If you've ever witnessed an internet café patron whip out a doodad with a constantly changing number on it and thought 'what on earth is that', you're not the only one.
That person was most likely using said doodad to securely log into their bank's website or their company VPN; you can now tell yourself that you've encountered two-factor authentication in the wild.
By now two-factor authentication is a mature technology. The first major attempts at two-factor authentication entered the market around late 2005, but few Australians other than those who need it to log into a multinational's VPN have had any use for the tech.
But this seems set to change. Several Australian credit unions are reported to have signed on, while banks including St George have recently begun to roll out the technology.
What's the point?
The technology arises from the deficiencies of your everyday authentication systems that require only a username and a password to verify a person's identity. Such systems are easily fooled: remote hackers can intercept your login details and nasty coworkers can steal the piece of paper that you've unwisely scrawled your password on.
Two-factor authentication simply asks for more information — in particular, information of a different kind. While a password is an example of something 'that you know', these systems might ask for something 'that you have' or 'that you are'. For example, some ask for a retinal scan in addition to a password; it's easy to steal a password, but hard to present someone else's eye to a scanner (though those of you who have seen Demolition Man may disagree).
More commonly (and thankfully with less potential for bodily harm), users simply carry a small 'token' — the café guy's doodad — with a constantly changing number code. When they log into their VPN or their bank's website, they enter in their password as usual (a 'what you know') and then enter the code currently on their doodad (a 'what you have').
There are many tokens, but this one is mine
These tokens can take many form factors, including but not limited to key rings and credit card-sized cards. They fall into two main categories: event based and time based.
1. Event based
These tokens generate a new code whenever a button is pressed on the token. At each authentication the server ticks onto the next code in the sequence, and the user is directed to hit the button to get a new code. If the code entered matches the code on the server, authentication is granted. The system works because the server and the token both started with the same 'seed' or 'shared secret', from which all subsequent codes are generated, and because the server's count is assumed to stay in step with the token's button presses.
2. Time based
Each time-based token contains a tiny clock. At regular intervals (often 30 or 60 seconds), the token uses an algorithm — unique to each token — to generate a new code based on the time. This code is valid only for a short window. As with the event-based tokens, this code is entered alongside a password to gain authentication.
The main difference between the two types is security: event-based tokens are less secure than time-based ones, because the codes they generate remain valid until they are used. If a hacker acquires a code from an event-based token, and also has the victim's password, the code stays usable until the victim uses it. With a time-based token, however, the hacker has at most a few minutes to do the deed.
Lag can present a problem for time-based tokens. If you're in the Antarctic, for example, and the combination of bad ping, low bandwidth and a noisy link means it takes a minute for your code to reach the server, then time-based codes probably won't work for you.
Robin Balean, solutions architect for VeriSign Australia, quite rightly identifies this scenario as improbable.
"It is highly unlikely that a user's internet connection would be so slow that this time would be exceeded, particularly considering the small amount of data that needs to be transmitted," he says, suggesting that event-based tokens would be better in such a situation.
RSA's offering is able to account for such situations, according to Greg Singh, principal consultant at the company.
"RSA Authentication Manager can adapt organically to cater for attempts to authenticate that consistently arrive late," he says.
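To make the two token types concrete, here is an added illustration in Python (not code from this article, nor from VeriSign, RSA or any other vendor it quotes). It implements the openly specified event-based and time-based algorithms, HOTP (RFC 4226) and TOTP (RFC 6238), rather than any vendor's proprietary scheme, together with a toy server side for each. The server code shows the points above: an event-based code stays valid until it is consumed, a time-based code is accepted only within a small window around the current time step, a used code is rejected on replay, and a per-token 'drift' offset lets the server keep accepting a token whose codes consistently arrive late. That drift adjustment is the simplest possible assumption about how such adaptation could work, not RSA's actual mechanism; the seed value and timestamp are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Shared secret ("seed") loaded into both the token and the server when the
# token is provisioned. Constructed demo value; a real seed is random and
# unique to each token.
SEED = b"constructed-demo-seed-0123456789"
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 event-based code: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer and reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = DIGITS) -> str:
    """RFC 6238 time-based code: HOTP whose 'counter' is the number of
    `step`-second intervals elapsed since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


class EventTokenServer:
    """Server-side state for an event-based token: the next expected counter."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0              # next counter value the server expects
        self.look_ahead = look_ahead  # tolerate a few unused button presses

    def verify(self, code: str) -> bool:
        # Nothing here depends on time: a captured code stays valid until consumed.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # step past the used code so it cannot be replayed
                return True
        return False


class TimeTokenServer:
    """Server-side state for a time-based token: window, used steps, learned drift."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window  # accept codes from +/- this many steps around 'now'
        self.drift = 0        # offset (in steps) learned from a consistently late/early token
        self.last_step = -1   # highest time step whose code has already been accepted

    def verify(self, code: str, now: int) -> bool:
        base = now // self.step + self.drift
        for delta in range(-self.window, self.window + 1):
            candidate = base + delta
            if candidate <= self.last_step:
                continue  # that step's code (or an older one) was already used: replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                self.drift += delta  # remember where this token's clock sits vs ours
                return True
        return False  # wrong code, or it arrived outside the accepted window


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    ev = EventTokenServer(SEED)
    first = hotp(SEED, 0)
    print("event code accepted:", ev.verify(first), "| replayed:", ev.verify(first))
    tm = TimeTokenServer(SEED)
    print("time code accepted on time:", tm.verify(totp(SEED, now), now))
    late = totp(SEED, now + 60)
    print("fresh time code presented five minutes late:", tm.verify(late, now + 360))
```

The event-based server only advances its counter when a code is accepted, which is exactly why a code copied from such a token remains useful to an attacker until the legitimate user spends it. The time-based server rejects the same code once its time step has passed the window, and because the learned drift shifts the window rather than widening it, a token whose codes always arrive one step late keeps working without the server accepting any more codes than before.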
Securely lazy
The beauty of two-factor authentication is that if one form of authentication is compromised, the bad guy can't pretend to be you.
"Even if the user is 'lazy' and lets the token (something he has) fall into a bad guy's hands, he still does not have the second factor: an easy-to-remember user PIN," explains Stuart Rauch, director of product marketing at Secure Computing.
Also, as VeriSign's Balean points out, the constantly changing codes of time-based two-factor authentication mean that if an interloper manages to get hold of your code and get into your bank account, they won't be able to do so again, as the required code would be different almost immediately. But that's small consolation if they've already emptied your bank accounts.
The real problem for two-factor authentication lies in human error. This is how attackers swindled a Swedish bank's two-factor authentication system into coughing up a small fortune — somewhere in the vicinity of 8 million Swedish krona (around $2 million).
Like a traditional phishing scam, the bad guys set up a web page that was indistinguishable from the real deal. They then directed their targets to log into the fake website with their account details.
But instead of waiting a few days before using the details, the fraudsters used the information as soon as they got it. They were therefore able to log in before the code expired and subsequently flee into the distance carrying bags of money. Such a real-time operation is known as a 'man-in-the-middle' attack.
According to Balean, organisations could parry such an attack by demanding authentication at every transaction, requiring users to input a new code every time they did something. So unless the man-in-the-middle had a hidden camera pointing at the user's token, they would be unable to do more than simply log in.
NEXT TIME: Does two-factor authentication spell doodad overload?