Secure remote access and web applications with two-factor authentication
Ticket Control
User authentication is all about finding out whether users really are who they claim to be. Given that unsuspecting users can fall into the trap of mistaking an attacker's smartphone for a legitimate Internet hotspot, giving the attacker an easy vector for stealing their passwords, relying on usernames and passwords alone to protect access to confidential information is basically irresponsible. The remedy could lie in the use of additional authentication factors.
Authentication Methods
Various authentication methods can be categorized into the groups "knowledge," "possession," and "biometrics" (Table 1). These groups, also called factors, constitute the basis of any authentication method.
Table 1: Authentication Methods

Factor | Examples | Advantages | Disadvantages
---|---|---|---
Knowledge | Password, PIN, response to security question | Low costs, easy to manage | Security depends on quality; can be guessed, sniffed, forgotten, or disclosed
Possession | Certificate, TAN list, chip card, one-time password token | Usually unique and therefore cannot be copied | High cost of acquisition and management; can be passed on
Biometric characteristic | Fingerprint, voice or facial recognition, DNA | Easy to use, cannot be passed on | Biometric factors are subject to change – for example, wear on fingerprints or voice changes with age; might violate data protection legislation
Despite serious drawbacks, passwords remain the most widely used authentication method. After all, practically any software product offers this method free of charge as a standard procedure. However, admins should bear in mind a rule of thumb for information protection and access rights: The greater the value of the protected information, the more secure the authentication method needs to be. Many of the problems with passwords can be avoided if a dynamic instead of a static password is used and if the dynamic password can be used only once. Perhaps you cannot prevent passwords from being sniffed, but authentication information stolen in this way will be worthless to the attacker.
Multifactor Authentication
The security of authentication processes can be increased significantly by a combination of several factors (multifactor authentication). For example, the debit card has always combined the factors of "knowledge" and "possession" because the user needs both possession of the card with a magnetic strip/chip and the associated PIN.
Even more secure is a process in which three factors are used – knowledge, possession, biometrics. For example, "QTrust 2go Smart" [1] combines all three factors, with the user first typing a username in the login screen (knowledge) and then scanning a QR code from the screen with a smartphone, from which the smartphone app then generates a one-time password (possession). For final authentication, the user then needs to perform face recognition with the smartphone camera (biometric feature) and type the one-time password into the login box.
Good Enough
For most security requirements, however, two-factor authentication is more than adequate. The Payment Card Industry Data Security Standard (PCI DSS) – a binding regulatory framework for the processing of credit card payment transactions – calls for a two-factor authentication solution for network access by administrators, staff, and external third parties [2].
Many two-factor authentication solutions are available on the market (see the "Commercial Two-Factor Authentication Solutions" box). Anyone planning to use such a solution should therefore decide in advance whether they want to work with certificates, one-time passwords, or both. Certificate-based two-factor authentication typically uses digital PKI certificates based on the X.509 standard. These are typically stored on a hardware certificate storage medium known as a security token. To authenticate, the user must connect the security token to the device and then activate the stored certificate by entering a PIN or password. Only then can the VPN client, for example, open a connection to the target system.
Commercial Two-Factor Authentication Solutions
Vasco is a Belgian manufacturer of two-factor authentication solutions and supplies, for example, eBay/PayPal's GO 3 token, known as a "security key." At the heart of its two-factor authentication is the Identikey server, which – in the basic version – comprises a RADIUS interface and various web plugins for Windows Terminal Services, Citrix, Outlook Web Access, and so on. On the client side, Vasco provides one-time password (OTP) tokens of various designs under its DIGIPASS brand – for example, as hardware tokens, mobile tokens, or as a SIM application. The latter is available under the name DIGIPASS Nano as a thin film bearing a chip (Figure 1). The film is inserted together with the SIM card into the phone and thus upgrades a cellphone to a hardware token.
RSA Security [3] is a subsidiary of EMC and is probably the best-known manufacturer of OTP solutions internationally with its "SecurID" product. The manufacturer gained notoriety in March 2011, when the company lost important material to a hacker; exactly what material was lost was never officially announced. However, the company replaced 40 million hardware tokens globally, suggesting that the algorithm and the seeds used to calculate the one-time passwords were stolen.
SafeNet [4] is an American manufacturer of security solutions that acquired Aladdin and Rainbow and their encryption solutions in 2004 and 2009. SafeNet offers certificate- and PKI-based solutions and OTP authenticators.
SMS Passcode, Denmark's PASSCODE A/S [5], offers one-time password authentication on the basis of text messages.
Zyxel [6], the Taiwanese network equipment manufacturer, has a two-factor authentication solution in its portfolio. It provides VPN access to the company's own ZyWALLs.
Special USB sticks or smart cards are typically used for storing electronic certificates and passwords. The practical advantage of USB tokens over smart cards is that the USB port on the local machine can be used, whereas smart cards require an additional card reader.
One-time password generators (OTP tokens) provide an alternative to certificates. OTPs are available in various form factors: hardware, software, grid cards, and "as a service," which is typically in the form of SMS (see the "Free OTP Systems" box). OTP tokens provide the user with a short-lived one-time password for the login.
Free OTP Systems
S/KEY/OPIE is an older security method that gives Unix-style operating systems one-time password authentication. The OPIE implementation (One-Time Passwords in Everything) [7] includes a client and a server application and a PAM module. OTPs can either be generated in advance and printed (e.g., a TAN list) or be generated on the fly with S/KEY generators.
Google Authenticator provides an OATH-compliant [8] two-factor authentication solution and HOTP/TOTP implementation. This method was primarily developed for authentication against Google's own services, but they also offer a PAM module for authentication on Unix systems.
The OpenKubus stick [9] is a USB flash drive with a free hardware layout that can generate one-time passwords. OpenKubus provides libraries for C, Perl, and PHP, as well as a server and a PAM module.
LinOTP [10] is a back-end system for connecting various authentication solutions and vendors. The community edition includes, among other things, a PAM module and a web API and supports numerous OTP tokens. The Enterprise Edition also allows access to directory services such as Microsoft Active Directory, Novell eDirectory, SQL, and OpenLDAP.
Mobile-OTP [11] is a free OTP implementation that includes a J2ME MIDlet on the server side and a shell script for integration with free RADIUS servers (e.g., XTRadius). On the client side, many free OTP tokens are available for all major mobile and operating system platforms.
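The S/KEY/OPIE entry above rests on a one-way hash chain: the client keeps a seed, the server stores only the last accepted hash, and each login reveals the preimage of what the server holds, so a sniffed value is useless for the next login. The following is an added illustration written for this article, not code from the OPIE project; it is simplified (SHA-256 instead of MD4/MD5, no 64-bit folding, no six-word encoding, and no skipping of sequence numbers), and the seed and chain length are constructed sample values.

```python
import hashlib
import hmac
import secrets


def skey_chain(seed: bytes, n: int, algorithm=hashlib.sha256) -> list:
    """Return the hash chain [h^0(seed), h^1(seed), ..., h^n(seed)].

    The client keeps the whole list (or recomputes it from the seed); only the
    final element h^n is registered with the server at enrolment time.
    """
    chain = [seed]
    for _ in range(n):
        chain.append(algorithm(chain[-1]).digest())
    return chain


class SKeyVerifier:
    """Server side of the scheme: stores the last accepted value, never the seed."""

    def __init__(self, registered: bytes, algorithm=hashlib.sha256):
        self.current = registered
        self.algorithm = algorithm

    def verify(self, presented: bytes) -> bool:
        # The client must present the preimage of the stored value. Once it is
        # accepted the server moves down the chain, so replaying the same value
        # (or any value already used) no longer hashes to what the server holds.
        if hmac.compare_digest(self.algorithm(presented).digest(), self.current):
            self.current = presented
            return True
        return False


def demo() -> bool:
    seed = secrets.token_bytes(16)       # constructed client secret
    chain = skey_chain(seed, 5)
    server = SKeyVerifier(chain[5])      # enrolment: server learns h^5 only
    ok_first = server.verify(chain[4])   # first login reveals h^4
    replay = server.verify(chain[4])     # a sniffed h^4 replayed is rejected
    ok_second = server.verify(chain[3])  # next login reveals h^3
    return ok_first and not replay and ok_second


if __name__ == "__main__":
    print("hash-chain demo OK:", demo())
```

When the chain is exhausted the client must re-enrol with a fresh seed; that re-enrolment, like the initial one, is the only step that must run over a trusted channel.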
Depending on the manufacturer and the method used, a distinction is made between time-based or time-synchronized tokens, TOTP (time-based one-time password algorithm, as defined in RFC 6238 [12]), and event-based tokens, HOTP (HMAC-based one-time password algorithm, per RFC 4226 [13]). Hardware-based, time-based tokens are usually more expensive because, in addition to the rest of the hardware, they need an accurate clock to serve as the counter.
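To make the HOTP/TOTP distinction concrete, here is an added example written for this article (not code from any of the products or projects named above) that implements both algorithms from RFC 4226 and RFC 6238 with only the Python standard library, together with the two server-side checks that differ between them: a clock-drift window for time-based tokens and a counter look-ahead for event-based tokens. The shared secret is the public test-vector secret from the RFCs, not a real seed; the window and look-ahead sizes are assumptions for the example.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                  # low nibble of the last byte picks a 4-byte window
    binary = ((mac[offset] & 0x7F) << 24     # top bit masked so the value is non-negative
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: int, digits: int = 6,
                step: int = 30, window: int = 1) -> bool:
    """Time-synchronized check: accept the current step plus `window` steps of
    clock drift on either side (the token's clock and the server's rarely agree exactly)."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * step, digits, step)
        if hmac.compare_digest(candidate, code):   # constant-time comparison
            return True
    return False


def verify_hotp(secret: bytes, code: str, stored_counter: int,
                look_ahead: int = 5, digits: int = 6):
    """Event-based check: the token button may have been pressed a few times with
    no login, so try stored_counter .. stored_counter + look_ahead. Returns the
    counter the server must persist next (one past the match) or None on failure.
    Because the stored counter only ever moves forward, a sniffed HOTP value is
    worthless once it has been used."""
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1
    return None


# Shared secret from the RFC 4226 / RFC 6238 test vectors (public test data, not a real seed).
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP for counter 0:", hotp(TEST_SECRET, 0))      # 755224 per RFC 4226
    print("TOTP right now:   ", totp(TEST_SECRET, int(time.time())))
```

The two verifiers show why the cost difference in the text exists: `verify_totp` needs nothing but a reasonably accurate clock on both sides, while `verify_hotp` needs no clock at all but must persist the counter after every successful login, and the server must reject anything at or below the stored counter.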