Vanguard Magazine

Vanguard AprMay 2018

Preserving capacity, General Tom Lawson, Chief of the Defence Staff, Keys to Canadian SAR

Issue link: http://vanguardcanada.uberflip.com/i/985397


The Last Word, April/May 2018, www.vanguardcanada.com

George Santayana famously wrote, "Those who cannot remember the past are condemned to repeat it." His words ring particularly true regarding cybersecurity issues such as passwords.

Authentication systems that rely solely on a username and password provide an unacceptably poor level of security for most Internet applications. Passwords are easily intercepted, stolen through social engineering, and even guessed. Predictable human factors result in password reuse across multiple systems, magnifying the impact of breaches. In December 2017, security researchers at 4iQ discovered a 41-gigabyte file containing a shocking 1.4 billion username and password combinations.

Adding a second authentication factor is definitely an improvement, and over the past few years many businesses, including Amazon, Facebook, and Google, have adopted open standards such as FIDO U2F, the Time-based One-time Password algorithm (TOTP), and the HMAC-based One-time Password algorithm (HOTP). Curiously, the finance and insurance verticals have resisted stronger multi-factor authentication (MFA) mechanisms, relying instead on significantly weaker knowledge-based factors to reinforce passwords.

Despite the widespread availability of these open technologies, the vast majority of Internet-accessible systems continue to use simple username and password schemes, and many users fail to take advantage of MFA even when it is offered for free. According to The Register, less than ten per cent of Gmail users have enabled it, even though obtaining access to an email account allows an intruder to identify and take over most of the user's other online accounts. To be fair, Google leads the pack: unlike most email providers, it uses heuristics to identify and block suspicious behaviour.
But the low MFA enrollment rate highlights a major factor contributing to weak authentication: most Internet users overestimate the strength of their password and underestimate the risk of compromise. Password systems remain inexpensive to implement, and as long as customers accept them as "good enough," there is little incentive for developers to adopt more robust authentication systems.

Even individuals and businesses that recognize the value of strong authentication frequently struggle to implement MFA. While various open source solutions exist, they lack the ease of use and simple integration necessary to propel them into mainstream solutions. Many consist of multiple components and are too complex and expensive to deploy. Few developers want to write their own authentication system, but until existing solutions meet modern application development requirements, they have little choice.

To facilitate adoption, a practical MFA system should be available as an easily deployable virtual appliance and should leverage an open-source clusterable database to meet scalability and availability requirements. To support web applications, the system must include an easily brandable web front-end capable of authenticating users, resetting credentials, and other management capabilities, ideally leveraging a standard such as OpenID. This allows developers to deploy the authentication server in an isolated environment and minimize the likelihood of compromise; the fact that credentials are so often stolen during web application hacks illustrates why this isolation is required.

Mobile app authentication is more complex. Many apps use a simple RESTful API with a username and password for authentication, but this makes multi-factor authentication difficult. For most mobile apps, a better approach is to use a web browser window for at least the initial authentication and then allow the user to stay logged in for a relatively long time.
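The browser-window approach for mobile apps, worked through as an added example that is not code from the article or from any product it describes. The article names no protocol, so the example assumes the OAuth 2.0 authorization code flow with PKCE, the flow OpenID Connect is built on, and simulates both sides in one process: the native app, and the isolated authentication server that the system browser is sent to, where the password and any MFA prompt happen. The app never handles the password; the code it receives is single-use and bound to a verifier only the app holds; and a long-lived refresh token, rotated on every use, is what keeps the user signed in. The client ID, redirect URI, token lifetimes and user names are made up for illustration.

```python
"""Browser-based initial sign-in for a mobile app, simulated end to end.

Added example: the article names no protocol; this assumes the OAuth 2.0
authorization code flow with PKCE (what OpenID Connect builds on). The
client ID, redirect URI, lifetimes and user names are made-up values.
"""
from __future__ import annotations

import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs

ACCESS_TTL = 15 * 60            # assumed: short-lived access token
REFRESH_TTL = 30 * 24 * 3600    # assumed: "stay logged in for a relatively long time"


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, S256 code_challenge); the verifier never leaves the app."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """The isolated authentication server the browser is sent to.

    Password and MFA are checked here, on the server's own pages; the app
    only ever sees an authorization code and the tokens it is exchanged for.
    """

    def __init__(self) -> None:
        self._codes: dict[str, tuple] = {}     # one-time code -> (client, redirect, challenge, user)
        self._refresh: dict[str, tuple] = {}   # refresh token -> (user, expiry)

    def authorize(self, client_id, redirect_uri, code_challenge, user, mfa_passed):
        """Browser step; returns the redirect back into the app carrying the code."""
        if not mfa_passed:
            raise PermissionError("multi-factor authentication required")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, code_challenge, user)
        return f"{redirect_uri}?code={code}"

    def token(self, client_id, redirect_uri, code, code_verifier):
        """Back-channel step: redeem the code, proving possession of the verifier."""
        entry = self._codes.pop(code, None)            # single use: any replay fails
        if entry is None:
            raise PermissionError("unknown or already-used code")
        cid, ruri, challenge, user = entry
        if (cid, ruri) != (client_id, redirect_uri):
            raise PermissionError("client or redirect URI mismatch")
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not secrets.compare_digest(expected, challenge):
            raise PermissionError("PKCE verification failed")
        return self._issue(user)

    def refresh(self, refresh_token):
        """Silent renewal; the presented refresh token is retired (rotation)."""
        entry = self._refresh.pop(refresh_token, None)
        if entry is None or entry[1] < time.time():
            raise PermissionError("refresh token invalid or expired")
        return self._issue(entry[0])

    def _issue(self, user):
        refresh_token = secrets.token_urlsafe(32)
        self._refresh[refresh_token] = (user, time.time() + REFRESH_TTL)
        return {"access_token": secrets.token_urlsafe(32), "expires_in": ACCESS_TTL,
                "refresh_token": refresh_token, "user": user}


class MobileApp:
    """Native client: opens the browser once, then keeps the session alive itself."""

    def __init__(self, server, client_id="example-mobile", redirect_uri="com.example.app:/callback"):
        self.server, self.client_id, self.redirect_uri = server, client_id, redirect_uri
        self.tokens = None

    def sign_in(self, user, mfa_passed=True):
        verifier, challenge = make_pkce_pair()
        redirect = self.server.authorize(self.client_id, self.redirect_uri, challenge, user, mfa_passed)
        code = parse_qs(redirect.split("?", 1)[1])["code"][0]   # app receives the redirect
        self.tokens = self.server.token(self.client_id, self.redirect_uri, code, verifier)
        return self.tokens

    def stay_signed_in(self):
        self.tokens = self.server.refresh(self.tokens["refresh_token"])
        return self.tokens


if __name__ == "__main__":
    app = MobileApp(AuthServer())
    first, renewed = app.sign_in("alice"), None
    renewed = app.stay_signed_in()
    print("signed in as", first["user"], "; refresh token rotated:",
          first["refresh_token"] != renewed["refresh_token"])
```

Two properties carry the security argument: the authorization server will not hand out a code until its own MFA check passes, so a RESTful password-only endpoint is never exposed to the app; and a stolen code is useless on its own, because redeeming it requires the verifier and the code is destroyed on the first attempt, successful or not.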
Many open source projects, even those with enviable internal designs, neglect the user experience, resulting in an undeployable product. To be successful, an authentication server requires an intuitive, responsive, and attractive user interface.

Beyond application and user interfaces, a successful authentication service will provide extensible, adaptive, risk-based multi-factor authentication. Rather than adopting a binary "password correct or not" approach, the future of authentication takes into account the security requirements of the application and multiple signals to make intelligent, reliable, and user-friendly authentication decisions.

For applications requiring a moderate level of security, a short numeric PIN may be sufficient for a user who has recently authenticated with MFA from the same computer, browser version, and IP address. If the user fails three login attempts, a standard MFA authentication could be required. Should the same authentication attempt originate from a different computer located on a different continent, an enhanced authentication requirement could be triggered. Depending on application security requirements, it may be advisable to block or delay the login for a period of time. An adaptable system could take into account user travel history and similar information.

On the other hand, a high-security application such as a VPN for administrator-level access to systems should require MFA for every connection. Applications with low security requirements might prompt for multiple factors only when suspicious behaviour is detected.

Other information, including IP reputation, intelligence feeds, and lists of known compromised passwords, should be incorporated into the MFA system. For example, if a user logs in with a username and password exposed in a data breach, MFA authentication and a password change would be initiated.

Santayana was clearly ahead of his time. It's 2018 and we need to catch up.
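The adaptive, risk-based policy sketched in the preceding paragraphs (PIN on a trusted, recently-MFA'd context; standard MFA after three failures; enhanced MFA for a different computer on a continent outside the user's travel history; MFA on every connection for a high-security application; step-up on a bad IP reputation; and MFA plus a forced password change when the password appears in a breach list), as an added example that is not code from the article or from any product it describes. The five decision levels, the 12-hour trust window, the signal names and the sample users, addresses and breach list are all assumptions made for illustration. The breach list is indexed by SHA-1 prefix so a lookup only ever needs the first five hex characters of the hash, the range-query pattern public breached-password services use; that pattern is likewise an assumption, not something the article specifies.

```python
"""Risk-based MFA policy engine along the lines the article sketches.

Added example, not code from the article or any product. The decision
levels, thresholds and signal names are assumptions for illustration;
the breached-password corpus is constructed sample data.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

RECENT_MFA_WINDOW = 12 * 3600   # assumed: how long a full MFA login earns PIN-only access
MAX_FAILED_ATTEMPTS = 3         # article: three failures trigger standard MFA


class Requirement(Enum):        # ordered: a stronger requirement always wins
    PASSWORD = 0                # password alone is enough
    PIN = 1                     # short numeric PIN on a trusted, recently-MFA'd context
    MFA = 2                     # standard second factor (TOTP, U2F, ...)
    ENHANCED_MFA = 3            # additional or stronger factors
    BLOCK = 4                   # refuse the attempt (a delay could be applied instead)


class Sensitivity(Enum):
    LOW, MODERATE, HIGH = 1, 2, 3   # HIGH: e.g. VPN for administrator access


@dataclass(frozen=True)
class Device:
    device_id: str
    browser_version: str
    ip: str
    continent: str


@dataclass
class UserHistory:
    last_mfa_device: Optional[Device] = None     # context of the last full MFA login
    seconds_since_mfa: float = float("inf")
    failed_attempts: int = 0
    continents_seen: set[str] = field(default_factory=set)   # travel history


@dataclass
class LoginContext:
    username: str
    password: str
    device: Device
    ip_reputation_bad: bool = False   # from an IP reputation / intelligence feed


@dataclass
class Decision:
    requirement: Requirement
    force_password_change: bool
    reasons: list[str]


def build_breach_corpus(plaintexts: list[str]) -> dict[str, set[str]]:
    """Index a breached-password list by SHA-1 prefix so only hashes are kept."""
    buckets: dict[str, set[str]] = {}
    for pw in plaintexts:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        buckets.setdefault(digest[:5], set()).add(digest[5:])
    return buckets


def password_is_breached(password: str, corpus: dict[str, set[str]]) -> bool:
    """Range-style lookup: the 5-char prefix selects a bucket, the suffix is matched within it."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in corpus.get(digest[:5], set())


def decide(app: Sensitivity, ctx: LoginContext, hist: UserHistory,
           corpus: dict[str, set[str]]) -> Decision:
    level, reasons, force_reset = Requirement.PASSWORD, [], False

    def raise_to(req: Requirement, why: str) -> None:
        nonlocal level
        level = req if req.value > level.value else level
        reasons.append(why)

    # Baseline set by the application's security requirement
    if app is Sensitivity.HIGH:
        raise_to(Requirement.MFA, "high-security application: MFA on every connection")
    elif app is Sensitivity.MODERATE:
        if hist.last_mfa_device == ctx.device and hist.seconds_since_mfa <= RECENT_MFA_WINDOW:
            raise_to(Requirement.PIN, "recent MFA from same computer, browser and IP: PIN suffices")
        else:
            raise_to(Requirement.MFA, "no recent MFA from this context")
    # LOW: password only, unless a signal below steps it up

    if hist.failed_attempts >= MAX_FAILED_ATTEMPTS:
        raise_to(Requirement.MFA, f"{hist.failed_attempts} failed attempts")
    last = hist.last_mfa_device
    if (last is not None and ctx.device.device_id != last.device_id
            and ctx.device.continent != last.continent
            and ctx.device.continent not in hist.continents_seen):
        raise_to(Requirement.ENHANCED_MFA, "different computer on a continent not in travel history")
    if ctx.ip_reputation_bad:
        raise_to(Requirement.BLOCK if app is Sensitivity.HIGH else Requirement.ENHANCED_MFA,
                 "source IP flagged by reputation / intelligence feed")
    if password_is_breached(ctx.password, corpus):
        force_reset = True
        raise_to(Requirement.MFA, "password appears in a known breach: MFA, then forced change")
    return Decision(level, force_reset, reasons)


# Constructed sample data: not real users, addresses or breach records
SAMPLE_CORPUS = build_breach_corpus(["password123", "letmein", "qwerty"])
LAPTOP = Device("laptop-1", "Firefox/59", "203.0.113.10", "North America")
PHONE_ABROAD = Device("phone-7", "Safari/11", "198.51.100.7", "Europe")


def recent_history(failed: int = 0, seconds_since_mfa: float = 600) -> UserHistory:
    """A user who completed MFA on LAPTOP ten minutes ago and has only been seen in North America."""
    return UserHistory(LAPTOP, seconds_since_mfa, failed, {"North America"})


if __name__ == "__main__":
    for app, dev, pw in [(Sensitivity.MODERATE, LAPTOP, "correct horse battery"),
                         (Sensitivity.MODERATE, PHONE_ABROAD, "correct horse battery"),
                         (Sensitivity.LOW, LAPTOP, "letmein")]:
        d = decide(app, LoginContext("alice", pw, dev), recent_history(), SAMPLE_CORPUS)
        print(app.name, dev.device_id, "->", d.requirement.name, d.reasons)
```

The engine never lowers a requirement once a signal has raised it, so the order in which signals are evaluated only affects the explanation recorded in `reasons`, not the outcome. Keeping those reasons is deliberate: an adaptive system that cannot say why it challenged a user is hard to tune and harder to defend in an incident review.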
Multi-Factor Authentication, by Eric Jacksch

Eric Jacksch is a leading cybersecurity analyst with over 20 years of practical security experience. He has consulted to some of the world's largest banks, governments, automakers, insurance companies and postal organizations.
