Why Passwords are Yummy!

Granted, passwords have been around for a long time, and many vulnerabilities have surfaced along with password-stealing and cracking techniques. Yet passwords continue to thrive in the free market.

This short article takes a closer look at the underpinnings of this state of affairs and how we can move to a better and more secure cyber world.

For this, let us look at the stakeholders in this broken technology.

C-level and Administrators: The passwords are yummy for them because, when their servers are hacked, as a “proverbial fig leaf” for their “naked servers” they can always claim: “We suspect a compromise of our authentication (password) servers (database); however, all the passwords were hashed (hash: something believed to be uncrackable to get the plain passwords back); we recommend our users change their passwords immediately”. Done!

By the way, this doesn’t take into account that the advanced persistent threats could possibly be lurking around and might silently grab those changing passwords too!

Yes, even given several known attacks on the user end using techniques as simple as phishing and key-logging, we continue to rely on passwords.

Users: The passwords are yummy for them because they can always come up with an obscure combination of their spouse’s middle name, the first names of their kids and their dates of birth as part of their “super duper” password. It gets them emotionally attached to such passwords. Unfortunately, these may not stand up against hacking tools such as keyloggers or phishing.

Hackers: The passwords are yummy because they are ready to go (for use). Moreover, the victim user might have used the same password across several sites. Bonanza!

Developers (app): Passwords are yummy because they can be embedded as static strings (in whatever data structure the developer uses) to invoke their APIs. Limited-time tokens (the equivalent of password strings) are still a pain to deal with.

So goes the eco-system…

What do we need here? For starters, disposable, zero-footprint authentication with privacy and convenience (balancing risk and convenience), MFA characteristics, and Single Sign-On (SSO) capability would mean goodbye, passwords!

Thanks for reading!

Posted in User Authentication, Phishing, Passwords, Mobile banking, online banking, online fraud | Leave a comment

On sizing-up the base factor (1st) for Online Multi-Factor Authentication (MFA)

It is time to revisit the multi-factor lingo in the context of online (remote) authentication. A recent Aite report forecasts that the Knowledge-Based Authentication (KBA) market is set to grow. This short article reviews and compares such solutions in the context of MFA.

Let us set out the factors right now:

  • Knowledge (base) factors: what we know, such as passwords and shared secrets
  • Possession factors: what we carry, such as gadgets, tokens etc.
  • Our genetic human factors: what we are, identified by fingerprints, retinal scans etc.

That was easy! Now let us revisit the motivation for why so many factors have been introduced into the authentication jungle. Simply put, passwords, our first front-line defense for security/privacy, have become sitting ducks when it comes to attacks such as keyloggers, phishing, over-the-shoulder snooping, brute-force guessing and so on.

Among others, the main contributing factors weakening our “foundation” or first front-line defense, also known as passwords, are:

  • Static in nature: changing passwords every 30-90 days sounds like eternity!
  • Formed/picked by humans: what can we say about human brains on pure recall? Very poor at best; we always choose the easy way out.
  • Password explosion: too many passwords to come up with; on average a normal person has 20 passwords in today’s cyber life, leading to reuse of passwords across applications/domains.

Last but not least, the ease and prevalence of hacking tools such as keyloggers, phishing etc. in today’s cyber hacking world make passwords vulnerable.

For the rest of this article, we focus on static (password), limited-dynamic and fully-dynamic KBA (knowledge-based) solutions. We refer to a limited set of questions and answers (challenge/response) that vary over a period of a few weeks or longer as limited-dynamic KBA; these may include questions such as a) when did you purchase your new house, b) where did you go on vacation this summer, etc.

On the other hand, a fully-dynamic KBA solution such as Truesigna makes the user’s response change involuntarily and automatically, and one-time in use. A quick comparison of the schemes is summarized in the table below:

[Table not reproduced on this page: Zero-footprint dynamic access code solutions benefits]

The first column, elimination of password tables (whether in salted-and-hashed or encrypted form), is a non-trivial and tremendous benefit of fully-dynamic KBA. What does this translate into? Among several things, a few to begin with:

  • The base factor for online authentication, upon which all the other factors (2nd and 3rd) may rely, gets a solid foundation.
  • Elimination of the key vulnerabilities associated with passwords
  • Elimination of mass stealing of credentials (password hashes) from LDAP/AD directory databases

So, the question that still lingers is: can a fully-dynamic KBA solution be multi-factor authentication (MFA) as per the old school of thought? Absolutely; multiple factors can come in various forms, as noted in the new guidelines from FFIEC (see “Semantics of MFA”).

Another driving force for such dynamic solutions is the fact that “zero-footprint” is where we are heading, given mobile and desktop computing convergence and cloud computing, with BYOD very much a reality. Watch our edu-fun video overview of the further benefits of such dynamic KBA solutions over tokens, out-of-band SMS access codes, biometrics and others here.

To top the cake with icing, besides the ability to do away with passwords completely, current standards such as SAML and OpenID, along with OAuth, provide ample mechanisms for federated as well as single sign-on (SSO), making life easier and removing the need to worry even about the “master password” of current SSO/federated solutions.

For a comparison of factors other than our foundational base (knowledge-based) factor, see the rest of our informative articles on

TrueGuard is a solution that offers the convenience of SSO without the “master password”, is truly zero-footprint at the end user’s side, is convenient and easy to use, and offers first-of-its-kind robust security for all your enterprise needs.


Goodbye Passwords!

Eliminating Passwords, Phishing, Preventing online fraud, Cloud computing authentication smart

Goodbye Passwords, Phishing, Keylogs

Hope you had edu-fun watching this animated presentation on smart authentication. Thanks.


BYOD: The challenge of securing enterprise operations

In cloud computing these days, everyone in IT is excited about the new opportunities the cloud provides in terms of operational and cost overheads.

However, there are a few security issues to deal with when it comes to the current trend of Bring Your Own Device (BYOD) in enterprise IT. A few notable challenges (not exhaustive by any means):

  • The well-defined perimeter now becomes “a bit fuzzy” and possibly interdependent with the cloud provider.
  • Maintaining security on BYOD devices becomes a non-trivial issue, both from a) an authentication perspective and b) a confidentiality perspective.

On confidentiality, encryption techniques would typically help, assuming that the keys are securely maintained.

From an authentication perspective, device fingerprinting would definitely help, as long as users register their devices in a timely manner. Further, user authentication could become less secure if either soft tokens or passwords are used, as users are less likely to apply operating-system updates and patches to their own devices, unlike enterprise-managed machines.

Moreover, users are less likely to hand over their devices to enterprise IT to fiddle with and install relevant security-enhancing software.

When it comes to password-based authentication, users are likely to store their strong passwords on such devices, making them susceptible to theft and eventually exposing enterprise infrastructure to hackers.

The best option would be one-time access codes, while at the same time avoiding soft tokens (for the reasons mentioned above).

The advantage of an SMS text-message-based access code for authentication simply vanishes when the same device is used for both login and code delivery, unless the user opts to carry (inconveniently) another phone/smart device to handle that.

What do we need here? Yes, a zero-footprint, one-time access code for strong authentication, securing the weakest link (“the user”). This will eliminate major hassles for enterprise IT security folks.

Find out more about this solution here.


On Preventing “Mass-Stealing” of User Credentials (Passwords)

It is unfortunate that the industry has witnessed another couple of mishaps when it comes to “password hacking” (LinkedIn and eHarmony).

It is imperative that an authentication technology eliminate the “mass stealing of credentials” (like X million passwords in any form).

In layman’s terms, a one-way cryptographic hash transforms the password (or any plain text) such that it is “irreversible”: given the hash of the text, we cannot get the text back.

However, there are many hash-cracking techniques to reverse-engineer what the plain text (password) could be, and tools such as rainbow tables aid the process.

A password is sometimes “salted”, a term that indicates a secret but variable text value added to the password before hashing to make the hash more robust. However, most of the time salts are stored in plain text, and as such, if a system is compromised, the salts are too.

Salting by the authentication server can only make the hacker’s job harder, not impossible. This is because anything static is a sitting duck when it comes to brute-force (and also sophisticated differential analysis) hash matching of guessed passwords against the stolen (given) hash of the user’s password.

Cheap computing power has made brute-force guessing of passwords, matched against the stolen hashes, much more feasible.
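As an added illustration (not code from this post or from Truesigna), the following Python contrasts the unsalted fast hash the post warns about with a per-user salted PBKDF2 store, and counts the hash operations an offline guessing run needs against each kind of leaked table; the iteration count and the user/guess sizes are constructed values.

```python
import hashlib
import hmac
import os
import time

# Added example, not Truesigna/TrueGuard code. It contrasts the naive store the
# post warns about (one fast hash, no salt) with a per-user salted, deliberately
# slow PBKDF2 store, and quantifies what each means for offline guessing.

ITERATIONS = 100_000  # PBKDF2 work factor; a constructed value for illustration


def unsalted_sha1(password: str) -> str:
    """Naive store: equal passwords give equal hashes, so one precomputed
    (rainbow) table, or one hash per guess, is enough to attack every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Per-user random salt (stored in the clear next to the hash, as the post
    notes) plus a slow key-derivation function. The salt defeats precomputation
    and makes equal passwords look different; the iteration count makes every
    single guess cost the attacker the same work it costs the server."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Server-side check; a constant-time compare avoids a timing side channel."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode(),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def hash_ops_to_test_wordlist(num_users: int, num_guesses: int, salted: bool) -> int:
    """Hash computations needed to test every guess against a leaked table.
    Unsalted: hash each guess once and look it up against all users at once.
    Salted: each guess must be re-hashed separately with every user's salt."""
    return num_guesses * (num_users if salted else 1)


def seconds_per_hash(fn, *args, rounds: int = 3) -> float:
    """Rough cost of one hash evaluation, i.e. of one attacker guess."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(*args)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    # Constructed demo values: a million leaked accounts, a 10k-word list.
    users, guesses = 1_000_000, 10_000
    print("unsalted ops:", hash_ops_to_test_wordlist(users, guesses, salted=False))
    print("salted ops:  ", hash_ops_to_test_wordlist(users, guesses, salted=True))
    rec = make_record("correct horse battery staple")
    fast = seconds_per_hash(unsalted_sha1, "correct horse battery staple")
    slow = seconds_per_hash(verify, rec, "correct horse battery staple")
    print(f"one SHA-1 guess: {fast:.2e}s, one PBKDF2 guess: {slow:.2e}s")
```

The salt itself is not secret here, which matches the post's observation: it is the per-user variation plus the work factor, not salt secrecy, that raises the cost of cracking a stolen table.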

So, what can we do about this?
Simple: make the password non-existent.

How? Short answer: make the password (or, now, call it an access code) a moving target.

Are we crazy? No passwords!!!? Yes, it is possible here.

Find out more about a solution that prevents “mass credential-stealing” at Truesigna.


What do the new (Q1 ’11) FFIEC supplement guidelines mean?

Well, the much-anticipated new supplement to the FFIEC guidelines has been released. A copy of it can be found here*.

OK, so what does it mean for all the financial institutions/banks that are guided, directly or indirectly (NCUA etc.), by the FFIEC guidelines? Three main themes are emphasized:

  • Password technology is obsolete
  • It is not enough to authenticate the online user (at login); transactions need to be authenticated/authorized to reduce the risk of online fraud
  • A layered approach to risk assessment and fraud prevention

Taking a closer look at the above three, we have:

Passwords: absolutely broken technology. With so many years of deployment, many of us have developed such a deep affinity for password fields (in web/browser forms) that without them we don’t have a sense of “feeling secure”.

Today, authentication without passwords is “unthinkable”. However, it is possible to do away with passwords completely and at the same time get orders of magnitude more security, without the inconvenience of carrying any gadgets or downloading any crazy software onto your devices.

Beyond-login authentication: essentially, this means that someone in the middle (between the online user and the bank, call him/her a (wo)man-in-the-middle) cannot simply hijack your “already logged-in session” with the bank and carry out online fraud.

By authenticating transactions, especially those involving money transfer, the financial institutions make sure that a) the legitimate user is indeed initiating and authenticating the transaction and b) the user is aware of the transaction before approval.

And by the way, it is really foolish to ask for the same password or “the pet’s name” repeatedly, as, once compromised through phishing or spyware/malware, those can easily be reproduced by hackers.
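The “moving target” access code from the previous post and the transaction authentication described here, as an added example that is not Truesigna’s code or mechanism (the posts do not describe one): it assumes a shared secret enrolled out of band and derives a one-time code with HMAC over a server nonce and the transaction details, so a captured code can neither be replayed nor redirected to a different transaction.

```python
import hashlib
import hmac
import secrets

# Added example, not Truesigna/TrueGuard code. The post does not describe how
# its access codes are produced, so this assumes a shared secret enrolled out
# of band and derives each code with HMAC from a one-time server nonce and the
# transaction details, giving the two properties the posts ask for: the code
# is a moving target (never the same twice) and approves only one transaction.


def canonical(tx: dict) -> bytes:
    """Fixed field order so both sides MAC exactly the same bytes."""
    return f"{tx['from']}|{tx['to']}|{tx['amount']}|{tx['currency']}".encode()


def user_code(key: bytes, nonce: bytes, tx: dict) -> str:
    """User side: computed over the transaction the user actually sees and
    intends, not over whatever reached the server. Truncated to 8 hex chars
    (an assumed length) on the basis that the nonce is single-use and the
    server limits attempts."""
    return hmac.new(key, nonce + canonical(tx), hashlib.sha256).hexdigest()[:8]


class AuthServer:
    def __init__(self) -> None:
        self.keys = {}      # user -> shared secret (enrolment assumed out of band)
        self.pending = {}   # nonce -> (user, canonical transaction bytes)

    def enrol(self, user: str) -> bytes:
        self.keys[user] = secrets.token_bytes(32)
        return self.keys[user]

    def challenge(self, user: str, tx: dict) -> bytes:
        """Issue a fresh nonce bound to this exact transaction as submitted."""
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = (user, canonical(tx))
        return nonce

    def approve(self, user: str, nonce: bytes, tx: dict, code: str) -> bool:
        """Consume the nonce whatever the outcome, so a code can never be
        replayed; then check the transaction and the MAC in constant time."""
        entry = self.pending.pop(nonce, None)
        key = self.keys.get(user)
        if entry is None or key is None or entry != (user, canonical(tx)):
            return False
        return hmac.compare_digest(user_code(key, nonce, tx), code)


if __name__ == "__main__":
    # Constructed walk-through.
    server = AuthServer()
    key = server.enrol("alice")
    intended = {"from": "alice", "to": "plumber", "amount": "250.00", "currency": "USD"}
    nonce = server.challenge("alice", intended)
    code = user_code(key, nonce, intended)
    print("legitimate approval:", server.approve("alice", nonce, intended, code))
    print("replay of same code:", server.approve("alice", nonce, intended, code))
    # Someone in the middle rewrites the payee; the user still approves what they see.
    tampered = dict(intended, to="mule")
    nonce2 = server.challenge("alice", tampered)
    print("tampered payee:", server.approve("alice", nonce2, tampered,
                                           user_code(key, nonce2, intended)))
```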

Layered approach to risk: with the recent breaches at RSA and the token technology compromise, it is now a given that the security approach has to be proactive, and several layers need to be in place as checkpoints so that any breach can be reasonably detected or delayed.

What do all these mean to CIOs/CTOs/IT admins?
They need to be proactive in adopting and testing new technologies based on sound principles. See our “Making a case for zero-footprint solution for online authentication” in this blog.

For the end users: we will soon be looking at alternatives to passwords. Yes, “Be Safe With No Passwords”.

* The copy is provided for convenience only; copyrights belong to the originating institution/authors.


Balancing Privacy and Security: User Authentication

Granted, the daily events and transactions carried out by any client/user would most likely be private and not immediately known to outsiders, implying secrecy. Since the knowledge (data) pertaining to such transactions varies over time, one way of doing dynamic authentication is to cross-check, when authenticating a user, with queries about such transactions.

However, from an end-user perspective this would be highly intrusive when it comes to privacy. For example, the end user would be highly frustrated and puzzled if the teller at the bank enquired how much ($) was paid with the last check for the auto repairs the end user had done.

In this age of Google and Yahoo, there is no need to point out how much information about oneself is on the Internet. Certainly, data mining and advanced semantic models are helping targeted marketing, while privacy takes a back seat.

Further, as these transactions become public knowledge over time, some of them risk becoming predictable. Thus their suitability and usefulness for user authentication also diminish.

When it comes to online user authentication, the best scenario would be to leave both privacy and secrecy to the users themselves. At the same time, the authentication system should ensure the non-triviality of any parameters configured by the end users, without sacrificing convenience or introducing any potential security risk.


On Semantics of Multi-Factor Online User Authentication

Several market verticals have been battling with a critical piece of the puzzle when it comes to online user authentication, namely passwords and their vulnerabilities.

When it comes to e-commerce and healthcare IT, several compliance standards have been set forth, such as the FFIEC and HIPAA guidelines. While a layered approach to securing online user authentication is a no-brainer, it is interesting to note the semantics of multi-factor online user authentication. A widely accepted view of the multiple factors in online user authentication is as follows:

  • Knowledge (base) factors: what we know, such as passwords and shared secrets
  • Possession factors: what we carry, such as gadgets, tokens etc.
  • Our genetic human factors: what we are, identified by fingerprints, unique retinal scans etc.

Now, let us look closely at what “online user authentication” means. It implies that there is no physical verification of the human behind the computer/device over the Internet, in contrast to, say, physical verification at airports, where a government official is physically present to check the identities of travelers.

As such, it is the response from the end user that we have to rely upon; the authentication system cannot touch, feel, sense, or visually and physically verify the end users. Notice that biometric sensors, tokens, cell phones and other possession/human factors ultimately only aid in generating the “response” for the authentication system. This is an inherent attribute of communication over the Internet.

Thus, the ultimate goal of any authentication system is to have multiple factors such that hacking and hijacking of user credentials is minimized to a large extent, if not eliminated. These multiple factors can be of the same category or different categories, as long as they add robustness to online authentication, taking appropriate risk factors into account.

Major influencing factors in the selection among these categories (the three authentication factors listed above) are a) perceived value and the costs of implementation and maintenance, b) user convenience, and, most importantly, c) raising the bar for hacking and bringing in robustness against known attacks.

See our “Making a case for strong zero-footprint online user authentication” for more details on why such an approach makes sense, as a balanced and sensible approach, for e-commerce and cloud computing with millions of online users.


Cloud Computing: Securing the Weakest Link

These days cloud computing has been the buzzword for IT folks. It has been touted as a way to help corporations conduct business by housing data and the required hardware over the Internet.

There are several benefits when cloud computing is realized in a secure manner. However, we see a lot of inertia from small businesses and big corporations alike about putting their most confidential documents on the cloud. While there are certainly many factors influencing such decisions, let us look at the most important components of the security aspects. Besides scale and economic drivers, the following are essential, but the list is not exhaustive at all:

  • Online user authentication
  • Timely access control and management of resources and data, along with the CIA triad (Confidentiality, Integrity and Accessibility/Control)
  • Data security with encryption, along with safe management of encryption keys
  • Fail-over and redundancy of secure data
  • Secure access to data through appropriate network channels
  • ….

Indeed, even with the advancements and traction of PKI (public key infrastructure) for asymmetric encryption schemes, or with symmetric encryption schemes such as AES, someone in the IT chain has to secure and maintain the private keys. Certainly, these keys are ultimately tied to the humans who maintain such secret or confidential keys, which emphasizes the critical nature of user authentication. That’s for the administrators.

Now, for the end users who have to conduct critical business transactions in a secure way, authentication based on traditional passwords would be disastrous. Password technology, with its several vulnerabilities, is broken, especially when flying around on the Internet cloud.

Choices to secure this weakest link (users, with respect to authentication) are plenty. However, the prime desirable characteristics of a solution for good adoption would be:

Convenience:

  • Nothing to carry and no software to download
  • Device agnostic: just a simple SSL-secured browser should do (after all, we are on the cloud, and what else would we expect to use other than the ubiquitous web browser?)

Security:

  • Resilient to replay attacks, key-logging and phishing (in other words, the access secret/password should be ever-changing)
  • Optionally, the ability to authenticate transactions

Ease of deployment and maintenance:

  • Highly desirable for IT and system administrators for a mass roll-out
  • Brings down capital and operating costs with excellent ROI

Bottom line: a replacement for password technology that addresses the vulnerabilities of traditional passwords, and yet is a zero-footprint solution, is desirable and has to be adopted quickly.


On secure mobile banking

Yes, online banking and critical secure transactions will predominantly be done over smartphones in the near future. In fact, current mobile banking is exceeding the past projections made by various analysts. Tower Group’s current estimate is that 53 million users will be mobile banking by 2013 in the North American market alone.

The main drivers behind this, among others, are:

  • No need to wait to power on and boot up laptops/PCs
  • Enhanced mobile browser (or app) capabilities comparable to those on PCs
  • Easy to carry around and always (24×7) powered, ready-to-go smartphones

When it comes to user authentication, one has to rely on some form of password (including one-time passwords) in order to log in and authorize transactions from mobile phones. The advantage of the out-of-band phone factor for delivery of one-time access codes over SMS text message vanishes when the same phone is also the banking device, unless we (inconveniently) use an extra cell phone/gadget to receive them.

Moreover, it is just a matter of time before we see in the mobile world all the hacks and malware/spyware currently witnessed in the PC/laptop world.

  • SMS phishing (“smishing”) would be on the same scale as current traditional e-mail phishing.
  • Unless the app world (third-party applications) for smartphones is regulated and tightly controlled, there will potentially be dangerous malware/spyware lurking around as vehicles for online fraud.

As such, the following would constitute a desirable environment for carrying out online mobile banking securely:

  • Strong authentication with one-time pass-codes
  • Zero footprint at the client’s (mobile user’s) end
  • Transaction verification and authentication
  • Mutual assurance between authentication server and client (transparently, without much effort or outside support)

It is further anticipated that anti-virus and anti-spyware tools and applications will be widely deployed on smartphones, as they are now on PCs/laptops. Nonetheless, the above recommended feature set is becoming a must rather than “good to have”!

Summary: secure mobile banking is the future; it needs to be carefully planned, and authentication (user/transaction) will be a critical component. Zero client-footprint one-time pass-codes would be ideal for enabling strong authentication to secure critical transactions.
