Mobile phones in our daily lives

With hackers becoming increasingly determined and more effective, it pays to add the extra level of security provided by 2FA.

Given the proliferation of mobile phones (either personal or business phones) and the natural habits of users to keep their mobile device with them at almost every moment of the day, it is perhaps no surprise that Goode Intelligence recently revealed some telling statistics. Goode found that 40% of organisations plan to deploy services that will enable employees to use their mobile phone as a remote access authentication device by the end of 2011.¹ It seems that the idea of mobile tokenless two-factor authentication is coming to the fore.

Why Mobile Two-Factor Authentication Makes Sense in 2011

Although technology never stops evolving, sometimes it takes its time. Often for good reason: new operating systems need to be assessed for compatibility before being rolled out across an organisation, and numerous technologies have been vigorously touted as the Next Big Thing. Virtualization has been held back by connectivity limitations; the cloud has suffered from the same drawbacks, as the omnipresent connectivity that was promised and has yet to materialise.

Two-factor authentication (2FA) has been declared as the saviour of computer security for a good few years, but business users haven’t quite taken to the technology as quickly as expected. This is for one very powerful reason: inconvenience. 2FA forces users to significantly change their habits, for example having to remember to carry a physical passcode token at all times or get through the time-consuming process of obtaining the passcode through other means.

Ultimately, regularly used computer security systems need to recognise the importance of usability and allowing users to get on with the job at hand without having an excessive number of hoops to jump through. This is where tokenless two-factor authentication comes in. Two-factor authentication (2FA) adds an additional layer of security to the process by requiring a separate passcode in addition to a PIN or other secret information to be entered when the user is resetting their password.

Mobile phones in our daily lives

With hackers becoming increasingly determined and more effective, it pays to add the extra level of security provided by 2FA (for more detail on why mobile 2FA is an effective measure, see ‘The threat of brute force attacks’ below). With tokenless two-factor authentication, users have a new and convenient way to authenticate for remote access or reset their password and validate their identity, regardless of where they are in the world by sending a one-time two factor authentication passcode to the user’s personal mobile phone via SMS. In addition, SMS messages can be sent seven days before (and the same day) that a user’s password expires.

Given the proliferation of mobile phones (either personal or business phones) and the natural habits of users to keep their mobile device with them at almost every moment of the day, it is perhaps no surprise that Goode Intelligence recently revealed some telling statistics. Goode found that 40% of organisations plan to deploy services that will enable employees to use their mobile phone as a remote access authentication device by the end of 2011.¹ It seems that the idea of mobile tokenless two-factor authentication is coming to the fore.

At the end of 2010, we once again saw another satellite picture of Europe covered in a blanket of snow. Mobile and home working is here to stay, and inclement weather conditions make it all the more viable as a way for companies to maintain productivity even when the transport infrastructure is failing to cope. It’s becoming a cliché to make this connection, but the fact remains that working from home is both popular and, sometimes, the only option for continuing business. Remote access has enabled companies to be unaffected by the snowfall but secure remote access has been pushed further up the agenda.

So you will see that I’m suggesting that 2FA is the answer to multiple problems, but why use 2FA at all? Isn’t a username and password enough? To answer this question, let’s look at password strength in greater detail:

The threat of brute force attacks

Broadly speaking, the longer a password is the stronger it is. Passwords can be associated with a mathematical cryptographic value which is dependent upon a number of variables. Using additional variables such as upper case, lower case, numbers and symbols can generate even stronger passwords.

Long passwords are good, but consider the following examples:

User 1 password = redcheese6

User 2 password = zglihalq

User 1 password is made up of two words and one number, assuming 20,000 easy to remember common words in the English language, this password’s strength is:

20,000 x 20,000 x 10 numbers = 4 billion possible combinations

…or in terms of cryptographic strength, a 32-bit key.

User 2 password is eight randomly generated characters, therefore strength is:

26⁸ = 208 billion combinations

… cryptographic strength: 38-bit key.

The User 2 password is stronger and surpasses the strength of User 1. However, this kind of password strength is inherently difficult for the user to remember, often requiring it to be written down – thus negating the idea of having a strong password to begin with.

So, we now understand password strength, but how do we protect passwords from brute force attacks? Unfortunately there isn’t one silver bullet to fix this issue. Strong passwords are hard to remember and it is not uncommon to see a post-it note stuck to the computer screen with the password written on it.

Nearly half of all password attacks are physical, using social engineering skills to obtain them. Simply reading a post-it note on colleague’s computer is a simple attack, so is the “shoulder surfing” technique – literally watching over a person’s shoulder (ATMs usually carry warnings when you are entering your PIN code, but personal computers do not!). More sophisticated attacks use software to capture keystrokes at logon and then sends the captured information to a criminal for future use. Keylogging software can be installed on a computer from a virus infection, a Trojan program or a spyware program that was automatically downloaded from a web site (these can all happen without user’s knowledge). These attacks are especially serious, as the user is unaware until the damage has been done. Antivirus and antimalware software can be used to guard against this, but no software can guarantee 100% success.

Network snooping is another prevalent attack. Programs like Cain and Able and Dsniff capture passwords as they traverse the network. These programs capture web, FTP and telnet logons (telnet is used with network communication equipment or Unix systems). They do this very effectively and with little user set-up or intervention. Passwords traverse the network in one of two ways.

