download issue 27 here - Help Net Security
Common web single sign-on and authentication solutions customarily separate documents by required authentication level, and at least two common systems, IBM Tivoli Access Manager and Computer Associates SiteMinder, support step-up authentication using phone-based authentication. Defining the appropriate level of access granularity in an application can be difficult. Security administrators have to balance the desire for authentication security against users' desire not to be excessively bothered by re-authentication requests during the normal course of business.
Various additional tools can be brought to bear to make the common usage scenarios convenient for the user while still maintaining an appropriate level of security, including IP-based whitelists for authentications coming from trusted corporate computers, and transaction authentication caching, that is, not re-authenticating successive similar transactions. For example, it may make sense not to re-authenticate an ACH transfer to a given destination account after the first authentication succeeds.
Transaction verification can be implemented in a number of ways. We have described phone authentication as one possibility; another is SMS-based authentication, where the details of the transaction are sent via SMS text message to a user's mobile phone. The user then replies to the SMS message out-of-band to confirm the transaction. In addition, there are various smart card-based solutions that do full transaction data signing, although they haven't seen wide deployment to date due to cost and logistical considerations.

These systems generally involve the use of a smart card together with a special-purpose smart card reader with a numeric keypad that can be used to enter and sign transaction details.
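The step-up policy sketched in the preceding paragraphs (a trusted-IP whitelist, a cache that stops re-authenticating a transaction to an already approved destination account, and an out-of-band confirmation that is tied to the exact transaction details) can be combined in a small service. The following Python is an added example written for this page; it is not PhoneFactor's or any vendor's code, and the risk classes, the cache and challenge lifetimes, and the transaction fields are assumptions chosen for illustration.

```python
import secrets
from dataclasses import dataclass

# Transaction types the policy treats as high-risk (assumed list for this example).
HIGH_RISK = {"ach_transfer", "wire_transfer", "add_payee"}


@dataclass(frozen=True)
class Transaction:
    """The details the user must see and approve. frozen=True gives value equality."""
    user: str
    kind: str
    destination: str    # destination account
    amount_cents: int


class TransactionVerifier:
    """Step-up policy plus out-of-band challenge/response for individual transactions.

    The current time is passed in explicitly so the logic is deterministic and testable.
    """

    def __init__(self, trusted_ips=(), cache_ttl=900, challenge_ttl=300):
        self.trusted_ips = set(trusted_ips)
        self.cache_ttl = cache_ttl          # how long an approved destination stays approved
        self.challenge_ttl = challenge_ttl  # how long the user has to reply
        self._approved = {}   # (user, kind, destination) -> expiry time
        self._pending = {}    # challenge id -> (Transaction, expiry time, code)

    def requires_verification(self, tx, source_ip, now):
        """Apply the rule set: trusted network first, then risk class, then the approval cache."""
        if source_ip in self.trusted_ips:
            return False                     # IP whitelist for trusted corporate computers
        if tx.kind not in HIGH_RISK:
            return False                     # ordinary activity never steps up
        expiry = self._approved.get((tx.user, tx.kind, tx.destination))
        return expiry is None or expiry <= now   # re-verify once the cached approval lapses

    def issue_challenge(self, tx, now):
        """Create a one-time code and the message that goes out-of-band (e.g. by SMS).

        The message repeats the transaction details so the user confirms what the server
        will actually execute, not what an in-line attacker showed in the browser.
        """
        code = f"{secrets.randbelow(10 ** 6):06d}"
        challenge_id = secrets.token_hex(8)
        self._pending[challenge_id] = (tx, now + self.challenge_ttl, code)
        message = (f"Confirm {tx.kind} of ${tx.amount_cents / 100:.2f} "
                   f"to account {tx.destination}? Reply {code} to approve.")
        # The code is returned only so this example can simulate the user's reply;
        # a real service would deliver it to the phone and keep it server-side.
        return challenge_id, message, code

    def confirm(self, challenge_id, reply_code, tx, now):
        """Consume the challenge; succeed only for the exact transaction it was issued for."""
        entry = self._pending.pop(challenge_id, None)   # single use, even on failure
        if entry is None:
            return False
        pending_tx, expiry, code = entry
        if now > expiry:
            return False
        if pending_tx != tx:
            return False   # details changed in flight: the approval does not carry over
        if not secrets.compare_digest(code, reply_code):
            return False
        self._approved[(tx.user, tx.kind, tx.destination)] = now + self.cache_ttl
        return True


if __name__ == "__main__":
    # Constructed walk-through: an ACH transfer from an untrusted address.
    verifier = TransactionVerifier(trusted_ips={"10.0.0.5"})
    tx = Transaction("alice", "ach_transfer", "12345678", 250000)
    print("step-up needed:", verifier.requires_verification(tx, "203.0.113.9", now=1000))
    cid, message, code = verifier.issue_challenge(tx, now=1000)
    print("out-of-band message:", message)
    print("approved:", verifier.confirm(cid, code, tx, now=1010))
    print("step-up needed again:", verifier.requires_verification(tx, "203.0.113.9", now=1100))
```

The confirmation is bound to the `Transaction` value, so a reply that approves "$2,500 to account 12345678" cannot be replayed against a transfer whose destination or amount was altered between the browser and the server, and the cached approval is keyed on the destination account exactly as the ACH example above suggests.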
There are a variety of challenges involved in transaction verification. Most applications (outside of certain government situations) lack the concept of transaction or event confirmation. These applications simply don't have a mechanism for requesting authentication at arbitrary points within the workflow. Applications such as these will require either source code modifications or a proxy solution.
Beyond the basic capability, setting up a system for transaction confirmation can be tricky, because of the potentially complex rule set dictating when additional authentication is necessary and the tension between ease of use and authentication security. Centralized access management systems can be of help in heterogeneous web environments, but security administrators are largely left on their own when dealing with individual line-of-business applications.
Going forward
The world has changed. Cybercriminals are making an excellent living attacking authentication systems, and security administrators have the difficult task of defending the users against these attacks. So, where do we go from here? Companies should include a comprehensive authentication security analysis in the planning stage of every significant new application that the organization deploys. Try to focus on applications that have support for granular, event-based authentication, or consider proxy-based solutions. Look to out-of-band authentication methods to protect against in-line threats.
Finally, start analyzing existing applications for potential weaknesses in the authentication architecture. Transactions that are particularly high-risk should be protected by transaction verification; press vendors for transaction verification support or add it yourself.
Steve Dispensa is CTO & co-founder of PhoneFactor (www.phonefactor.com). His many accomplishments include designing one of the world's first broadband wireless Internet networks for Sprint, as well as being a five-time winner of the Microsoft Most Valuable Professional award. Steve, along with PhoneFactor developer Marsh Ray, recently discovered the TLS/SSL Authentication Gap, a major vulnerability in SSL authentication making it vulnerable to man-in-the-middle attacks.
www.insecuremag.com 21