- What is user authentication?
- What is strong authentication?
- Why is there a need for strong authentication?
- What kinds of intruding attacks are there?
- What is a smart card?
- What is a hardware token?
- What is biometrics?
- What is authorization?
- What is Authernative’s foundation?
- How does Authernative address the challenge of Internet authentication?
- How secure is Authernative’s solution?
- Why not just use passwords?
- Why not just use hardware tokens?
- Why not just use smart cards?
- Why not just use biometrics?
- What is unique about Authernative’s authentication technology?
- What is unique about Authernative’s authorization technology?
- How does Authernative’s authentication compare to other types of solutions?
- What are the mandatory requirements for business IT security?
- Why do you need online self-reset of authentication credentials?
- Why do you need online account setup capabilities?
- Why do you need automated security and system administration event logs / databases?
- Why do you need encryption of authentication credentials on communication lines?
What is User Authentication?
User authentication is the process of verifying the identity of a person. A legitimate user accessing a network through the Internet, an extranet, or an intranet must be positively identified and verified through digital means. The means used to establish the identity claimed by the user are known as authentication factors:
Authentication by Knowledge (something only the user knows):
- A password or pass phrase
- A PIN
- Information about the user or family members
- Secret answers to agreed questions
Authentication by Ownership (something only the user possesses):
- A physical key
- A magnetic-stripe card
- A token that generates a one-time password
Authentication by Characteristic (something only the user is, or does):
- A biometric trait: fingerprint, iris pattern, hand geometry, voice
What is strong authentication?
Strong authentication is any combination of two or more of the above factors (and possibly others), also called two- or three-factor authentication. Combining several independent authentication factors gives much stronger protection against intruding attacks. For example, one factor may be something the user knows, such as a password or PIN, while the second factor may be something the user has, such as a token or a smart card. If one of the factors is lost or stolen, that factor alone is not enough to compromise the user’s identity.
Why is there a need for strong authentication?
More and more businesses are utilizing the speed and economic advantages of the Internet to transact and exchange sensitive or confidential information. While expanding their e-business environments to employees, customers, and partners, businesses become exposed and vulnerable to many risks, including unauthorized access, fraud, IP theft, information leaks, and malicious harm. If users’ identities are not properly authenticated, an organization has no assurance that access to resources and services is properly controlled. Businesses with an Internet presence can have a potentially large community of customers and partners in diverse geographic locations, connected only through a browser. Strong authentication is therefore of critical importance to positively identify such participants.
What kinds of intruding attacks are there?
Below are common intruding attacks used to gain authentication credentials or access to resources.
Password Guessing: An intruder tries to log in with a real user name while making password guesses based on personal knowledge of the user.
Phishing Attack: Phishing attacks use "spoofed" e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account user names and passwords, social security numbers, etc. More sophisticated phishing attacks do not require user intervention. Users who merely open a malicious e-mail containing spyware, a Trojan, or other malware have their systems modified so that the next time they visit their bank’s online site, the browser redirects to a fake address where the user’s login information is captured and invisibly sent to the attacker. In other cases victims are directed to the real bank web site while a pop-up window is overlaid to capture details. In still other cases a key logger is downloaded that captures the customer’s identifier and password, or grabs screenshots of users authenticating themselves. "Layered site" phishing attacks overlay the authentic site: once the financial data has been extracted, the fake site fades and the real site emerges.
Man-in-the-Middle: A man-in-the-middle (MITM) attack is one in which an attacker is able to read, insert and modify at will the messages between two parties without either party knowing that the link between them has been compromised. The attacker must be able to observe and intercept messages passing between the two victims. A closely related attack is the replay attack, in which messages from an authorized user logging onto a network are captured by an attacker and resent (replayed) later, for example the next day. Even though the messages may be encrypted, and the attacker may not know the actual keys and passwords, retransmission of valid logon messages is sufficient to gain access to the network.
Dictionary Attack: An intruder uses a brute-force technique of successively trying all the words in some large, comprehensive list against the password file or a copy of it. The intruder encrypts (hashes) each trial value using the same algorithm that the system’s login program uses.
Log-In Session Videotaping: Breakthroughs in sensor technology have made micro audio and video sensors, and other tools for covert observation, widely and commercially available. Video and/or audio recording is possible from a significant distance and at any time of day, jeopardizing secret passwords or PINs entered by computer or network users at public locations: ATMs, point-of-sale terminals, Internet terminals offered at conferences, cafes and libraries, shared open offices where desktop terminals are within everybody’s visual reach, and other places.
Shoulder Surfing: An intruder standing near the legitimate user watches the password being entered.
Social Engineering: An intruder pretends to be an administrator or a real user and asks for a password to be disclosed or reset.
Trojan Horse: Hidden, downloaded software that presents an imitation of the standard login session but collects user names and passwords instead. The program is often concealed in software unknowingly downloaded by users or spread by intruders.
Keystroke Monitoring: Secretly installed software that keeps a log of all keystrokes.
Con Artists: Con artists with special hearing or observation skills and training can work out a password while being quite far from the real user.
Network Sniffing: An intruder records user names and passwords while they are in transit on communication lines.
Keyboard Buffer Memory Sniffing: Some desktop operating systems have no hardware protection against an intruder’s software copying passwords from the keyboard buffer.
Password File Theft: An attacker reads users’ passwords from the password file, security database, or a backup copy.
What is a smart card?
A smart card is a credit-card-sized device with both memory and a CPU on board, enabling client/server communication and client-side data processing. It is used to store personal credentials and/or other information. The smart card often requires a PIN to unlock the card.
What is a hardware token?
A hardware token is a device that generates a one-time password used to access secure resources. It is time- or event-synchronized with the server in advance. The device can take the form of:
- a card the size of a credit card but thicker,
- a small handheld device or key fob with an LCD window,
- a USB fob,
- a calculator-style device,
- a PDA or smart phone running vendor-supplied software.
What is biometrics?
Biometrics provides a method of generating authentication information for a person by digitizing measurements of a physiological or behavioral characteristic. Whatever characteristic is used (e.g. fingerprint, retina scan, hand geometry, voice pattern), the identity of a user is verified by comparing a "live" sample, encoded from the captured image or data, with a reference template that was created during an enrollment process.
What is authorization?
Authorization is the process of allowing a specific user access to certain resources, based on a pre-determined set of rules called a user profile or policy. Authorization should be granular, meaning it is able to differentiate between users so that each user is only able to access their own specific information.
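As an added illustration, not part of the original page or of Authernative's product, the Python below models the granular, deny-by-default authorization check just described: a user's profile carries roles, a policy table says which actions each role may perform on each kind of resource, and a second rule confines users to records they own unless their role is explicitly allowed to act across users. All role, user and resource names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    kind: str    # category the policy speaks about, e.g. "account"
    owner: str   # user the record belongs to
    ident: str   # record identifier


@dataclass(frozen=True)
class Profile:
    user: str
    roles: frozenset


# Policy (constructed): role -> resource kind -> permitted actions.
# Anything not listed here is denied; there is no default-allow path.
POLICY = {
    "customer": {"account": frozenset({"read", "update"})},
    "teller":   {"account": frozenset({"read"}), "report": frozenset({"read"})},
    "auditor":  {"report": frozenset({"read"})},
}

# Roles whose duties cover other users' records. Every other role is confined
# to the user's own data, which is the granularity the FAQ asks for.
CROSS_USER_ROLES = frozenset({"teller", "auditor"})


def authorize(profile: Profile, action: str, resource: Resource) -> tuple:
    """Return (allowed, reason). Both the role rule and the ownership rule must pass."""
    role_allows = any(
        action in POLICY.get(role, {}).get(resource.kind, frozenset())
        for role in profile.roles
    )
    if not role_allows:
        return False, f"no role of {profile.user} permits {action} on {resource.kind}"
    if resource.owner != profile.user and not (profile.roles & CROSS_USER_ROLES):
        return False, f"{profile.user} may only {action} their own {resource.kind} records"
    return True, "allowed"


def demo() -> dict:
    """Decisions for a few constructed principals; the second entry is the one that
    separates granular authorization from a plain role check."""
    alice = Profile("alice", frozenset({"customer"}))
    tom = Profile("tom", frozenset({"teller"}))
    ann = Profile("ann", frozenset({"auditor"}))
    alice_acct = Resource("account", owner="alice", ident="acct-1001")
    bob_acct = Resource("account", owner="bob", ident="acct-1002")
    return {
        "alice_reads_own": authorize(alice, "read", alice_acct)[0],
        "alice_reads_bob": authorize(alice, "read", bob_acct)[0],     # same role, other owner
        "alice_deletes_own": authorize(alice, "delete", alice_acct)[0],
        "teller_reads_bob": authorize(tom, "read", bob_acct)[0],
        "auditor_reads_bob_account": authorize(ann, "read", bob_acct)[0],
    }
```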
What is Authernative’s foundation?
Authernative developed a portfolio of intellectual property giving rise to next-generation technologies and original products. Authernative addresses key security and business challenges of the Identity Management, 3A (authentication, authorization, administration) and Encryption market segments.
How does Authernative address the challenge of Internet authentication?
Authernative’s secure authentication technology provides companies with an effective and economical means of ensuring that access to protected networks and resources is granted to authorized users only, regardless of the network infrastructure or the location of users.
- It provides strong authentication that is highly secure, yet electronically deployable, cost effective, user friendly and convenient.
- It positively identifies the individual attempting to access the network or resource.
- It prevents somebody from assuming the identity of a valid user through the use of a guessed or stolen password.
- It greatly reduces the administration headache and user resistance associated with password management.
- It is a highly scalable, easy-to-implement solution that is well within the technical and financial capability of small and large corporations, often generating a return on investment measured in months.
How secure is Authernative’s solution?
The Authernative AuthGuard® solution offers several legacy and advanced authentication methods to choose from. In particular, the advanced authentication methods utilize customizable Random Partial Shared Secret algorithms that minimize credential entropy leakage and enhance credential combinatorial capacity, for stronger protection against known attacks. The authentication server never challenges the user to provide the full shared secret; instead it requests a session-only random subset of the graphics-based shared secret. This one-time authentication challenge elicits a one-time authentication response that cannot be reused if intercepted by an intruder.
Additional security capabilities include two-channel (out-of-band) authentication, strong mutual authentication, and combinations of authentication factors for layered security or "what the user knows" plus "what the user has" two-factor authentication. AuthGuard® also includes a proprietary client-server session encryption key management system and, separately, an RDBMS- or LDAP-based user store encryption scheme. Each of them protects user authentication credentials. The product also applies SSL to protect the content exchanged between client and server during the communication session. Integrated into one product, these capabilities provide end-to-end security protecting against multiple intruding attacks at credential input devices, on communication lines, and in back-office user stores.
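The exchange described above is a challenge-response over a random subset of a shared secret. The Python below is an added, simplified model written for this page to show two properties such a scheme has: a captured response cannot be replayed, and each session discloses only the challenged positions of the secret. It is not Authernative's algorithm (the page gives no details of it), and the secret string, subset size and seed are constructed values.

```python
import hmac
import random
import secrets


class PartialSecretServer:
    """Server side of a simplified random partial shared secret login.
    Assumption: an illustrative model for this page, not the product's algorithm.
    The server never asks for the whole secret; each session it challenges a fresh
    random subset of positions, and every challenge is single-use."""

    def __init__(self, shared_secret: str, subset_size: int, seed=None):
        self.secret = shared_secret
        self.k = subset_size
        # A real server draws from an unpredictable source; the seed exists only for repeatable tests.
        self.rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
        self.pending = set()    # challenges issued but not yet answered
        self.revealed = set()   # positions disclosed in successful sessions so far

    def challenge(self) -> tuple:
        positions = tuple(sorted(self.rng.sample(range(len(self.secret)), self.k)))
        self.pending.add(positions)
        return positions

    def verify(self, challenge: tuple, response: str) -> bool:
        # Unknown or already-consumed challenges are refused, so an intercepted
        # (challenge, response) pair is worthless when resent.
        if challenge not in self.pending:
            return False
        self.pending.discard(challenge)
        expected = "".join(self.secret[i] for i in challenge)
        ok = hmac.compare_digest(expected.encode(), response.encode())
        if ok:
            self.revealed.update(challenge)
        return ok

    def exposed_fraction(self) -> float:
        """Share of the secret an eavesdropper who saw every successful session now knows."""
        return len(self.revealed) / len(self.secret)


def client_answer(shared_secret: str, challenge: tuple) -> str:
    """What the legitimate user supplies: only the elements at the challenged positions."""
    return "".join(shared_secret[i] for i in challenge)


def demo(seed: int = 7) -> dict:
    secret = "Q7kM2pZx9LwT"           # constructed 12-element shared secret, all elements distinct
    server = PartialSecretServer(secret, subset_size=4, seed=seed)
    c1 = server.challenge()
    r1 = client_answer(secret, c1)
    first = server.verify(c1, r1)       # legitimate login
    replay = server.verify(c1, r1)      # the same pair captured and resent
    c2 = server.challenge()
    stale = server.verify(c2, r1) if c2 != c1 else None   # old answer against a new challenge
    wrong = server.verify(server.challenge(), "????")
    return {"first_login": first, "replay": replay, "stale_answer": stale,
            "wrong_answer": wrong, "exposed_after_one_login": server.exposed_fraction()}
```

The `exposed_fraction` figure is the "entropy leakage" the text refers to: with 4 of 12 positions per session, an eavesdropper learns a third of the secret from one observed login, which is why subset size, secret length and the rate at which secrets are rotated have to be chosen together.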
Why not just use passwords?
Passwords offer inadequate security and have hidden costs. Passwords do not assure the conclusive identity of users that is so necessary for access to sensitive, valuable, or private information or transactions. The risks associated with passwords are many and well known (see the list below). Other issues with passwords are the high costs and complexities required to make them secure. Because of the weak security of passwords, organizations typically require users to choose longer or more complex passwords and to change them frequently. This creates administration and maintenance complexities and hassles both for the organization and for the end user, resulting in higher operating and hidden costs as well as productivity loss.
Forgotten passwords: Users forget passwords, leading to a potentially high administrative overhead (as high as 40 percent of help desk calls in some organizations) or costly self-service password reset solutions.
Shared passwords: Users might share passwords with colleagues to shortcut access control request procedures. This might not expose the system to an attacker, but it does destroy accountability.
Weak passwords: Users tend to choose passwords that are easily remembered and so easily guessed or vulnerable to a "dictionary attack," which uses a brute-force technique of successively trying all the words in some large, exhaustive list.
Written-down passwords: Users write down passwords where they can be found by an attacker, in the worst case on notes stuck to workstations or in a document file stored on the computer.
Innocently given out: An attacker might use social engineering, employing some kind of confidence trick to persuade the user to reveal the password or a help desk operator to reset the user's password.
Monitored passwords during login: An attacker might simply observe a user keying in a password, monitor it through video surveillance, or record keyboard strokes.
Intercepted passwords: An attacker can intercept clear-text passwords sent over public electronic networks (like the Internet) at multiple "access points". Intercepted hashed passwords can be compromised by offline dictionary or brute-force attacks.
Electronically stolen passwords: If an attacker can place malicious software on the user's workstation or the organization's network, it can discover user names and passwords and e-mail them to the attacker.
Compromised password files: The confidentiality of passwords in the authentication database must be ensured (usually using one-way encryption). Even with encryption, passwords are vulnerable to password-cracking tools.
Difficult to detect password misuse: With most of these vulnerabilities, it is difficult to detect if or when a password has been compromised.
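The "compromised password files" and "weak passwords" entries above, and the dictionary attack in the earlier attack list, all come down to how passwords are stored and what users are allowed to choose. The Python below is an added example, not the page's or the product's code. It stores passwords as salted, iterated PBKDF2-HMAC-SHA256 records, so identical passwords produce different stored values and each guess against a stolen file costs the full iteration count, and it refuses at enrollment any password found in a dictionary, including trivial case and trailing-digit variants. The word list is a constructed stand-in for a real leaked-password list.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "large, comprehensive list" a cracking tool would use.
# A production check uses a list of millions of leaked passwords.
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein", "welcome", "summer2024"})

PBKDF2_ITERATIONS = 600_000   # deliberately slow: every guess against a stolen record pays this


def is_dictionary_word(password: str, wordlist=COMMON_PASSWORDS) -> bool:
    """True if the password, or a trivial variant of it, is in the wordlist.
    Lower-casing and stripping trailing digits/punctuation catches 'Welcome1!'."""
    lowered = password.lower()
    base = lowered.rstrip("0123456789!@#$%")
    return lowered in wordlist or base in wordlist


def enroll(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Create the stored record 'algorithm$iterations$salt$derived-key' (salt and key in hex).
    Refuses dictionary words so the stored value is not a foregone conclusion to a cracker."""
    if is_dictionary_word(password):
        raise ValueError("password appears in the dictionary")
    salt = os.urandom(16)    # per-user random salt: equal passwords -> different records
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

Storing the iteration count in the record lets the cost be raised later for new enrollments without breaking existing ones, and the constant-time comparison avoids leaking how many bytes of a guess matched.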
Why not just use hardware tokens?
Ubiquitous Internet resources, transactions, and applications are accessed by a large number of users dispersed around the world. The costs, hassles, and inconvenience of acquiring, distributing, and maintaining hardware tokens for mass users make them an impractical solution. The reasons are:
- Hardware tokens are difficult and/or costly to distribute securely.
- They require manual distribution.
- They must be carried by the user, which is inconvenient.
- Customers cannot be forced to carry or use hardware tokens.
- Tokens may require appropriate peripherals, readers and/or software on the workstation.
- They are impractical for mass deployment.
- They are a hassle to replace.
- A hardware token may be lost or stolen, possibly without the user’s knowledge.
- Software tokens have a particular risk: a software token alone authenticates the workstation, not the user.
- Challenge/response hardware tokens increase the number of steps for the user.
Why not just use smart cards?
Ubiquitous Internet resources, transactions, and applications are accessed by a large number of users dispersed around the world. The costs, hassles, and inconvenience of acquiring, distributing, and maintaining smart cards for mass users make them impractical. The reasons are:
- Smart card security has been known to be compromised.
- Smart cards require the user’s device to include a smart card reader.
- Smart card readers are costly and not widely built into devices, requiring the user to purchase and install them.
- Smart cards are difficult and/or costly to distribute securely.
- Smart cards require manual distribution.
- Smart cards must be carried by the user, which is inconvenient.
- Customers cannot be forced to carry or use smart cards.
- Mobile end-users’ access to smart card readers is even more problematic.
- Smart cards are impractical for mass deployment.
- They are a hassle to replace.
- A smart card may be lost, stolen, or left or forgotten in the workstation.
- PIN protection is clearly indicated, but even so, strong two-factor authentication has been reduced to a single factor: anyone with physical access to the smart card need only discover the user’s PIN to be able to masquerade as that user.
- Smart card authentication conflicts with the accepted Internet model for application use, where the end-user simply needs a browser.
Why not just use biometrics?
There are several reasons why biometrics is an impractical solution.
- Biometric authentication is known to have been compromised.
- It requires biometric devices that are expensive and as yet not sufficiently reliable.
- Biometric devices are costly and not widely built into user devices, requiring the user to purchase and install them.
- User acceptance is an issue, especially with regard to privacy, religious, and civil rights concerns.
- Biometric authentication relies on close matches. Depending on the match required, a bogus user might be falsely accepted or a legitimate user might be falsely rejected. False acceptance rates and false rejection rates require balancing security against ease of use.
- The biometric characteristic itself might change from time to time. For example, a person’s voice may change if he or she is not feeling well. The sample might vary depending on how the scanner is used. How close a match is required to verify a user depends on what biometric technology is used and how it is configured in a particular implementation.
- An organization must ensure that scanners cannot be fooled by prosthetics, images, and so on.
- Between one and three percent of the public does not have the body part required for any one biometric.
- Is a biometric truly unique? DNA, for example, is shared by identical twins. Is the encoded sample unique? Poor resolution or a poor algorithm might give rise to samples that collide.
- Once a biometric trait is compromised, it cannot be reissued. Furthermore, a user will tend to use the same finger, iris, etc., with different systems using the same biometric technique. If the biometric trait is compromised on one system, all systems are exposed. Even an encrypted biometric password may be “cracked” years in the future, which would render that password useless.
- Confidentiality of the user's biometric sample and template is crucial and must be robust over the lifetime of the user. That is, any cryptography must be designed to withstand foreseeable cryptanalysis 30 to 40 years from now, so it will most likely involve unusually long keys.
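To make the false-acceptance / false-rejection trade-off in the list above concrete, the following Python (an added example, not from the original page) computes both rates for a verification threshold over constructed genuine and impostor match scores, finds the threshold at which the two rates are equal, and shows what a tighter security requirement (a lower ceiling on false acceptance) costs in legitimate users turned away. The score values are constructed; a real matcher's distributions come from its own evaluation data.

```python
# Constructed similarity scores in [0, 1] for one biometric matcher:
# GENUINE  = legitimate users compared against their own enrolled template,
# IMPOSTOR = other people's samples compared against that template.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.85, 0.93, 0.70, 0.89, 0.96, 0.82]
IMPOSTOR = [0.32, 0.45, 0.51, 0.28, 0.73, 0.39, 0.60, 0.48, 0.81, 0.35]


def error_rates(genuine, impostor, threshold):
    """A sample is accepted when its score >= threshold.
    FAR: share of impostor attempts accepted.  FRR: share of genuine attempts rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_threshold(genuine, impostor):
    """Threshold at which FAR and FRR are closest (the equal error rate operating point).
    Only observed scores need to be tried: the rates change nowhere else."""
    candidates = sorted(set(genuine) | set(impostor))

    def gap(t):
        far, frr = error_rates(genuine, impostor, t)
        return abs(far - frr)

    return min(candidates, key=gap)


def threshold_for_far_ceiling(genuine, impostor, max_far):
    """Lowest threshold (least friction for users) whose FAR does not exceed max_far.
    Returns (threshold, far, frr) so the usability cost of the security setting is visible."""
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None
```

On these constructed scores the two rates meet at a threshold of 0.79 (10% each way); insisting on zero false acceptances pushes the threshold to 0.82 and rejects 20% of genuine attempts, which is the balancing act the bullet describes.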
What is unique about Authernative’s authentication technology?
Authernative’s solution is the first commercial offering providing multiple legacy and advanced innovative authentication methods integrated into a single web-based login GUI console. Particular authentication methods can be mandated by the system administrator or made available for end-users to select themselves. This flexibility allows the level of security and the ease of use to be personalized to the user’s needs or the company’s policies. The legacy, one-time challenge-response, multi-channel, multi-factor and mutual authentication methods allow the level of security and usability to be scaled to meet any range of authentication requirements in an electronically deployable and cost-effective manner. The web login console also includes self-service capabilities allowing users to establish and set up their account and self-reset their credentials without contacting the help desk. The result is an easy-to-use, scalable security solution with a low total cost of purchase, deployment and management.
What is unique about Authernative’s authorization technology?
Authernative’s authorization technology incorporates multiple layers of security, including native integration with our own authentication engine, client- and server-side early-stage intrusion detection, and encryption schemes. These proprietary strong security layers enhance the product’s resource protection (authorization) engine. Authernative’s authorization engine enforces user privileges and rights across domains and enterprise environments to protect any network resource or corporate data, managing all your users, roles, groups, and security policies.
How does Authernative’s authentication compare to other types of solutions?
Security technology is fast becoming a priority for any company in the New Economy, as the number and frequency of security breaches, vicious virus attacks and cyber-attacks skyrocket. A large number of vendors offer various authentication solutions. Here is how Authernative compares to them (an X marks a property the solution offers):
| | Passwords | Tokens | Smart Cards | Biometrics | PKI | Authernative |
| Inexpensive | X | | | | | X |
| Low total cost of ownership | X | | | | | X |
| High security level | | X | X | X | | X |
| Infrastructure neutral | X | X | | | | X |
| No additional hardware required | X | | | | | X |
| Electronic deployment | X | | | | X | X |
| Internet-scale performance | X | | | | X | X |
| 100% portable (roaming) | X | X | X | | | X |
| Ease of use | X | | | | X | X |
| Not user intrusive | X | | | | X | X |
| No separate encryption needed | | | | | X | X |
| Easy match to other methods | X | | | | X | X |
| Does not rely on third parties | X | X | X | X | | X |
| Mass deployable | X | | | | | X |
What are the mandatory requirements for business IT security?
In the past several years there have been a growing number of international, federal, and state regulations passed to increase security, protect consumer privacy against fraud and cyber-terrorism, and enact audit and reporting controls. The common compliance factor of these regulations requires that network resource access security systems know who users are and make reasonable efforts to tightly authenticate those users. Once a system knows who the user is, it must then know what the user is permitted to do online. After that, the system is expected to record what the user has done and to provide an auditable record that reconciles the user’s privileges and actions.
Unsecured enterprises will face civil liability as well as higher costs from poorly administered, expensive security programs, intellectual property losses, theft and lawsuits. Superior security will become a competitive advantage, and poor security will be increasingly disadvantageous.
Why do you need online self-reset of authentication credentials?
Productivity and support costs are the main issues when it comes to calling the help desk to reset authentication credentials.
Users who forget their passwords waste time trying to log in, calling the help desk and waiting for service, proving their identity, and waiting for a password reset. Each problem incident may consume 20-30 minutes of the user’s time per authentication credential. In many organizations, users experience this problem 2-4 times annually. In a large user population, this generates a huge volume of user problems and help desk calls. These calls normally represent 30% to 40% of total help desk call volume, with an estimated cost of $20-$60 per incident.
Allowing the user to self-manage a password reset from any PC at any time, without calling the help desk, significantly reduces productivity loss and support costs.
Why do you need online account setup capabilities?
By leveraging the power, efficiency, and mass reach of the Internet, organizations can save enormous amounts of administrative time by allowing users to enroll themselves. Users are able to create accounts online, including login IDs and authentication data, as well as enter the personal profile information required by human resources or administration departments. Such personal profiles can then be utilized for further security assurance if the user wants to update or self-reset forgotten authentication credentials online. Accounts set up online are placed on hold and not released until the enterprise security check is completed and the user’s authorization to protected network resources is configured.
Why do you need automated security and system administration event logs / databases?
In order to provide accountability, non-repudiation, audit trails and proper reporting, and to meet regulatory requirements, the system is expected to record what the user or administrator has done, and to provide an auditable record that helps reconcile one’s privileges and actions.
Why do you need encryption of authentication credentials on communication lines?
Public electronic networks (like the Internet) have multiple "access points" at which digital information can be intercepted and exposed to powerful offline computer-processing attacks. It is especially dangerous when user authentication credentials are deciphered, giving an intruder (or an intruding organization) illegal network access. After the authentication part of a communication session has passed, other data, follow-on messages exchanged or files transferred, can be compromised the same way as authentication credentials. In both cases, encryption of data in transit on communication lines is the only line of defense, and it is only as strong as the encryption itself.