The first method, a password is sent in plaintext, therefore anyone using a protocol decoder will be able to see any plaintext password. The second way affords some protection by hashing the password. A hashing algorithm is a one-way function, transforming the plaintext password into a hash of fixed length. Common hash programs are MD5 and SHA-1, which have a fixed output of 128-and 160-bit hashes.

However, it is easy for hackers to defeat a hashing algorithm by generating a dictionary file of different password options and running them through the same hash algorithm. If the output from this algorithm is the same as the hash, the password has been broken. This technique is known as a brute force attack. Commercial programs are available today such as L0phtCrack. A moderately powerful computer running L0phtcrack can sustain password cracks of around 3 million cracks per second.  If this program were used with our example users above, all passwords would be cracked in the following timeframes:

User 1 >  less than 23 minutes

User 2 > less than 20 hours

Finally, passwords are troublesome to manage as the user typically decides their own passwords. Below is an extract from an audit of 342 user accounts conducted for a major client:

29 users had the password “password”

1 user had the password “password1”

4 users only used numbers – two of which looked like a date of birth.

3 users only used 5 character passwords

The key to defeating all these attacks is to employ a one-time password (OTP) that can only be used on one occasion. Any attempt to record and reply a password renders it useless as the initial password has already been locked. This is strong two-factor authentication, and it renders the attacks outlined above either totally ineffective or highly improbable.

Password Policies

To increase the strength of a password, organisations are advised to regularly reset user passwords. Some companies reset after 30, 60, or 90 days, but even quarterly resets can result in users forgetting their passwords. Users may try to alternate their favourite passwords so it’s also important to use a history list that tracks previous passwords. Traditional password reset security questions rely on static answers, such as a mother’s maiden name or employee number, but this method would fail a security audit because the information doesn’t change, it would fail history list checks and can be easily obtained by a hacker.

A  CIO or IT supervisor that has implemented a password policy as part of their total security mandate will inevitably face problems resetting passwords – especially for remote users who rarely visit the office. They are out on the move, and when it comes to resetting their password, they will need to be physically in the office to be able to change their password as they need to login to their laptop in order to start their VPN connection. This creates a catch-22 situation as they cannot reset their password until they are connected to the office. In the past, the only viable option was to allow their passwords to remain static, but again, this is not recommended and would lead to a security audit failure.

Two-factor authentication (2FA) adds an additional layer of security to the process by requiring a separate passcode in addition to a PIN or other secret information to be entered when the user is resetting their password. With hackers becoming increasingly determined and ever more effective, it pays to add the extra level of security provided by 2FA. With SecurEnvoy’s SecurPassword 2FA solution, users have a new and convenient way to reset their password and validate their identity, regardless of where they are in the world by sending a one-time two-factor authentication passcode to the user’s personal mobile phone via SMS. In addition, SMS messages can be sent seven days before (and the same day) that a user’s password expires.

This means mobile or remote users no longer have to return to the office and local users no longer need to be verified by IT or HR staff. In turn, this prevent the type of scenarios where workers are sometimes unable to access their computers for up to two days due to password reset problems, particularly if they don’t plan their trips around scheduled password resets.

Mobile security in 2011

No computer security solution can ever be totally water tight, but you can add layers of difficulty. An especially determined criminal would find a way to gain access to the average family home, but there are ways you can deter a criminal and lessen the chance of being burgled. Although the threat of attacks is real, many computer security companies are increasingly using scare tactics to convince users and companies that certain types of attacks will circumvent advanced security measures. However, the examples they cite – such as phishing attacks (essentially a confidence trick) – require an unrealistic level of action required from the user.

Taking SMS-based authentication as an example, it’s patronizing to assume that people will fall for a phishing attempt, just because it arrives on their mobile phone. Building hysteria around ‘smishing’ – the latest scaremongering security story fuelled by companies touting hardware tokens – is at best naïve, and at worst damaging to the wider efforts of the IT security community.

Analysts, think tanks and journalists all consider 2011 to be a breakthrough year for mobile computing.² This expectation brings with it a new wave of speculation and fear mongering about mobile device security; for example, that Zeus is allegedly going to infect mobile devices and take over SMS use. Numerous stories are also claiming that cybercriminals will soon be sending out rogue text messages with apps to download at the user end, while taking control of SMS gateways inside corporations.

While it’s theoretically possible for an attacker to inject a rogue login panel to a banking website and steal some details, the security flaw there is due to the website and not the mobile authentication.

It’s also naïve to assume people are going to download an app sent to them from a malicious yet anonymous cybercriminal. And while it’s perfectly possible for a telephony denial-of-service attack to occur, well designed two-factor SMS authentication solutions should preload passcodes, therefore defeating this attack and resolving any intermittent signal or SMS delivery delays.

Two-factor authentication is still the benchmark in security, and doing it by SMS is not only the most convenient but the most realistic and achievable approach. The industry must stop creating unlikely scenarios that only serve to frighten users and ultimately hold businesses back, and instead concentrate on making the case for effective authentication to enterprises.

So, we have a good idea that 2011 will be an important year for mobile phones and for two-factor authentication. 2FA is lean and effective option for organizational computer security that is easy to use and simple to implement. So, are you one of the 40% that will be adding mobile 2FA to your security measures this year?

Category: Industry News