Google Site Search


Saturday, November 17, 2007

I authenticated you but are you WHO you say you are?

Ok, you may say that the whole goal of the authentication process is to identify and ascertain that you ARE who you say are. But how has the authentication process progressed over years and how safe has it been?

Some thoughts:
a) Overwhelmingly majority of the world's authentication systems have been based on passwords. Dictionary attacks and weak passwords aside, this phenomenon has just led to disasters and nothing else. Your systems may have incorporated a Password Policy but over time your users get tired of coming up with new passwords because your system will not accept any of your old passwords. Remember that many of your users are smart and will create strong passwords, but they cannot generate them often, BECAUSE your system is not the only system that they interact with. They interact with a large number of systems. So they are more prone to create 2 or 3 strong passwords and try to use them around. Now, if you have a password policy, then they will not be able to use these small set of passwords they have generated, to keep themselves safe. What are they going to do? They will generate one - write it someplace or store it in a text file on their laptop. There you go. Your password policy brought you probably compliance with some regulation, but screwed your users.

b) There are many banks and financial institutions still using social security number as the primary means of identifying you, in place of regular user chosen "username". Of course, I understand that customer support costs money. Hence you chose the simplest means of uniquely identifying a US based customer. If you have read my earlier blog post about "The Underground Digital Economy", you will have jitters like I have about such approaches. The main point is that a PHISING email sent to any person will get an user entering his SSN as the username and password. The password is not very significant here because apart from the particular bank/financial institution being in danger, the SSN captured has basically exposed the victim to multiple frauds.

c) Multi Factor Authentication: This comes in multiple flavors, typically two factor authentication. You have another piece of credential apart from your password to identify you. This additional piece can be a token card, hardware device or some kind of a mutually agreed answer to a question. Well, Bruce Schneier is not very excited about the Two Factor Authentication.

d) Knowledge Based Authentication:I will not go into details about KBA. But you can read the harm caused by it. Also Bruce is not pretty convinced about Secret Questions.

There are other authentication mechanisms that I am NOT going to dive into.

Wish I could give you an answer to safely authenticate someone, without endangering your infrastructure as well as the legitimate user you were trying to authenticate. Once I know the answer, I will tell you.

No comments: