What will happen to authentication and passwords? Translation of the Javelin report "Strong Authentication Status" with comments

Spoiler from the report's title page: "The use of strong authentication is increasing, driven by the threat of new risks and by regulatory requirements."
The research company Javelin Strategy & Research has published the report "The State of Strong Authentication 2019" (the original PDF can be downloaded here). The report covers: what percentage of American and European companies still use passwords (and why that share is shrinking); why the share of two-factor authentication based on cryptographic tokens is growing so fast; and why one-time codes sent via SMS are insecure.

Everyone interested in the present, past and future of authentication in enterprises and in user applications is welcome.

From the translator

Alas, the language of this report is rather "dry" and formal. And the fivefold use of the word "authentication" in one short sentence is not the translator's crooked hands (or brain), but the authors' whim. When translating, out of two options (to give readers a text closer to the original, or a more readable one) I sometimes chose the first and sometimes the second. But be patient, dear readers, the content of the report is worth it.

Some parts of little significance and not needed for the narrative were removed; otherwise most readers would not have got through the whole text. Those wishing to read the report "uncut" can do so in the original language by following the link.

Unfortunately, the authors are not always precise with terminology. Thus one-time passwords (One Time Password, OTP) are sometimes called "passwords" and sometimes "codes". With authentication methods things are even worse: it is not always easy for the unprepared reader to guess that "authentication using cryptographic keys" and "strong authentication" are the same thing. I tried to unify the terms as much as possible; besides, the report itself contains a section describing them.

Nevertheless, the report is highly recommended reading, because it contains unique research results and correct conclusions.

All figures and facts are given without the slightest change, and if you disagree with them, argue not with the translator but with the authors of the report. My own comments (set off as quotes and italicised in the text) are value judgements, and I will gladly argue about each of them (as well as about the quality of the translation).

Review

Nowadays, digital channels of communication with customers matter more to businesses than ever. Within the enterprise, too, communication between employees is more digitally oriented than ever before. How secure these interactions are depends on the chosen method of user authentication. Attackers exploit weak authentication to compromise user accounts en masse. In response, regulators are tightening standards to force businesses to protect user accounts and data better.

Authentication threats extend beyond consumer applications: attackers can also gain access to applications running inside an enterprise, which lets them impersonate corporate users. Through access points with weak authentication, attackers can steal data and carry out other fraudulent activity. Fortunately, there are countermeasures. Strong authentication can significantly reduce the risk of attack on both consumer applications and enterprise business systems.

This study looks at how enterprises implement authentication to secure user applications and enterprise business systems; the factors they weigh when choosing an authentication solution; the role strong authentication plays in their organizations; and the benefits these organizations receive.

Summary

Main conclusions

Since 2017, the use of strong authentication has skyrocketed. As the number of vulnerabilities affecting traditional authentication solutions grows, organizations are strengthening their authentication capabilities with strong authentication. The number of organizations using cryptographic multi-factor authentication (MFA) has tripled since 2017 for consumer applications and increased by nearly 50% for enterprise applications. The fastest growth is in mobile authentication, thanks to the growing availability of biometric authentication.

Here we see an illustration of the saying "until the thunder strikes, the peasant will not cross himself." While experts warned about the insecurity of passwords, no one hurried to implement two-factor authentication. As soon as hackers started stealing passwords, people began implementing it.

True, individuals are implementing 2FA much more actively. Firstly, it is easier for them to calm their fears by relying on the biometric authentication built into smartphones, which is in fact very unreliable. Organizations, on the other hand, have to spend money on buying tokens and carry out the (actually very simple) implementation work. Secondly, only the lazy have not written about password leaks from services like Facebook and Dropbox, but the CIOs of these organizations will never, under any circumstances, share stories about how passwords were stolen (and what happened next).

Those who do not use strong authentication underestimate the risk to their business and customers. Some organizations that do not currently use strong authentication tend to view logins and passwords as one of the most effective and easy-to-use user authentication methods. Others do not see the value of the digital assets they own. Yet it is worth remembering that cybercriminals are interested in any consumer and business information. Two-thirds of companies that use only passwords to authenticate their employees do so because they believe passwords are good enough for the type of information they protect.

However, passwords are on their way to the grave. Over the past year, reliance on passwords has dropped significantly for both consumer and enterprise applications (from 44% to 31% and from 56% to 47%, respectively) as organizations expand their use of traditional MFA and strong authentication.

But taking the situation as a whole, vulnerable authentication methods still prevail. For user authentication, about a quarter of organizations use SMS OTP (one-time passwords) along with security questions. As a result, additional protections have to be put in place to compensate for the vulnerability, which increases costs. Much stronger authentication methods, such as hardware-based cryptographic keys, are used far less often, in about 5% of organizations.

The evolving regulatory environment promises to accelerate the adoption of strong authentication for consumer applications. With the introduction of PSD2, as well as new data protection regulations in the EU and in a number of US states such as California, companies are feeling the heat. Nearly 70% of companies agree that they face strong regulatory pressure to provide strong authentication to their customers. More than half of enterprises believe that within a few years their authentication methods will no longer be sufficient to meet regulatory standards.

The difference between the approaches of Russian and American/European legislators to protecting the personal data of users of programs and services is plain to see. The Russians say: dear service owners, do what you want, how you want, but if your admin leaks the database, we will punish you. Abroad they say: you must implement a set of measures that will not allow the database to be dumped. That is why requirements for strong two-factor authentication are being introduced with might and main.
True, it is far from certain that our legislative machine will not come to its senses one fine day and take Western experience into account. Then it will turn out that everyone needs to implement 2FA meeting Russian cryptographic standards, and urgently.

Building a strong authentication foundation allows companies to shift their focus from meeting regulatory requirements to meeting customer needs. For organizations still using simple passwords or codes sent via SMS, compliance will be the most important factor in choosing an authentication method. Companies that already use strong authentication, however, can focus on choosing the authentication methods that increase customer loyalty.

When choosing a method of corporate authentication within an enterprise, regulatory requirements are no longer a significant factor. Here, ease of integration (32%) and cost (26%) matter much more.

In the age of phishing, attackers can use corporate email to defraud, to gain access to data and accounts (with the corresponding access rights), and even to persuade employees to transfer money to the attacker's account. Therefore, corporate mail and portal accounts must be especially well protected.

Google has stepped up its security by implementing strong authentication. More than two years ago, Google published a report on its implementation of two-factor authentication based on cryptographic security keys conforming to the FIDO U2F standard, with impressive results. According to the company, there have been no phishing attacks against its more than 85 employees.

Recommendations

Implement strong authentication for mobile and online applications. Multi-factor authentication based on cryptographic keys is much harder to break than traditional MFA methods. In addition, cryptographic keys are much more convenient, because there is no need to enter and transmit additional information (passwords, one-time passwords or biometric data) from the user's device to the authentication server. Moreover, the standardization of authentication protocols makes it much easier to adopt new authentication methods as they become available, reducing operating costs and protecting against more sophisticated fraud schemes.

Get ready for the end of one-time passwords (OTPs). The vulnerabilities inherent in OTPs are becoming increasingly apparent as cybercriminals use social engineering, smartphone cloning and malware to compromise these authentication tools. Where OTPs do have advantages in some cases, it is only in universal accessibility for all users, not in security.

It is impossible not to notice that receiving codes via SMS or push notifications, as well as generating codes with smartphone apps, is the very same one-time password (OTP) whose decline we are being told to prepare for. From a technical point of view the decision is quite correct, because rare is the fraudster who does not try to worm a one-time password out of a gullible user. But I think the makers of such systems will cling to the dying technology to the last.

Use strong authentication as a marketing tool to increase customer trust. Strong authentication can do more than improve the actual security of your business. Informing customers that your business uses strong authentication can reinforce the public perception of that business's security, an important factor when there is significant customer demand for strong authentication methods.

Conduct a thorough inventory and importance assessment of corporate data and protect it according to its importance. Even low-risk data such as customer contact information (no, really, the report does say "low-risk"; it is very strange that they underestimate the importance of this information) can be of significant value to fraudsters and cause problems for the company.

Use strong authentication within your enterprise. Some systems are the most attractive targets for criminals. These include internal and Internet-connected systems such as accounting software or a corporate data warehouse. Strong authentication prevents attackers from gaining unauthorized access and also makes it possible to determine exactly which employee performed a malicious action.

What is strong authentication?

Strong authentication uses several methods, or factors, to authenticate a user:

  • Knowledge factor: a secret shared between the user and the party authenticating the user (for example, passwords, answers to security questions, etc.)
  • Ownership factor: a device that only the user has (for example, a mobile device, a cryptographic key, etc.)
  • Inherence factor: physical (often biometric) characteristics of the user (e.g. fingerprint, iris pattern, voice, behaviour, etc.)

The need to break several factors greatly increases the attacker's chance of failure, since bypassing or deceiving different factors requires a different kind of attack for each factor separately.

For example, with "password + smartphone" 2FA, an attacker can authenticate by spying out the user's password and making an exact software copy of the smartphone. That is much harder than simply stealing a password.

But if a password and a cryptographic token are used for 2FA, the copying option does not work: the token cannot be duplicated. The fraudster would have to quietly steal the token from the user. If the user notices the loss in time and notifies the administrator, the token is blocked and the fraudster's work is wasted. That is why the ownership factor should rely on specialized secure devices (tokens) rather than general-purpose devices (smartphones).

Using all three factors makes such an authentication method rather expensive to implement and rather inconvenient to use. Therefore, two of the three factors are usually used.

The principles of two-factor authentication are described in more detail here, in the "How two-factor authentication works" section.

It is important to note that at least one of the authentication factors used in strong authentication must use public key cryptography.

Strong authentication is much more secure than classic single-factor password authentication and traditional MFA. Passwords can be spied on or intercepted using keyloggers, phishing sites or social engineering (when the deceived victim reveals the password himself). Moreover, the password's owner will know nothing about the theft. Traditional MFA (which includes OTP codes and binding to a smartphone or SIM card) can also be broken fairly easily, because it is not based on public key cryptography (incidentally, there are many examples of scammers using the same social engineering techniques to persuade users to tell them a one-time password).

Fortunately, since last year the use of strong authentication and traditional MFA has been gaining momentum in both consumer and enterprise applications. The use of strong authentication in consumer applications has grown particularly rapidly: if in 2017 only 5% of companies used it, in 2018 it was already three times more, 16%. This can be explained by the increased availability of tokens supporting public key cryptography (PKC) algorithms. In addition, increased pressure from European regulators after the adoption of new data protection rules such as PSD2 and GDPR has had a strong effect even outside Europe (including in Russia).

Let's take a closer look at these numbers. As we can see, the percentage of private individuals using multi-factor authentication has grown by an impressive 11% over the year. And this clearly happened at the expense of password lovers, since the numbers of those who trust push notifications, SMS and biometrics have not changed.

But with two-factor authentication for corporate use, things are not so good. First, according to the report, only 5% of employees were moved from password authentication to tokens. And second, the number of those using alternative MFA options in the corporate environment has grown by 4%.

I'll try to play analyst and give my interpretation. At the center of the individual user's digital world is the smartphone. So it is no wonder that most people use the capabilities the device gives them: biometric authentication, SMS and push notifications, and one-time passwords generated by apps on the smartphone itself. People usually do not think about safety and reliability when using tools they are used to.

That is why the share of users of primitive "traditional" authentication factors remains unchanged. But those who previously used passwords understand how much they risk, and when choosing a new authentication factor they settle on the newest and most secure option: a cryptographic token.

As for the corporate market, it is important to understand which system performs the authentication. If Windows domain logon is implemented, cryptographic tokens are used: support for using them for 2FA is already built into both Windows and Linux, while alternative options are long and difficult to implement. Hence the 5% migration from passwords to tokens.

The implementation of 2FA in a corporate information system, on the other hand, depends very much on the qualifications of the developers. And it is much easier for developers to take ready-made modules for generating one-time passwords than to understand how cryptographic algorithms work. As a result, even extremely security-critical applications like Single Sign-On or Privileged Access Management use OTP as a second factor.

Many vulnerabilities in traditional authentication methods

While many organizations remain dependent on legacy single-factor systems, the vulnerabilities of traditional multi-factor authentication are becoming increasingly apparent. OTPs, typically six to eight characters long and delivered via SMS, remain the most common form of authentication (besides knowing the password, of course). And when the words "two-factor authentication" or "two-step verification" appear in the popular press, they almost always refer to authentication using SMS one-time passwords.

Here the author is slightly mistaken. Delivering one-time passwords via SMS has never been two-factor authentication. It is, in its purest form, the second step of two-step verification, where the first step is entering a username and password.

In 2016, the National Institute of Standards and Technology (NIST) updated its authentication guidance to eliminate the use of one-time passwords sent via SMS. However, these rules were substantially relaxed following industry protests.

So let's follow the story. The American regulator rightly admits that outdated technology cannot ensure user safety and introduces new standards, standards designed to protect users of online and mobile applications (including banking). The industry works out how much money it would have to shell out to buy truly reliable cryptographic tokens, rework applications and deploy a public key infrastructure, and "rears up on its hind legs". On the one hand, users were persuaded of the reliability of one-time passwords; on the other, NIST came under attack. As a result, the standard was relaxed, and the number of hacks and thefts of passwords (and of money from banking applications) increased dramatically. But the industry did not have to fork out.

Since then, the inherent weaknesses of SMS OTP have become more apparent. Fraudsters use various methods to compromise SMS messages:

  • Duplicate SIM card. Attackers create a copy of the SIM (with the help of mobile operator employees, or independently, using special software and hardware). As a result, the attacker receives the SMS with the one-time password. In one particularly notorious case, hackers were even able to compromise the AT&T account of cryptocurrency investor Michael Terpin and steal nearly $24 million in cryptocurrency. Terpin then claimed that AT&T was at fault because of lax verification measures that led to the duplication of the SIM card.

    Amazing logic. So it's really AT&T's fault? Well, the mobile operator is certainly at fault in that the salespeople in the phone shop issued a duplicate SIM card, no doubt about it. But what about the cryptocurrency exchange's authentication system? Why didn't they use secure cryptographic tokens? Was the money for implementation begrudged? Isn't Michael himself to blame? Why didn't he insist on changing the authentication mechanism, or use only exchanges that implement two-factor authentication based on cryptographic tokens?

    The introduction of truly reliable authentication methods is delayed precisely because users show amazing carelessness before a hack, and afterwards blame anyone and anything for their troubles except the ancient and "leaky" authentication technologies.

  • Malicious programs (malware). One of the earliest functions of mobile malware was intercepting and forwarding text messages to attackers. Man-in-the-browser and man-in-the-middle attacks can also intercept one-time passwords when they are entered on infected laptops or desktops.

    When the Sberbank app on your smartphone blinks a green icon in the status bar, it is also looking for "malware" on your phone. The purpose of this is to make the untrusted execution environment of a typical smartphone at least somewhat trusted.
    By the way, the smartphone being an absolutely untrusted device on which anything can be done is another reason to use only hardware tokens, which are protected and free of viruses and trojans.

  • Social engineering. When scammers know that the victim has SMS one-time passwords enabled, they can contact the victim directly, impersonating a trusted entity such as their bank or credit union, to trick the victim into giving up the code they just received.

    I personally have encountered this type of fraud many times, for example when trying to sell something on a popular online flea market. I myself mocked the swindler who tried to fool me to my heart's content. But alas, I regularly read in the news how yet another victim of scammers "didn't think", gave up the confirmation code and lost a large sum. And all because the bank simply does not want to bother with introducing cryptographic tokens in its applications. After all, if something happens, the customers are "to blame".

Although alternative methods of delivering one-time passwords may mitigate some of the vulnerabilities of this authentication method, others remain. Standalone code-generating applications are the best defence against eavesdropping, since even malware is almost unable to interact directly with the code generator (seriously? has the author of the report forgotten about remote control?), but OTPs can still be intercepted when typed into the browser (e.g. with a keylogger) or through a hacked mobile application, and can also be obtained directly from the user through social engineering.

Using multiple risk-assessment tools, such as device recognition (detecting attempts to make transactions from devices that do not belong to the legitimate user), geolocation (a user who was just in Moscow is trying to perform an operation from Novosibirsk) and behavioural analytics, goes a long way toward addressing these vulnerabilities, but no single solution is a panacea. For each situation and type of data, the risks must be carefully assessed and the appropriate authentication technology chosen.
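The difference the report keeps returning to, in the "What is strong authentication?" section and in the list of SMS OTP weaknesses above, is that an OTP is just digits anyone can relay, whereas a public-key assertion is bound to the site and to a single challenge. The Go program below is an added illustration, not part of the report or of the translator's text: it puts an RFC 4226 HOTP check beside a simplified U2F-style challenge-response in which the server verifies against its own origin and consumes each challenge once. The origins bank.example and bank-example.com, the shared secret and the type names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Traditional MFA: RFC 4226 HOTP. Nothing in the six digits ties them to the site they are typed into.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[19] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

type OTPServer struct {
	secret  []byte
	counter uint64
}

// VerifyOTP accepts a matching code whoever submits it, e.g. one the victim read out to a caller.
func (s *OTPServer) VerifyOTP(code string) bool {
	if !hmac.Equal([]byte(code), []byte(hotp(s.secret, s.counter))) {
		return false
	}
	s.counter++
	return true
}

// Strong authentication: registered public key plus issued, not yet answered challenges (init the map).
type RelyingParty struct {
	origin     string
	pub        *ecdsa.PublicKey
	challenges map[[32]byte]bool
}

func (rp *RelyingParty) NewChallenge() [32]byte {
	var c [32]byte
	rand.Read(c[:])
	rp.challenges[c] = true
	return c
}

// assertionHash: the origin the client actually saw plus the challenge (simplified U2F client data).
func assertionHash(origin string, challenge [32]byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write(challenge[:])
	return h.Sum(nil)
}

// NewTokenKey models registration: the key pair is born on the token, only the public half leaves it.
func NewTokenKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign is the token's side of a login; the private key never leaves the device.
func Sign(priv *ecdsa.PrivateKey, origin string, challenge [32]byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, assertionHash(origin, challenge))
}

// VerifyAssertion uses the RP's OWN origin and consumes the challenge: relayed or replayed assertions fail.
func (rp *RelyingParty) VerifyAssertion(challenge [32]byte, sig []byte) bool {
	if !rp.challenges[challenge] {
		return false
	}
	delete(rp.challenges, challenge)
	return ecdsa.VerifyASN1(rp.pub, assertionHash(rp.origin, challenge), sig)
}
```

A signature made on a look-alike phishing origin fails because the server hashes its own origin, not the one the browser saw, and a second use of the same assertion fails because the challenge has been deleted.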

No authentication solution is a panacea

Figure 2. Table of authentication options

| Authentication method | Factor | Description | Key vulnerabilities |
|---|---|---|---|
| Password or PIN | Knowledge | A fixed value that can include letters, numbers and a variety of other characters | Can be intercepted, spied on, stolen, guessed or cracked |
| Knowledge-based authentication | Knowledge | Questions to which only the legitimate user should know the answers | Can be intercepted, guessed or obtained by social engineering |
| Hardware OTP | Possession | A dedicated device that generates one-time passwords | The code can be intercepted and replayed, or the device can be stolen |
| Software OTP | Possession | An application (mobile, browser-based, or sending codes by e-mail) that generates one-time passwords | The code can be intercepted and replayed, or the device can be stolen |
| SMS OTP | Possession | A one-time password delivered by SMS text message | The code can be intercepted and replayed; the smartphone or SIM card can be stolen; the SIM card can be duplicated |
| Smart card | Possession | A card containing a cryptographic chip and secure key storage, using a public key infrastructure for authentication | Can be physically stolen (but an attacker cannot use the device without knowing the PIN code, and after several incorrect attempts the device is blocked) |
| Security key (token) | Possession | A USB device containing a cryptographic chip and secure key storage, using a public key infrastructure for authentication | Can be physically stolen (but an attacker cannot use the device without knowing the PIN code, and after several incorrect attempts the device is blocked) |
| Device binding | Possession | A process that builds a device profile, often using JavaScript or markers such as cookies and Flash Shared Objects, to ensure that a specific device is being used | The markers can be stolen (copied), and the characteristics of a legitimate device can be imitated by an attacker on their own device |
| Behaviour | Inherence | Analyses how the user interacts with the device or program | Behaviour can be imitated |
| Fingerprint | Inherence | Stored fingerprints are compared with those read optically or electronically | The image can be stolen and used for authentication |
| Eye scan | Inherence | Characteristics of the eye, such as the iris pattern, are compared with new optical scans | The image can be stolen and used for authentication |
| Face recognition | Inherence | Characteristics of the face are compared with new scans obtained optically | The image can be stolen and used for authentication |
| Voice recognition | Inherence | Characteristics of the recorded voice sample are compared with new samples | The recording can be stolen and used for authentication, or imitated |

In the second part of the publication the tastiest bits await us: the figures and facts on which the conclusions and recommendations given in the first part are based. Authentication in user applications and in corporate systems will be considered separately.

See you there!

Source: habr.com