Delfigo Security - Strong Authentication

Identity and Authentication Blog

Not Enough to Rely on One Time Passwords?

One time passwords are commonly viewed as an easy to use strong authentication method, but a recent report by the Javelin Group and Nok Nok Labs suggests that heavily relying on OTP, especially on Android, carries a significant risk of fraud, as hackers figure out ways to compromise the secure messages this method of authentication relies on. With a high percentage (41%) of Android users using OTP with their financial accounts last year, it is important for users to understand the risks and that not all strong authentication methods are created equal.

The report recommends that users "Use the effective authentication capabilities of the mobile device. To protect mobile users and their accounts from vulnerabilities associated with the use of passwords, take advantage of hardware integrated into mobile devices to protect all channels. More secure solutions, such as those based on biometrics, can be delivered directly to consumers without the cost of providing additional hardware."

 

The Real Risk of Device Theft

A healthcare focused study by Bitglass reveals that theft of user devices and resulting theft of personal information poses significant risks to companies and end users.

We often think of the theft of credit card data as being the most common threat to identity and user data but the Bitglass report points out that healthcare related data accessed via stolen devices has the potential to cause many more problems for organizations and their users when it falls into the wrong hands. An article in SC Magazine discussing the results of the Bitglass report points out:

"Citing a 2013 EMC report (PDF), Bitglass noted that the value of stolen health records on the black market far outweighs that of credit card information, and that criminals can “continue using or selling the [PHI] even after the victim knows it's been compromised,” as opposed to credit card information, for instance, that can be quickly devalued by canceling a card.

A health record is sold on average for $50 on the black market, while a stolen Social Security number usually fetches $1, the report said."

In addition to the value of these records to thieves who can reuse and resell them, the Bitglass report states that 68% of data breaches occurred when devices were lost or stolen, as opposed to the 23% that were due to hacking.

This problem centers around a specific need in security to assure that only the true user of the device and the applications on it can access the device. This report specifically speaks to the risk introduced by the device falling into the wrong hands, as opposed to the often cited risks associated with viruses and malware.

 

Do You Trust Apple's Touch ID?


Click here for a poll where readers are asked to state whether they "trust" the Touch ID feature which is available on the latest iPhones and iPads. With the release of iOS 8, the Touch ID APIs were made available for developers, meaning that the use of Touch ID will be possible in apps, not just on Apple's devices. However, users are still hesitant, as recent news of high profile breaches is bringing to light how easy it can be to get user data and use it for nefarious purposes. One of the dangers of fingerprint and other similar biometric technologies is that they cannot be changed - and can be permanently compromised. Still, where many users seem to be hesitant even as Touch ID is presented as a more secure alternative to a traditional password or PIN, many others are ready to embrace new authentication technologies.

 

Are We Ready for the Biometrics Revolution?

Biometrics are poised to become a widely accepted way to secure devices and applications, and in many cases to replace "traditional" authentication methods such as passwords and tokens. The Washington Post discussed this "biometric revolution" and asked whether we are really ready for the paradigm shift it will bring.

As we collectively adopt this new technology, it is crucial to remember how it differs from what we are accustomed to in terms of it not being "something we know" (like a password or PIN) or "something we have" (such as a token, smart card, QR code...). Biometrics by their nature are something we "are", which makes them perfect for authenticating the user's identity, but challenging to manage and maintain as both a provider and as a user. As a user, I can't "reset" my fingerprint (without some serious effort), and once it's compromised, that's it. New technologies will be needed to handle the issues biometric authentication introduces, and perhaps as importantly, new discussions on how it should be used will be needed. This includes a critical discussion related to privacy and identity, once users start authenticating with something they "are".

 

Are Biometrics Cool Again?

The Atlantic says biometrics can be cool again.

Citing a Google study that explores use of voice searches, two of the most common answers to the question "Why do we use voice search" were "it's cool" and "it's safer". 89% of teens and 85% of adults also said "it's the future".

With highly visible security breaches happening alongside the release of new technology to enable us to do more and more with our devices, many organizations are embracing the idea that biometrics may well be a real answer to the tough question of how to secure the many things we want to be able to do with our phones, tablets and laptops. If biometrics can be used to successfully lessen the risk associated with using apps we love, and can improve our experience while we use them, that would definitely be...Cool.

 

No Security Without Training?

Is security training for employees the key to better overall security?

Technologies designed to secure our devices, networks and environments can take us part of the way toward better security. But this article points out how absolutely necessary it is to train employees on the best security policies - a critical piece of a successful security strategy in a world where we have determined that limiting device use, mobility and the context in which we work is simply not a viable strategy. Untrained team members can introduce some of the greatest risks, simply by not prioritizing best practices such as:

  • Using strong passwords/pass phrases
  • Not leaving unencrypted laptops in vulnerable places
  • Applying software updates
  • Backing up data

When team members are well educated, they are able to take steps that will enhance their security in their work environments, and outside of them. Gradually, awareness is spreading of smart strategies to protect our personal information, as described in this article that goes so far as to suggest that we routinely try to "hack" ourselves. Thinking this way should extend to our working lives as well.

 

Sacrificing Security for Productivity?

BYOD continues to drive end user reliance on mobile devices, and continues to highlight security risks as users increase their use of insecure apps.

"...Possibly the biggest obstacle that IT security meets is user resistance. BYOD has turned the security paradigm on its head. Where IT once dictated to users what they could do, users are now calling the shots and, swayed by the convenience and flexibility of mobile connectivity, 52 percent 'frequently sacrifice security practices to realize the efficiency benefits,' said a study by the Ponemon Institute", further discussed here.

In order to respond effectively to this issue, organizations and decision makers need to consider user experience and usability of security technologies they evaluate. This doesn't mean they should sacrifice security, or leave it out of their budgets and road maps. Usability will actually drive security (which users also want, and know they need) in situations where the right solution makes it easy to access apps securely without sacrificing speed or productivity.

 

Is a Combination of Authentication Methods the Right Approach?

It seems that we're always recovering from, or hearing about, the latest security breach or vulnerability. This week it was Home Depot, who announced that they "have completed a major payment security project that provides enhanced encryption of payment card data at point of sale in our U.S. stores, offering significant new protection for customers. The rollout of enhanced encryption to Canadian stores will be completed by early 2015. Canadian stores are already enabled with EMV “Chip and PIN” technology".

One of the most powerful elements of EMV is the fact that it combines authentication methods to strengthen the security of a transaction. Passwords themselves have taken a beating as a standalone authentication method, with many organizations choosing to deploy second or multi factor authentication, and some choosing to forgo passwords altogether. Biometrics are emerging as an answer to the "Password Problem", offering a unique credential that represents something the user "is" instead of something they "know" (which can be discovered, and reused by a bad actor), but each method has its drawbacks. This article discusses the good and bad of each method, and argues that a secure transaction may well require multiple methods at once to be optimally secure.

This idea is a compelling one, especially if the combined solution can offer an elegantly simple end user experience. Biometrics may be an ideal "enhancement" for authentication precisely because of what they are - something the user "is" (nothing to remember, receive, carry, or otherwise maintain). As we continue to discuss how to enhance security, the conversation will likely become one of the best combination of methods, instead of any one method, for security.

 

Are Biometrics Having a Moment, or Are We Waking Up to Their Value?

One of the big announcements Apple made this week along with its latest iPhone release and its new smart watch was a mobile payments platform which combines existing Apple features, support from major banks and retailers, and Apple's fingerprint authentication. Is this an indicator that biometrics are finally reaching a place of widespread acceptance?

One of the major roadblocks when it comes to universal acceptance and widespread adoption of biometric technologies has traditionally been the costs associated with distributing, maintaining, and collecting the technology and data required to perform biometric identification. With built in software and hardware, Apple has met this challenge head on by integrating biometric authentication into an extremely popular device and baking it into software that performs a critical function. This is a huge step forward for biometric technology on the path to ubiquity.

iPhones aside, where are we, really? "...there is no blanket acceptance of all biometrics – users have a preference for which types are used and how they are used. One study found the most acceptable application of biometrics was for passports (75%) or ID verification (53%) in official contexts, with credit card verification around 56%. Users were most accepting of fingerprint, hand, voice and keystroke/signature recognition (over 90%), with one third considering iris and retina recognition as potentially risky to their health" says this article discussing the rise of biometrics. Increasing awareness of biometric technologies, combined with an increasing collective acknowledgement of the danger of fraud in our everyday lives will push adoption forward.

The key could well be identifying the best use cases possible, where biometric authentication enhances, instead of detracting from, the user experience. Apple realizes that mobile is one such use case, and that payments is an area where authentication is both required, and in need of an overhaul. Biometrics as an elegant solution to a real problem is a significant step forward for the industry and the space. It won't be long before adoption becomes more widespread, with Gartner predicting that 30% or more of users with devices connected to enterprise networks will be using biometric authentication by 2016.

 

