Month: March 2017
Authentication and risk
Risk-based authentication plays an important role in many scenarios such as information access and use, fraud detection, device protection, and secure hardware and software product development. Risk-based authentication often works behind the scenes and its use is well established in banks and other financial institutions (Breitenfeld, 2011). Below are two scenarios related to risk-based authentication.
Fraud Detection. Companies such as Experian have deep experience in the use of risk-based methodologies to authenticate identity (Breitenfeld, 2011). Authentication schemes involve the establishment of an authentication score and use of layered identity correlation with knowledge challenges. The goal is confirm a correct identity with a high probability of assurance and minimize the risk of identity theft. Credit card and banking transactions are long-time consumers of risk-based authentication to reduce fraud and financial loss. With the advent of the Internet, the same methodologies are now used to detect and alert individuals of possible suspicious activity. Risk-based authentication provides ecosystem reduction in the wrongful manipulation of identity.
Improved Identity Detection. Internet authentication schemes often rely on basic information such as device type or IP address to establish individual identity (Traore, Woungang, Obaidat, Nakkabi, & Lai, 2012). This type of information can be fabricated by attackers looking to disguise their identity or may his the identity of an attacker who controls a compromised computer (Federal Trade Commission, 2013). To address this type of risk, keyboard or mouse use as well as other use behaviors may provide a secondary form of authentication (Traore, Woungang, Obaidat, Nakkabi, & Lai, 2012). The issue with user behavior is that a system must be well-trained to identify an individual and then potentially block behaviors that are not consistent with an individual. As biometric technology evolves, biometrics may combine with user behavior to provide higher assurance of identity. Biometrics provides a strong correlator for authentication and may deliver benefits such as ease of use (Boriev, Sokolov, & Nyrkov, 2015).
The Risk of Risk: Protecting Access
Reliance of risk-based authentication should not be confused with replacement of access controls. Smart cards and other methods of authentication are often coupled with access controls to automate the process of identity establishment and authorized resource access (Boriev, Sokolov, & Nyrkov, 2015). Access controls can also be associated with the ability conduct certain operations such as payroll or bank account access. Risk-based analysis should not be limited to authentication. Risk-based analysis should extend to suspicious activity such as transferring funds that are outside typical parameters (Breitenfeld, 2011). As device and software designers focus on authentication, risk analysis should extend through to access controls and resource usage to further mitigate overall system risks.
References
Boriev, Z. V., Sokolov, S. S., & Nyrkov, A. P. (2015). Review of modern biometric user authentication and their development prospects. In IOP Conference Series: Materials Science and Engineering (Vol. 91, No. 1, p. 012063). IOP Publishing.
Breitenfeld, K. (2011). Positive identity. Public CIO, 9(3), 34-38.
Federal Trade Commission. (2013). Taking charge: What to do if your identity is stolen. April),(accessed March 4, 2014),[available at http://www. consumer. ftc. gov/articles/pdf-0009-taking-charge. pdf].
Traore, I., Woungang, I., Obaidat, M. S., Nakkabi, Y., & Lai, I. (2012, November). Combining mouse and keystroke dynamics biometrics for risk-based authentication in web environments. In Digital Home (ICDH), 2012 Fourth International Conference on (pp. 138-145). IEEE.
Streamlining an authentication solution
The marketplace for authentication services is a multi-billion dollar market (Bonderud, 2014). Organizations such as the U.S. Department of Homeland security are purportedly spending $7 billion dollars on the implementation of authentication systems. The National Institute of Standards and Technology (NIST) has highlighted the availability of these services as worth consideration for federal agencies (NIST, 2011). Authentication systems contain a mix of password, biometric, token and encryption key options that enable flexibility in choice of solutions. The difficulty for many organizations is defining authentication needs given the complexity of information systems, assets and users. With appropriate consideration of organizational requirements, the process of authentication management can be streamlined. This process however can be an arduous process (Bonneau, Herley, Van Oorschot, & Stajano, 2015).
Authentication System Requirements
Design of an authentication system may include the following criteria which are often discussed in context of biometric authentication, but may apply to analysis of an organization’s overall authentication requirements (Sharma, Kapoor, & Dhillion, 2013; Goodrich & Tamassia, 2011). The goal of appropriate analysis should be the definition of a sustainable authentication system that permits efficient management and adaption for technological change. Through consideration of multiple criteria in defining requirements, a multi-dimensional authentication system could be identified (Oltsik, 2014).
- The method or biometric attribute should be global. For example, it is assumed that all individuals have fingerprint. The ability to enter passwords could also be considered global.
