Two-factor authentication is nothing new in government, the home of the original smart card. As security threats grow in number and sophistication, however, expanding the use of strong multifactor authentication that’s resistant to attack has become a renewed priority — especially for systems accessed by the public.
President Obama highlighted this need in his Cybersecurity National Action Plan, released in February. The plan lays out a multilayered approach to bolstering the security of federal systems.
“We’re going to empower Americans to be able to help themselves and make sure that they are safe online with an extra layer of security, like a fingerprint or a code sent to your cellphone,” Obama said.
This strong statement of executive support is crucial to the implementation of multifactor authentication, but the burden of designing and building these systems rests with agency IT teams and their vendor partners. Let’s peel back the layers of factors that could be combined to create an attack-resistant multifactor authentication strategy.
Different Kinds of Authentication
For many systems, users authenticate themselves solely with passwords that are known only to them and their authentication systems. Password authentication is knowledge-based — something users know. The username and password system, however, is the authentication approach that is most vulnerable to attack.
Other authentication systems rely upon biometrics, such as fingerprints or voice and retinal patterns — something users are. Agencies have long used biometric authentication for physical access control, limiting restricted areas with a finger or eye scan. Biometric authentication approaches provide strong security because it’s difficult, although not impossible, to steal a fingerprint.
Biometric authentication, though, requires specialized hardware, making it difficult to remotely authenticate large audiences, especially when users don’t have agency-issued equipment. For example, it’s hard to imagine how the IRS would implement fingerprint authentication to verify taxpayer identity without providing everyone with access to fingerprint scanners.
The third and final category of authentication technique is something users have. For many years, this approach relied upon the distribution of hardware tokens that displayed a changing sequence of letters and numbers. A user inputs this code into an authentication system, proving that he or she has access to the physical token.
SOURCE: whitehouse.gov, “Fact Sheet: Cybersecurity National Action Plan,” Feb. 9, 2016
This technology faced the same barrier as biometrics: the distribution of specialized hardware. The emergence of smartphones turned the paradigm on its head when authentication providers such as Symantec, Google and RSA rolled out app-based approaches to authentication.
Now, employees and citizens can generate security codes on their phones with an app. Many of these solutions also offer push-based authentication that displays a message on the user’s registered phone, prompting acceptance or denial of an authentication attempt.
As its name suggests, multifactor authentication combines techniques from two or more of these categories.
The most common multifactor implementation combines knowledge (such as a password) with a device (like a smartphone). For example, a user visiting a website might first be prompted for a username and password and then sent a security code via text message to his or her phone.
To access these accounts, hackers must not only steal a user’s password, but also gain access to the phone. This creates a fairly high barrier for entry. And with security, deterrence is a critical element.
As agencies roll out multifactor technology to meet the president’s mandate, they will need to carefully choose authentication technologies.
Security system designers commonly make the mistake of choosing two authentication factors from the same category, such as combining the use of a password with security questions.
This is not, in fact, multifactor authentication, as passwords and security questions are both knowledge-based approaches. If an attacker steals a password, he or she could likely also steal the answer to a security question through a phishing attack or targeted research.
Deploying multifactor authentication therefore takes work up front. Agencies using the smartphone-based approach will need to design and implement back-end solutions that support the technology, then work to register users for the new system. Introducing this approach to citizens will also require thoughtful attention to education and awareness.
The reward? Authentication systems that are more secure and provide more confidence in the identity of end users and systems administrators alike.