Single Sign-on Flaws Drive Need For 2FA
SecurEnvoy 19/04/2012, Archive
Two-Factor Authentication or 2FA falls under the spotlight as US researchers discover pitfalls in single sign-on services
Commenting on reports that US security researchers have discovered a number of flaws in single sign-on (SSO) services operated by a number of portals – including Google and PayPal – SecurEnvoy says this highlights the clear need for two-factor authentication (2FA) where financial/personal logins are concerned.
According to Steve Watts, co-founder of SecurEnvoy, the tokenless two-factor authentication specialist, the fact that the security flaws also include social networking sites/services such as Facebook and Twitter – both of which have been repeatedly shown to have their security shortcomings – is enough to set the alarm bells ringing.
“The problem with SSO-based security is that it only authenticates the user when they actually log into the system concerned. And with nasties such as man-in-the-browser and plain text cookie intercepts becoming commonplace on both wireline and – in particular – wireless Internet connections, there is clearly a need for 2FA technology,” he said.
“The problem for most users is that existing 2FA technologies require they truck an authentication device – typically a hardware token – around with them, making access when away from your regular desktop computer a cumbersome process. But since most Internet users have a mobile phone in their purse or pocket, they can turn to tokenless 2FA methodology to simplify matters,” he added.
The SecurEnvoy co-founder explained that the security flaws identified by the Indiana University/Microsoft researchers – which involve poor integration by Web site developers of the application programming interfaces (API) and a lack of end-to-end security checks – mean that many Web portals are affected by one or more of the eight “serious” problems revealed.
It will, he says, be interesting to hear how the researchers’ paper is received later this year when they present their findings at the IEEE Symposium on Security and Privacy on May 20-23 in San Francisco.
At that stage, he adds, the shortcomings in security methodologies that the Indiana University and Microsoft researchers have discovered during their lengthy project will be exposed to the world’s security experts, giving the researchers’ peers a chance to review and comment on the issues revealed.
Watts went on to say that using a smartphone as a tokenless authentication channel makes a lot of sense, as it allows the mobile owner to authenticate him or herself at almost any time – including during the online session when private credentials or financial transactions are involved.
“Putting it simply, this means that users can log into an online banking service – for example, authenticating themselves using tokenless 2FA on their mobile phone – and then when they want to pay a bill, they can authenticate themselves once again,” he said.
“If you look at PayPal, for example, whenever you do anything unusual – such as making a withdrawal to an unverified bank account, for example – the PayPal computers will call the account holder on one of their nominated phone numbers, which could be a mobile, to authenticate the user. Extending the security envelope to include tokenless 2FA in these situations – as well as to the initial login process – makes a lot of sense,” he added.