- Authentication attributes must be unique. Again the fingerprint is an example of uniqueness. Another example would be the assumed uniqueness of phone numbers or mobile device physical IDs.
- An attribute does not change. For biometrics such as an iris scan, this attribute may apply, but mobile devices and passwords are not permanent.
- An attribute should be reasonable to obtain. An example would be the Apple iPhone’s button-based fingerprint scanner. The scanner matches a provided fingerprint to a stored copy within seconds as a means to unlock the phone for access.
- A characteristic can be measured without inconveniencing a user. An example would be a biometric scanner for an electronic health records system (EHR). Authentication would not interfere with medical staff use of EHR.
- An attribute should contain the necessary accuracy.
- Alternatives should exist to accommodate human impairment or inability to comply with existing authentication (e.g., lack of a fingerprint).
Watch-outs
Streamlining and automating authentication have risks that should be evaluated and addressed as part of authentication implementations. Listed below are several factors to consider for a secure authentication process.
An organization is still responsible, even with outsourcing. Service providers such as Amazon Web Services (AWS) address requirements definition in the context of a shared responsibility model (Todorov & Ozkan, 2013). AWS clients are responsible for defining and managing their systems within the AWS architecture. When additional layers of security such as authentication are required, AWS or other vendors’ services are the client’s responsibility. Whether an organization has full control over their physical computing assets or utilizes cloud computing, an organization has ultimate responsibility for authentication. This includes policies, administration, monitoring, and risk assessment.
Do not build a home-grown system. Open-source web application vulnerability group OWASP (2013) has identified authentication bypass and session management as a top security vulnerability for web applications. Authentication services are available in may forms that permit ease of access and management. For example, the software development framework Ruby on Rails (n.d.) has several programmatic options for use authentication. External options should be thoroughly vetted, but external options have a higher likelihood of proper development by individuals who understand authentication. A home-grown solution should only be considered if there is sufficient capability and skill to create a system. External testing and validation should be required for securing authentication.
Authentication may require a mix of providers and managed solution(s). Passwords are a significant form of authentication, but users are increasingly interested in other options due to data breaches such as Yahoo (NCSA, 2016). Since passwords were first used, authentication by password management has developed substantial systemic complexity (Vacca, 2013). As users have become open to more options and newer avenues to authentication have evolved, organizations have the opportunity to examine many options including vendors known as managed authentication service vendors that streamline the authentication management challenge (ILS Technology, 2008). It is important to centrally align and manage authentication policies , procedures, and technology choices.
References
Bonderud, D. (2014, August). Multifactor authentication market to be worth $10 billion by 2017 — But is the model all wrong? Security Intelligence. Retrieved from https://securityintelligence.com/news/multifactor-authentication-market-worth-10-billion-2017-model-wrong/
Bonneau, J., Herley, C., Van Oorschot, P. C., & Stajano, F. (2015). Passwords and the evolution of imperfect authentication. Communications Of The ACM, 58(7), 78-87. doi:10.1145/269939
Goodrich, M. T., & Tamassia, R. (2011). Introduction to computer security. Boston: Pearson
ILS Technology. (2008). ILS technology releases authentication managed service enhancement for secureWISE. Business Wire. Retrieved from http://www.businesswire.com/news/home/20081202005560/en/ILS-Technology-Releases-Authentication-Managed-Service-Enhancement
National Cybersecurity Alliance (NCSA). (2016). Lock down your login. Retrieved from https://stopthinkconnect.org/campaigns/lock-down-your-login
National Institute of Standards and Technology (NIST). (2011, December 21). NIST special publication expands government authentication options. ScienceDaily. Retrieved October 6, 2016 from www.sciencedaily.com/releases/2011/12/111221105829.htm
Oltsik, J. (2014). BYOA: Bring your own authentication (opinion). Network World. Retrieved from http://www.networkworld.com/article/2458760/security0/byoa-bring-your-own-authentication.html
OWASP. (2013). Top 10 2013. Retrieved from https://www.owasp.org/index.php/Top_10_2013-Top_10
Ruby on Rails [computer software]. (n.d.) Rails authentication. Retrieved from https://www.ruby-toolbox.com/categories/rails_authentication
Sharma, Kapoor, & Dhillon. (2013). Design of biometric authentication system using three basic human traits. International Journal of Science and Research (IJSR). Retrieved from http://www.ijsr.net/archive/v5i1/12011602.pdf
Todorov & Ozkan. (2013). Amazon Web Services – AWS security best practices (white paper). Retrieved from http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf

