Should SPECTRE and Meltdown Make You Reconsider Your Approach to Multifactor Authentication?


Spectre and Meltdown are two recently discovered security flaws that affect modern CPUs in PCs and mobile devices. While these vulnerabilities are being mitigated, it may be a good time to consider how they may impact your user authentication strategy.

These two flaws exploit applications running in parallel on the same CPU to perform timing and side-channel attacks, essentially letting the attacker read memory on your PC or mobile device regardless of the privilege protections built into the operating system and the CPU.

The scariest part was that some browsers were vulnerable. Users visiting a malicious site (or a compromised reputable site) could be affected, giving the attacker access to the memory of the PC, smartphone or tablet, including the credentials you use to authenticate.

If those credentials are a username and password, the attacker could use them to create a beachhead in your IT system and plan further privilege escalation.

Even if you use more advanced forms of authentication, credentials stored on your PC or smartphone could still be compromised.

One option to limit these attacks is to use a dedicated authenticator. Dedicated authenticators typically embed a secure element into a small device, often in the form of a smart card, a USB dongle or a Bluetooth token. The secure element at its core acts as a vault and never lets your authentication secrets leave it. Instead it uses a digital signature to prove to your IT system that it is you and not an attacker. That means the attacker cannot reuse your credentials to access your IT system.
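To make the "secrets never leave the vault" idea concrete, here is an added example (not HID code) in Go that models a dedicated authenticator as a challenge-response signer: the private key exists only inside the token, the server stores only the public key, and a response captured from the host PC's memory cannot be replayed against a fresh challenge. The token and server types, and the use of ECDSA P-256, are assumptions of this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models a dedicated token (hypothetical, not HID firmware): the
// private key is generated inside it and never leaves; the host only sees Sign.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Server stores only the enrolled public key, which is not a secret.
type Server struct{ pub *ecdsa.PublicKey }

// Enroll creates the key pair inside the token and gives the server the public half.
func Enroll() (*Authenticator, *Server, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv}, &Server{&priv.PublicKey}, nil
}

// Sign answers a challenge; the signature proves possession without exposing the key.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	d := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, d[:])
}

// NewChallenge issues 32 fresh random bytes so every login is different.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify accepts a login only if sig was made over this exact challenge.
func (s *Server) Verify(challenge, sig []byte) bool {
	d := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(s.pub, d[:], sig)
}

func main() {
	auth, srv, _ := Enroll()
	c1, _ := srv.NewChallenge()
	sig, _ := auth.Sign(c1) // this response is all the host PC ever sees
	c2, _ := srv.NewChallenge()
	fmt.Println("genuine login:", srv.Verify(c1, sig), "replayed response:", srv.Verify(c2, sig))
}
```

Compare this with a password: a password read from memory works again on the next login, whereas the signed response is bound to one challenge and the key it came from stays inside the token.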

Those secure elements are essentially a small computer with a CPU, RAM and EEPROM or flash memory, dedicated to its security purpose, as opposed to a PC running your line-of-business application, an email client, a spreadsheet program with your sales projections and a web browser vulnerable to these attacks.

Those secure elements are built to resist side-channel and timing attacks. Look for devices that are FIPS 140-2 Level 2 certified so that you have third-party verification of the security of the product you are considering.

Multifactor credentials stored on your PC or your smartphone provide significant security improvements over passwords, with the advantage that they do not require a separate device. However, if you are concerned that you may be vulnerable to Spectre and Meltdown attacks or similar future attacks, consider a dedicated authenticator whose single purpose is to protect your credentials!

HID Global has a range of dedicated authenticators, including Crescendo® Smart Cards, ActivKey® USB Tokens and ActivID® BlueTrust Tokens. Contact us for more information.