more suitable for your needs

The crowded multi-factor authentication market is very competitive. You may find some of the vendors are flexible and open to your input.

• As noted above for the case of biometric-based authentication, ask the vendor for a threat model of the solution, regardless of the methodology.
• Don’t hesitate to give feedback or ask for what you need. I recently told the CEO of a multi-factor authentication vendor that the enrollment process was too complicated and that it comprised too many steps. His team responded immediately with a streamlined version.
• Let the vendor know that you understand account recovery is not glamorous, but it is a common weak link or vulnerability. Let the vendor know you are interested in the product road map and hope that improvements in account recovery are imminent.

Websites for multi-factor authentication vendors may not readily display the content you need. Be prepared to do plenty of research and engage in conversations with knowledgeable employees to evaluate the product or service prior to conducting a proof of concept.

Conclusion

Based on the list of technologies to avoid, outlined in the beginning of this article, you are now armed to evaluate multi-factor authentication solutions and their associated vulnerabilities. If you engage with vendors and convey your concern, perhaps they will take measures to create products and services that are more secure. You are also armed with positive attributes and will easily identify vendors that are making design trade-offs in favor of security at the expense of ease of development and time to market. Good luck and caveat emptor!

Resources

—Allan, Ant; Singh, Anmol; Ahlm, Eric. December 1, 2014. Gartner Magic Quadrant for User Authentication.
—Fontana, John. May 9, 2013. “Google Unveils 5-Year Roadmap for Strong Authentication,” http://www.zdnet.com/article/google-unveils-5-year-roadmap-for-strong-authentication/.
—Krissler, Jan. December 2014. Video, “Ich sehe, also bin ich … Du” (“I see, therefore I am … you”), https://www.youtube.com/watch?v=vVivA0eoNGM&feature=youtu.be.
—Maler, Eve and Cser, Andras. December 30, 2013. Forrester Market Overview: Employee and Customer Authentication Solutions in 2013.
—Nelson, Clare. March 13, 2015. “The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Technologies Are Irresponsible,” BSides Austin, http://www.slideshare.net/eralcnoslen/the-inmates-are-running-the-asylum-why-some-multifactor-authentication-technology-is-irresponsible.
—OWASP contributing authors. September 2014. “Guide to Authentication,” https://www.owasp.org/index.php/Guide_to_Authentication#What_is_two_factor_authentication.2C_really.3F.
—Schwartz, Michael. January 15, 2014. “Achilles Heel of Two-Factor Authentication,” http://www.gluu.org/blog/2fa_achilles_heel/.
—Trader, John. July 24, 2014. “The Impact of Biometrics in Banking,” http://blog.m2sys.com/financial-services/impact-biometrics-banking/.
—Valente, Emilio. 2009. “Two-Factor Authentication: Can You Choose the Right One?” SANS Institute White Paper, as part of the Information Security Reading Room, http://www.sans.org/reading-room/whitepapers/authentication/two-factor-authentication-choose-one-33093.

About the Author

Clare Nelson, CISSP, founded strategy and business development firm ClearMark Consulting in 2001. She served on the ISSA Capitol of Texas Chapter board in 2012 and 2013 and is active in the information security community. She may be reached at [email protected].
