March 2018

Posted by othiriondebriel

The multi-factor authentication market is experiencing new dynamics. For the last 15 years, strong authentication was not a top-of-mind concern for organizations and was mainly based on hardware tokens generating one-time passwords (OTPs), a temporary 6- or 8-digit password. The user was required to first generate an OTP on his token and then copy/paste it into his online portal. It has been pretty much about two-factor authentication: “something you know” and “something you have.” Later on, in 2013, Apple released its first integrated mobile biometry solution, Touch ID, adding a new factor to the authentication process: “something you are.” As a result, the market started migrating to multi-factor authentication (MFA) with an increased focus on user convenience by leveraging the mobile platform.

Today, we see a new market shift toward a new type of authentication driven by data intelligence. Multiple trends are pushing this forward:

Cyber-attacks are growing in number and in complexity. Moving to mobile has increased the attack surface: mobile devices are less protected while being always connected. End users are also changing their habits; they like to be mobile and make extensive use of Wi-Fi networks that regularly turn out to be insecure. Attackers are using advanced tools, such as artificial intelligence and machine learning, and are attacking at different levels to get around the protections deployed by organizations. Therefore, making sure the user is who he claims to be (authenticating the user) is critical, and so is making sure the user’s environment is safe.

This means that multi-factor authentication on its own is no longer sufficient: strong authentication has no value on a device that has been compromised, or over a communication channel between the authentication device and the server that is eavesdropped on because of improper protection. So, in order to ensure genuine multi-factor authentication, organizations have to protect the full environment.

Some of the recent regulations that require multi-factor authentication now also require transaction monitoring mechanisms, also called threat and fraud detection services. For example, the Payment Services Directive 2 (PSD2) in Europe requires Strong Customer Authentication but also transaction monitoring mechanisms. In a similar way, the 3D Secure 2 protocol and the New York State regulation for financial institutions (23 NYCRR 500) refer to risk-based authentication.

Moreover, the traditional multi-factor authentication market is under a lot of pressure. New, nimble companies are proposing authentication services that are easy to set up and easy to use for any organization willing to increase the security level of its end users. The FIDO Alliance, historically pushed by Google and PayPal, is defining a new, simple-to-use authentication protocol. Traditional IAM companies, which provide adjacent functionality (SSO, identity management, …), are now also proposing multi-factor authentication options for almost no additional cost. Authentication in this context has become a commodity, in a market where providing benefit will require offering new premium services with enhanced security and an intuitive user experience based on data analytics, machine learning and AI.

As mentioned earlier, mobile biometry has been adopted very rapidly by end users, as it creates the perception that no password is required anymore and that it is safe. But very few know that mobile biometry is about convenience, not about security. Indeed, it is easier to smile at a phone or to put a finger on the sensor than to type a password or even enter a PIN code. For user convenience, the threshold for validating the user on mobile fingerprint readers or mobile face recognition solutions is low, and this has a negative impact on security. But end users love it. Consequently, it is increasingly adopted as a factor in the context of multi-factor authentication, which requires organizations to increase security in the background to make sure this will not lower the overall level of security of their authentication process.

Last, but not least, users are getting used to consumer-centric services that are easy to use and very intuitive. Therefore, they are less and less willing to accept a cumbersome user experience for the sake of security. The traditional use of the OTP with copy/paste manipulation, even though it has proven its efficiency in terms of security, is seen as difficult to use. End users expect better solutions with a better user experience and no downside on security.

Posted by ymassard@hidglobal.com

Spectre and Meltdown are two recently discovered security flaws that affect modern CPUs in PCs and mobile devices. While these vulnerabilities are being mitigated, it may be a good time to consider how they may impact your user authentication strategy.

These two flaws take advantage of multiple applications running in parallel to perform timing and side-channel attacks, essentially letting the attacker access the memory and read data on your PC or mobile device, regardless of the privilege protections built into the operating system and the CPU.

The scariest part was that some browsers were vulnerable to these attacks. Users going to a malicious site (or a hacked reputable site) could be affected, letting the attacker access the memory of the PC, smartphone or tablet, including the credentials you use to authenticate.

If this is a username/password(s), the attacker could leverage those credentials to create a beachhead into your IT system and plan further escalation of privilege.

Even if you are using more advanced forms of authentication, if the credentials are stored on your PC or smartphone, they could be compromised.

One option to limit these attacks is to use a dedicated authenticator. Dedicated authenticators typically embed a secure element into a small device, often in the form of a smart card, a USB dongle or a Bluetooth token. The secure element at its core acts as a vault and never lets your authentication secrets leave it. Instead, it uses a digital signature to prove to your IT system that it is you and not an attacker. That means the attacker cannot reuse your credentials to access your IT system.

These secure elements are essentially a computer with a CPU, RAM and EEPROM or flash memory, dedicated to its security purpose, as opposed to a PC running your line-of-business application, an email client, a spreadsheet program with your sales projections and a web browser vulnerable to those attacks.

These secure elements are built to protect against side-channel and timing attacks. Look for devices that are FIPS 140-2 Level 2 certified so that you get third-party verification of the security of the product you are considering.
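To make the "sign instead of reveal" idea from the paragraphs above concrete, here is an added example in Go. It is not HID code or any product's firmware: a software stand-in for the secure element holds a key that never leaves it and signs a fresh server nonce; the server accepts only a signature over the outstanding challenge, so a signature that an attacker lifted from host memory is useless at the next login. The names Authenticator, Server and the user "alice" are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator stands in for the secure element: the private key is generated
// inside it and never leaves. (Hypothetical software model; a real token keeps
// the key in tamper-resistant hardware.)
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only thing enrolled with the server at registration time.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign answers a server challenge; only the signature leaves the device.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// Server holds enrolled public keys and one outstanding challenge per user.
type Server struct {
	enrolled map[string]*ecdsa.PublicKey
	pending  map[string][]byte
}

func NewServer() *Server {
	return &Server{enrolled: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Server) Enroll(user string, pub *ecdsa.PublicKey) { s.enrolled[user] = pub }

// Challenge issues a fresh 32-byte random nonce for one login attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify accepts the login only if sig is a valid signature over the
// outstanding challenge. The challenge is consumed on every attempt, so a
// signature lifted from host memory cannot be replayed at a later login.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, enrolled := s.enrolled[user]
	nonce, outstanding := s.pending[user]
	if !enrolled || !outstanding {
		return false
	}
	delete(s.pending, user)
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	token, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Enroll("alice", token.PublicKey())

	c1, _ := srv.Challenge("alice")
	sig1, _ := token.Sign(c1)
	fmt.Println("genuine login accepted:", srv.Verify("alice", sig1)) // true

	// An attacker who read sig1 out of the PC's memory tries it against the next challenge.
	srv.Challenge("alice")
	fmt.Println("replayed signature accepted:", srv.Verify("alice", sig1)) // false
}
```

The point of the design is that the host PC only ever sees the public key, the nonce and a signature; even a full memory read of the browser process yields nothing that can be presented again, which is exactly the property a password or a cached software credential lacks.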

Multi-factor credentials stored on your PC or smartphone provide significant security improvements over passwords, with the advantage that they do not require a separate device. However, if you are concerned that you may be vulnerable to Spectre and Meltdown or similar future attacks, consider a dedicated authenticator whose single purpose is to protect your credentials!

HID Global has a range of dedicated authenticators, including Crescendo® Smart Cards, ActivKey® USB Tokens and ActivID® BlueTrust Tokens. Contact us for more information.

Posted by mrobinton

With thousands of people pouring into and out of high-rise office buildings each day, there is a growing demand not only to ensure the safety and security of each person, but also to create more connected experiences for people interacting with buildings. Technologies are emerging to expand how building occupants and tenants engage, interact and work in new intelligent workspaces. In addition, such innovations enable facility managers to proactively provide a safer working environment, achieve a smarter building equipment maintenance experience, and comply with a myriad of local and federal inspection mandates.

Today, using next-generation BLE beacons, cloud services and current mobile networks has significantly reduced the infrastructure cost of deploying smart building IoT applications. BLE-to-Wi-Fi location services provide facility managers with real-time visibility into when a specific area is being used throughout the workday, to assist in space planning and overall building utilization, from individual offices and shared workspaces to heavily used conference rooms. There are numerous benefits to using IoT solutions that leverage BLE and Wi-Fi in smart environments, including:

  • Building occupants and visitors can easily navigate throughout the building using wayfinding location services for directional assistance, making it easier to collaborate, locate team members and instantly find meeting spaces.
  • Facility managers can assign access to specific secure zones in a room, manufacturing floor, or any area that requires an additional layer of zone-based security.
  • Operations staff can use real-time location services to easily locate critical items, from office equipment to mission-critical machinery or hospital equipment.
  • Emergency teams and building managers can ensure that all occupants have exited a building for accurate accountability in emergency situations using live location awareness data.

IoT applications that leverage BLE and NFC identification and sensing technologies are also beneficial for streamlining maintenance and inspection processes across building operations. Receiving real-time performance data on HVAC systems and other capital equipment can minimize costly repairs and equipment downtime. For example, maintenance departments would no longer need complex, expensive devices to manage, monitor or measure equipment health. Instead, frictionless condition monitoring can accurately capture vibration, temperature, motion and other equipment health indicators through BLE sensors and cloud solutions that can be seamlessly integrated into existing applications.

Streamlining fire & safety inspection and maintenance

Similar efficiencies are realized when trusted NFC identification tags and a cloud authentication platform are combined with Computerized Maintenance Management Software (CMMS) to simplify fire and safety equipment inspections and compliance. With these solutions, those tasked with equipment maintenance and compliance can ensure that water valves and various sprinkler equipment can transact securely to provide “proof of compliance” and “proof of presence.” With a simple tap of his or her smartphone or other NFC device on a tag attached to fire and safety equipment, a field technician can easily respond and record each inspection digitally, in a secure and trusted cloud environment.

The same tap also verifies the identity of the field worker or technician, ensuring that the person’s credentials match the qualifications needed to service the specific equipment and that the correct field worker is servicing that piece of equipment.

From optimizing workplace efficiencies to improving maintenance and inspection for every piece of fire and safety equipment, trusted tags, cloud authentication and location services platforms help make buildings both smarter and safer. For more information, stop by HID booth #2545 at the National Facilities Management and Technology Conference & Exposition in Baltimore (March 20-22, 2018).

Posted by pan.kamal

Earlier this week SecurityWeek magazine reported on a SAML (Security Assertion Markup Language) vulnerability that was discovered and self-reported by a single sign-on vendor. These flaws were not isolated to a single vendor’s product and were reported across various products used for two-factor authentication. Exploiting these flaws could enable a man-in-the-middle attack allowing unintended users to be authenticated. http://bit.ly/2Cqhst8

An Alternative to SAML-based Single Sign-On

Security experts are now of the opinion that certificate-based authentication can provide a much-needed alternative to single sign-on (SSO) with two-factor authentication. In the past, certificate-based authentication, which relies on PKI as its underlying principle, was considered complex and hard to manage. It turns out that a well-designed, modern implementation of certificate-based authentication can be easy to use, provide a higher degree of security, deliver flexibility in enabling role-based security policy and be very cost effective.

With more and more applications natively supporting PKI-based authentication, it is highly likely that deploying certificate-based authentication is something that your IT security team will welcome with open arms.

So how does certificate-based authentication work?

Simple, easy-to-use digital certificates can be assigned to various types of entities. “People certs” are certificates assigned to users; they validate the digital identity of the person and are unique to each individual. Similarly, “machine certs” can be bound to systems and applications. In this age of IoT (Internet of Things), devices should have identities too, and of course “device certs” can help devices at the edge assert their valid identity.

In the simplest case a user connects to a trusted application on a server. The application requests to validate the identity of the user. The pre-populated user certificate, which is uniquely bound to the user, is presented to the application. After the application has validated the user certificate, access is granted.

As you can see, certificates replace the authentication portion of the interaction between the user and the server-based application. Instead of requiring the user to send passwords across the network throughout the day, the user proves possession of a private key just once, in most cases without being aware of it. For the rest of the session, the client presents the user’s certificate to authenticate the user to each new application or server it encounters, effectively providing the same convenience as single sign-on, but in a much more secure manner.

Need certificate management for a mid-to-large enterprise?

HID Global’s Credential Management System (CMS) can be deployed in the enterprise to further simplify user authentication. CMS manages the certificate lifecycle and automatically enforces security policy by asking questions like:

  • Has the digital certificate been issued by a trusted Certification Authority (CA)? HID Global’s rapidly growing IdenTrust CA is a convenient, low-cost provider of people certs; certificates from other CAs are supported as well.
  • Is the certificate still valid? CMS automatically checks expiration and triggers remediation steps.
  • Has the certificate been revoked? CMS can check for internal or external revocation and disable the credential accordingly.
  • Is the certificate still linked to a valid user? CMS leverages existing identity-proofing capabilities.
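The validation flow described under “So how does certificate-based authentication work?” and the four questions in the list above can be exercised end to end with the Go standard library. The following is an added example, not HID’s CMS or IdenTrust code: it builds a constructed corporate root CA and a rogue CA, issues one “people cert” per outcome, and applies the four checks in order (trusted issuer, validity period, revocation, link to a directory user). Policy, Scenario, issue and the example.test accounts are assumptions for illustration; the revocation map stands in for a CRL or OCSP lookup.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrUntrusted = errors.New("not issued by a trusted CA")
var ErrExpired = errors.New("certificate not valid at this time")
var ErrRevoked = errors.New("certificate has been revoked")
var ErrNoUser = errors.New("certificate not linked to a valid user")
// Policy is a hypothetical stand-in for the CMS checks: trusted issuer, validity, revocation, user link.
type Policy struct {
	Roots   *x509.CertPool
	Revoked map[string]bool   // serial number -> revoked; stands in for a CRL/OCSP lookup
	Users   map[string]string // certificate CN -> directory account (constructed directory)
}

// Authenticate returns the account a client certificate maps to, or why it was rejected.
func (p Policy) Authenticate(cert *x509.Certificate, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: p.Roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		var invalid x509.CertificateInvalidError
		if errors.As(err, &invalid) && invalid.Reason == x509.Expired {
			return "", ErrExpired
		}
		return "", ErrUntrusted // no chain to a trusted root (or another chain failure)
	}
	if p.Revoked[cert.SerialNumber.String()] {
		return "", ErrRevoked
	}
	user, ok := p.Users[cert.Subject.CommonName]
	if !ok {
		return "", ErrNoUser
	}
	return user, nil
}

// issue creates a self-signed root CA when parent is nil, otherwise a client-auth "people cert" signed by parent.
func issue(cn string, serial int64, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter, BasicConstraintsValid: true}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Scenario builds a corporate root, a rogue root and one user cert per outcome (constructed data; panics on error).
func Scenario() (Policy, map[string]*x509.Certificate) {
	day, past := time.Now().Add(24*time.Hour), time.Now().Add(-time.Minute)
	ca, caKey, err := issue("Example Corp Root CA", 1, day, nil, nil)
	rogue, rogueKey, err2 := issue("Rogue CA", 2, day, nil, nil)
	if err != nil || err2 != nil {
		panic("CA generation failed")
	}
	certs := map[string]*x509.Certificate{}
	// alice: everything in order; bob: expired; carol: revoked below; dave: no directory account.
	for cn, exp := range map[string]time.Time{"alice": day, "bob": past, "carol": day, "dave": day} {
		if certs[cn], _, err = issue(cn, int64(10+len(certs)), exp, ca, caKey); err != nil {
			panic(err)
		}
	}
	// mallory: a well-formed cert issued by a CA the server does not trust.
	if certs["mallory"], _, err = issue("mallory", 20, day, rogue, rogueKey); err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return Policy{Roots: roots, Revoked: map[string]bool{certs["carol"].SerialNumber.String(): true},
		Users: map[string]string{"alice": "alice@example.test", "bob": "bob@example.test", "carol": "carol@example.test"}}, certs
}
func main() {
	p, certs := Scenario()
	for _, cn := range []string{"alice", "bob", "carol", "dave", "mallory"} {
		user, err := p.Authenticate(certs[cn], time.Now())
		fmt.Printf("%-8s user=%q err=%v\n", cn, user, err)
	}
}
```

Two design points worth noting. The chain check is done with the CA pool as the only trust anchor and with the client-authentication extended key usage required, so a server or code-signing certificate from the same CA would not pass as a user credential. The revocation and user-link checks run only after the chain check succeeds, which keeps an untrusted certificate from probing the revocation list or the directory at all.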

Who else is doing this?

More people than you think. With the growth in cloud adoption and enterprises adopting hybrid on-premises and cloud infrastructures for IT, certificate-based authentication provides a convenient, secure and easy-to-use option to deliver security for people, places, transactions and things. Mordor Intelligence, a research firm in the security space, published a report showing an 11.12% CAGR (compound annual growth rate) for certificate-based authentication solutions over the period 2018-2023. For more information on HID Global identity and access management solutions, please visit www.hidglobal.com/identity-management