What will happen to authentication and passwords? A translation of the Javelin report “The State of Strong Authentication”, with commentary
Spoiler from the report's title page: "Strong authentication adoption has grown, driven by new risks and by regulatory requirements."
The research company Javelin Strategy & Research has published the report The State of Strong Authentication 2019 (the original PDF can be downloaded here). The report covers: what percentage of US and European companies use passwords (and why fewer and fewer do); why the share of two-factor authentication based on cryptographic tokens is growing so fast; and why one-time codes sent via SMS are unsafe.
Everyone interested in the present, past and future of authentication in enterprises and in user applications is welcome.
The second part of the report
Alas, the language in which this report is written is quite “dry” and formal. And the fivefold use of the word “authentication” in one short sentence is not the crooked hands (or brains) of the translator, but the whims of the authors. When translating, faced with the choice of giving readers a text closer to the original or a more readable one, I sometimes chose the first and sometimes the second. But be patient, dear readers, the content of the report is worth it.
Some passages that are insignificant and not needed for the narrative were removed; otherwise most readers would not get through the entire text. Those who wish to read the report uncut can do so in the original language by following the link.
Unfortunately, the authors are not always precise with terminology. One-time passwords (OTP) are sometimes called "passwords" and sometimes "codes". With authentication methods it is even worse: it is not always easy for an untrained reader to guess that “authentication using cryptographic keys” and “strong authentication” are one and the same. I have tried to unify the terms as far as possible; moreover, the report itself contains a section describing them.
Nevertheless, the report is highly recommended for reading, because it contains unique research results and the right conclusions.
All figures and facts are presented without the slightest change, and if you disagree with them, it is better to argue not with the translator but with the authors of the report. My own comments (set as quotations and marked in italics in the text) are my value judgements, and I will be happy to debate each of them (as well as the quality of the translation).
Nowadays, digital business channels of communication with customers are more important than ever. And inside the enterprise, communication between employees is more focused on the digital environment than ever before. And how secure these interactions will be depends on the chosen method of user authentication. Attackers use weak authentication to mass-hack user accounts. In response, regulators are tightening standards to make businesses better protect user accounts and data.
The threats associated with authentication are not limited to consumer applications; attackers can also gain access to applications running inside the enterprise, which allows them to impersonate corporate users. Through weak authentication entry points, attackers can steal data and carry out other fraudulent activity. Fortunately, there are measures to counter this. Strong authentication can significantly reduce the risk of attacks on both consumer applications and enterprise business systems.
This study examines: how enterprises implement authentication to protect user applications and enterprise business systems; factors that they consider when choosing an authentication solution; the role that strong authentication plays in their organizations; the benefits that these organizations receive.
Since 2017, the share of organizations using strong authentication has risen sharply. With the growing number of vulnerabilities affecting traditional authentication solutions, organizations are strengthening their authentication capabilities with strong authentication. The number of organizations using cryptography-based multi-factor authentication (MFA) has tripled since 2017 for consumer applications and has grown by almost 50% for enterprise applications. The fastest growth is in mobile authentication, owing to the growing availability of biometric authentication.
Here we see an illustration of the proverb "until the thunder strikes, the peasant does not cross himself." When experts warned of the weakness of passwords, nobody was in a hurry to implement two-factor authentication. Only once hackers began stealing passwords did people begin to implement it.
True, individuals are much more active in adopting 2FA. Firstly, it is easier for them to calm their fears by relying on the biometric authentication built into smartphones, which is in fact very unreliable. Organizations have to invest in buying tokens and do the (actually quite simple) work of deploying them. And secondly, everyone and his brother has written about password leaks from services such as Facebook and Dropbox, but the IT directors of those organizations will not share stories about how passwords were stolen inside their organizations (and what happened next).
Those who do not use strong authentication underestimate the risk to their business and their customers. Some organizations that currently do not use strong authentication still regard logins and passwords as one of the most effective and easiest-to-use authentication methods. Others do not see the value of the digital assets they own. Yet it is worth remembering that cybercriminals are interested in any consumer and business information. Two-thirds of companies that use only passwords to authenticate their employees do so because they think passwords are good enough for the kind of information they protect.
However, passwords are on their way to the grave. Over the past year, reliance on passwords has decreased significantly for both consumer and corporate applications (from 44% to 31% and from 56% to 47%, respectively), as organizations expand their use of traditional MFA and strong authentication.
But looking at the picture as a whole, vulnerable authentication methods still prevail. For user authentication, about a quarter of organizations use SMS OTP (one-time passwords) together with security questions. As a result, additional protective measures have to be deployed to cover their weaknesses, which increases costs. Much more reliable authentication methods, such as hardware cryptographic keys, are far less common, in about 5% of organizations.
The evolving regulatory environment promises to accelerate the adoption of strong authentication for consumer applications. With the introduction of PSD2 and of new data protection rules in the EU and in several US states such as California, companies are feeling the heat. Almost 70% of companies agree that they face strong regulatory pressure to provide strong authentication for their customers. More than half of enterprises believe that within a few years their authentication methods will no longer be sufficient to meet regulatory standards.
The difference between the approaches of Russian and US/European legislators to protecting the personal data of users of programs and services is clearly visible. The Russians say: dear service owners, do what you want and how you want, but if your admin leaks the database, we will punish you. Abroad they say: you must implement a set of measures that will prevent the database from being leaked. That is why requirements for strong two-factor authentication are being introduced there so vigorously.
True, it is far from certain that our legislative machinery will not at some point come to its senses and take Western experience into account. Then it will turn out that everyone needs to implement 2FA conforming to Russian cryptographic standards, and urgently.
Creating a solid authentication foundation allows companies to shift their focus from regulatory compliance to customer satisfaction. For those organizations that still use simple passwords or receive codes via SMS, the most important factor when choosing an authentication method will be compliance with regulatory requirements. But those companies that already use strong authentication can focus on choosing those authentication methods that increase customer loyalty.
When choosing a method of corporate authentication within an enterprise, the requirements of regulators are no longer a significant factor. In this case, ease of integration (32%) and cost (26%) are much more important.
In the era of phishing, cybercriminals can use corporate e-mail to fraudulently gain access to data and accounts (with the corresponding access rights), and even to persuade employees to transfer money to their account. Therefore corporate mail accounts and portals should be especially well protected.
Google has strengthened its security with strong authentication. More than two years ago, Google published a report on the implementation of two-factor authentication based on cryptographic security keys according to the FIDO U2F standard, reporting impressive results. According to the company, not a single phishing attack was conducted against more than 85,000 employees.
Implement strong authentication for mobile and online applications. Multi-factor authentication based on cryptographic keys protects against compromise far better than traditional MFA methods. In addition, using cryptographic keys is much more convenient, because there is no need to use and transmit additional information (passwords, one-time passwords or biometric data) from the user's device to the authentication server. Furthermore, the standardization of authentication protocols makes it much easier to adopt new authentication methods as they become available, reducing operating costs and protecting against more sophisticated fraud schemes.
Get ready for the sunset of one-time passwords (OTP). The vulnerabilities inherent in OTP are becoming ever more apparent as cybercriminals use social engineering, smartphone cloning and malware to compromise these authentication tools. And if OTP has certain advantages in some cases, they lie only in universal accessibility for all users, not in security.
It is impossible not to notice that receiving codes by SMS or push notification, as well as generating codes with a smartphone app, is the use of those very one-time passwords (OTP) whose sunset we are told to prepare for. From a technical point of view the decision is entirely correct, because there is hardly a fraudster who does not try to get a one-time password out of a gullible user. But I think the manufacturers of such systems will cling to the dying technology to the last.
Use strong authentication as a marketing tool to increase customer confidence. Strong authentication can not only improve the actual security of your business. Informing customers that your business uses strong authentication can strengthen the public perception of the security of this business - an important factor when there is a significant customer demand for reliable authentication methods.
Conduct a thorough inventory and assessment of the importance of corporate data, and protect it according to that importance. Even low-risk data, such as customer contact information (no, the report really does say “low-risk”; it is very strange that they underestimate the importance of this information), can be of significant value to scammers and cause problems for the company.
Use strong authentication in the enterprise. A number of systems are the most attractive targets for criminals. These include internal and Internet-connected systems such as an accounting program or corporate data storage. Strong authentication does not allow attackers to gain unauthorized access, and also allows you to accurately determine which of the employees committed the malicious activity.
What is strong authentication?
When using strong authentication, several methods or factors are used to authenticate a user:
- Knowledge factor: a secret shared between the user and the party authenticating the user (e.g. passwords, answers to secret questions, etc.)
- Possession factor: a device that only the user possesses (e.g. a mobile device, a cryptographic key, etc.)
- Inalienability factor: the user's physical (often biometric) characteristics (e.g., fingerprint, iris pattern, voice, behavior, etc.)
The need to defeat several factors significantly increases the likelihood of failure for attackers, since bypassing or deceiving different factors requires several kinds of attack tactics, one for each factor.
For example, with “password + smartphone” 2FA, an attacker can authenticate by spying the user's password and making an exact software copy of the user's smartphone. And this is much more complicated than simply stealing a password.
But if a password and a cryptographic token are used for 2FA, the copying option no longer works: the token cannot be duplicated. The fraudster would have to quietly steal the token from the user. If the user notices the loss in time and notifies the admin, the token is blocked and the fraudster's work is in vain. That is why the possession factor should use specialized protected devices (tokens) rather than general-purpose devices (smartphones).
Using all three factors would make this authentication method quite expensive to implement and quite inconvenient to use. Therefore two of the three factors are usually used.
The principles of two-factor authentication are described in more detail here in the section “How two-factor authentication works”.
It is important to note that at least one of the authentication factors used in strong authentication must use public key cryptography.
Strong authentication provides far more protection than single-factor authentication based on classic passwords and than traditional MFA. Passwords can be spied or intercepted with keyloggers, phishing sites or social engineering attacks (where the deceived victim hands over the password herself). Moreover, the owner of the password will know nothing about the theft. Traditional MFA (including OTP codes, or binding to a smartphone or SIM card) can also be defeated fairly easily, because it is not based on public key cryptography (incidentally, there are many examples where, using the same social engineering techniques, fraudsters persuaded users to give them a one-time password).
Fortunately, since last year the use of strong authentication and traditional MFA has been gaining momentum in both consumer and enterprise applications. The use of strong authentication in consumer applications has grown particularly fast: in 2017 it was used by only 5% of companies, and in 2018 by three times as many, 16%. This can be explained by the increased availability of tokens that support public key cryptography (PKC) algorithms. In addition, the increased pressure from European regulators after the adoption of new data protection rules, such as PSD2 and GDPR, has had a strong effect even outside Europe (including in Russia).
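As an added illustration, not part of the report or of this translation, here is a small Go program that models the check a relying party can make in each case: a TOTP verifier can only compare digits, while a FIDO-style verifier checks an ECDSA signature over its own origin and its own challenge, so an assertion produced on a look-alike site does not verify on the real one. The origins, the 32-byte challenge and the simplified client-data layout (origin, a zero byte, challenge) are assumptions of this example; real U2F/WebAuthn client data carries more fields, but the origin binding is the same idea, and the TOTP secret is the RFC 4226/6238 test vector.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// totp derives a 6-digit RFC 6238 code for one time step from the shared secret.
func totp(secret []byte, step uint64) uint32 {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], step)
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	return (binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff) % 1000000
}

// otpVerify is all a relying party can check for an OTP: the digits match. The code says nothing about where it was typed.
func otpVerify(secret []byte, step uint64, submitted uint32) bool {
	return totp(secret, step) == submitted
}

// clientDataHash binds the server's challenge to the origin the browser reports (simplified layout,
// an assumption of this example); a FIDO token signs this hash and nothing else.
func clientDataHash(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator between origin and challenge
	h.Write(challenge)
	return h.Sum(nil)
}

// tokenSign models a security key answering a challenge: the private key never leaves
// the token, and it signs for whatever origin the browser supplies.
func tokenSign(priv *ecdsa.PrivateKey, origin string, challenge []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, clientDataHash(origin, challenge))
	if err != nil {
		panic(err)
	}
	return sig
}

// rpVerify is the relying party's check: the signature must cover the RP's own
// origin and the challenge it issued, never values supplied by the client.
func rpVerify(pub *ecdsa.PublicKey, rpOrigin string, issued, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, clientDataHash(rpOrigin, issued), sig)
}

type result struct{ otpLegit, otpRelayed, fidoLegit, fidoRelayed bool }

// demo runs each method twice: a direct login, then one relayed through a
// look-alike origin that forwards whatever the user produces to the real server.
func demo() (r result) {
	const realOrigin = "https://bank.example"       // constructed sample origin
	const fakeOrigin = "https://bank-login.example" // constructed look-alike
	secret := []byte("12345678901234567890")        // RFC 4226/6238 test secret
	code := totp(secret, 1)
	r.otpLegit = otpVerify(secret, 1, code)
	r.otpRelayed = otpVerify(secret, 1, code) // same digits, forwarded by the look-alike
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	direct := tokenSign(priv, realOrigin, challenge)  // browser reports the real origin
	relayed := tokenSign(priv, fakeOrigin, challenge) // same challenge, look-alike origin
	r.fidoLegit = rpVerify(&priv.PublicKey, realOrigin, challenge, direct)
	r.fidoRelayed = rpVerify(&priv.PublicKey, realOrigin, challenge, relayed)
	return r
}

func main() {
	fmt.Printf("%+v\n", demo())
}
```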
Let's take a closer look at these numbers. As we can see, the share of private individuals using multi-factor authentication grew by an impressive 11% over the year. And this clearly happened at the expense of password lovers, since the numbers of those who believe in the safety of push notifications, SMS and biometrics did not change.
But with two-factor authentication for corporate use, things are not so good. Firstly, judging by the report, only 5% of employees were moved from password authentication to tokens. And secondly, the number of those using alternative MFA options in the corporate environment grew by 4%.
I'll try to play analyst and give my interpretation. At the center of an individual user's digital world is the smartphone. So it is not surprising that most people use the features the device gives them: biometric authentication, SMS and push notifications, and one-time passwords generated by apps on the smartphone itself. People usually don't think about safety and reliability when using their familiar tools.
That is why the share of users of primitive “traditional” authentication factors remains unchanged. But those who previously used passwords understand how much they risk, and when choosing a new authentication factor they settle on the newest and safest option: a cryptographic token.
As for the corporate market, it is important to understand which system performs the authentication. If it is a Windows domain logon, cryptographic tokens are used: support for using them for 2FA is already built into both Windows and Linux, and implementing alternative options is long and difficult. That explains the 5% migration from passwords to tokens.
The implementation of 2FA in a corporate information system, on the other hand, depends heavily on the qualifications of the developers. And it is much easier for developers to take ready-made modules for generating one-time passwords than to understand how cryptographic algorithms work. As a result, even security-critical applications such as Single Sign-On or Privileged Access Management use OTP as the second factor.
Many vulnerabilities in traditional authentication methods
Although many organizations remain dependent on legacy single-factor systems, the vulnerabilities of traditional multi-factor authentication are becoming increasingly apparent. One-time passwords, usually six to eight characters long and delivered via SMS, remain the most common form of authentication (in addition, of course, to the password as the knowledge factor). And when the words “two-factor authentication” or “two-step verification” appear in the popular press, they almost always refer to authentication using one-time SMS passwords.
Here the author is a little mistaken. Delivering one-time passwords via SMS has never been two-factor authentication. It is, in its purest form, the second stage of two-step authentication, where the first stage is entering the login and password.
In 2016, the National Institute of Standards and Technology (NIST) updated its authentication guidelines to exclude the use of one-time passwords sent via SMS. However, these guidelines were substantially relaxed after protests from the industry.
So, follow the plot. The American regulator rightly recognizes that outdated technology cannot ensure the safety of users and introduces new standards, standards designed to protect users of online and mobile applications (including banking). The industry wonders how much money it will have to spend on buying truly reliable cryptographic tokens, on reworking applications and on deploying a public key infrastructure, and rises up in protest. Users, on the one hand, are assured of the reliability of one-time passwords, and, on the other hand, NIST comes under attack. As a result, the standard is softened, and the number of break-ins and thefts of passwords (and of money from banking applications) rises sharply. But the industry did not have to shell out.
Since then, the weaknesses inherent in SMS OTP have become more apparent. Fraudsters use various methods of compromising SMS messages:
- SIM card duplication. Attackers create a copy of the SIM (with the help of mobile operator employees, or on their own using special software and hardware). As a result, the attacker receives the SMS with the one-time password. In one particularly well-known case, hackers were even able to compromise the AT&T account of cryptocurrency investor Michael Terpin and steal almost 24 million dollars in cryptocurrency. Afterwards, Terpin said that AT&T was to blame because of the weak verification measures that led to the duplication of the SIM card.
Awesome logic. So only AT&T is really to blame? No doubt the mobile operator is at fault for its retail staff issuing a duplicate SIM card. But what about the cryptocurrency exchange's authentication system? Why didn't it use reliable cryptographic tokens? Was it sorry to spend the money? Isn't Michael himself to blame? Why didn't he insist on changing the authentication mechanism, or use only those exchanges that implement two-factor authentication based on cryptographic tokens?
The adoption of truly reliable authentication methods is delayed precisely because, before a break-in, users are strikingly reckless, and afterwards they blame anyone and anything except ancient and "leaky" authentication technologies.
- Malicious programs (malware). One of the earliest functions of mobile malware was to intercept and forward text messages to cybercriminals. Man-in-the-browser and man-in-the-middle attacks can also intercept one-time passwords when they are entered on infected laptops or desktop devices.
When the Sberbank app on your smartphone blinks a green icon in the status bar, it is also looking for “malware” on your phone. The purpose of this exercise is to turn the untrusted runtime environment of a typical smartphone into a trusted one, at least to some degree.
Incidentally, the smartphone, as a completely untrusted device on which anything can run, is another reason to use only hardware tokens for authentication, since they are protected and free of viruses and trojans.
- Social engineering. When fraudsters know that the victim has one-time SMS passwords enabled, they can contact the victim directly, posing as a trusted organization such as her bank or credit union, to trick the victim into giving them the code she has just received.
I have repeatedly encountered this type of fraud personally, for example when trying to sell something on the popular online flea market. I myself scoffed at the scammer trying to fool me. But alas, I regularly read in the news how the next victim of fraudsters “didn't think”, gave out a confirmation code and lost a large sum. And all because the bank simply does not want to bother with implementing cryptographic tokens in its applications. After all, if something happens, the customers are "to blame."
While alternative methods of delivering one-time passwords can mitigate some vulnerabilities of this authentication method, other vulnerabilities remain. Standalone code-generating applications are the best protection against interception, since even malicious programs cannot interact directly with the code generator (seriously? Did the report's author forget about remote control?), but the OTP can still be intercepted when entered in the browser (for example, with a keylogger) or through a compromised mobile application, and it can also be obtained directly from the user through social engineering.
Using several risk assessment tools, such as device recognition (identifying attempts to perform operations from devices not belonging to the legitimate user), geolocation (a user who was just in Moscow trying to perform an operation from Novosibirsk) and behavioral analytics, is of great value in closing these gaps, but none of these solutions is a panacea. For each situation and data type, it is necessary to carefully assess the risks and choose which authentication technology should be used.
No authentication solution is a panacea
Figure 2. Table of authentication options
Security keys, the tokens referred to in the report, are built to the FIDO standards (U2F or FIDO2). Tokens built to this standard really have no protection of their own, just as hardware OTP generators have none: anyone who steals or finds the device will be able to act on behalf of its rightful owner (if, of course, they also obtain the password).
| Method | Factor | Description | Vulnerabilities |
|---|---|---|---|
| Password or PIN | Knowledge | A fixed value, which may include letters, digits and a number of other characters | Can be intercepted, spied, stolen, guessed or cracked |
| Knowledge-based authentication | Knowledge | Questions whose answers only the legitimate user can know | Can be intercepted, guessed, or obtained by social engineering |
| Hardware OTP (example) | Possession | A dedicated device that generates one-time passwords | The code may be intercepted and replayed, or the device may be stolen |
| Software OTP | Possession | An application (mobile, browser-based, or sending codes by e-mail) that generates one-time passwords | The code may be intercepted and replayed, or the device may be stolen |
| SMS OTP | Possession | A one-time password delivered via SMS text message | The code can be intercepted and replayed; the smartphone or SIM card can be stolen; the SIM card can be duplicated |
| Smart cards (example) | Possession | A card containing a cryptographic chip and secure key storage, using a public key infrastructure for authentication | May be physically stolen (but an attacker cannot use the device without knowing the PIN, and after several incorrect PIN attempts the device is locked) |
| Security keys, tokens (example, another example) | Possession | A USB device containing a cryptographic chip and secure key storage, using a public key infrastructure for authentication | May be physically stolen (but an attacker cannot use the device without knowing the PIN, and after several incorrect PIN attempts the device is locked) |
| Behavior | Inherence | Analyzes how the user interacts with a device or program | Behavior can be imitated |
| Fingerprints | Inherence | Stored fingerprints are compared with ones read optically or electronically | The image can be stolen and used for authentication |
| Eye scan | Inherence | Characteristics of the eye, such as the iris pattern, are compared with new scans obtained optically | The image can be stolen and used for authentication |
| Face recognition | Inherence | Facial characteristics are compared with new scans obtained optically | The image can be stolen and used for authentication |
| Voice recognition | Inherence | Characteristics of a recorded voice sample are compared with new samples | The recording can be stolen and used for authentication, or the voice can be imitated |
But classic cryptographic tokens and smart cards are protected by a PIN. Before starting work, the user connects the token to the device via USB, Bluetooth, NFC or a smart card reader, then enters a PIN that unlocks access to the token's protected memory and allows authentication. The PIN is not transmitted to the server, which means it cannot be intercepted in transit. Unlike a password, it can be short and easy to remember. This PIN is a knowledge factor, which makes it easy to build two-factor authentication with cryptographic tokens or smart cards.
Thus, almost any authentication method has flaws, with the exception of cryptographic tokens.
In the second part of the publication, the tastiest part awaits us: the figures and facts on which the conclusions and recommendations given in the first part are based. Authentication in user applications and in corporate systems will be discussed separately.