Friday, August 17, 2012

Authentication services that are available for businesses

The face of hacking has morphed from isolated, simple thrill- or bragging rights-seeking pranksters to sophisticated underground networks staffed with very smart people intent on exploiting networks and devices for financial gain. As reported in several media outlets, including Wired magazine, cybercrime is an increasingly popular career choice in countries like Romania and Russia among disenfranchised youth, members of the unemployed middle class, and criminal gangs simply seeking to add a new profit center to their organizations.

This has produced a seemingly never-ending war between these black hats and security companies, with the latter usually one step behind the latest exploit. Vendors can typically protect clients only after a threat has been unleashed and identified "in the wild," and even then they often fail, as the recent Carberp statistics show: 80% of infected computers had popular antivirus software installed that should have protected them but didn't.

Authentication, therefore, is becoming more important to online businesses that want to avoid incidents like Apple's recent in-app purchase hack, which let users obtain paid in-app content for free. The old username/password standby is increasingly seen as inadequate as an authentication method when used by itself, so enterprises are looking to employ additional measures.
Here are some of the more robust authentication schemes in use by businesses today.

Multi-Factor Authentication
Multi-factor authentication requires two or more independent authentication methods, taken from different categories, before granting access to a secure network or authorizing a financial transaction. The categories are:
  • something the user possesses, such as a key, token, card or smartphone;
  • something only the user knows, such as a password or the name of a first pet;
  • something inherent in the user, such as a fingerprint.
Two methods from the same category (a password plus a security question, say) are not two factors. MFA is harder for a hacker to penetrate because a stolen or guessed password is no longer enough on its own; the attacker also needs the token, phone or fingerprint, which in the case of a physical token means getting hold of the device itself.

Out-of-band authentication
Out-of-band authentication is a specific form of MFA in which an initial authentication, such as username and password, is backed up by secondary or even tertiary verification steps that take place on a different channel from the original. Suppose a large account transfer was initiated by a user logged into his bank account. A bank using OOB authentication might simply place a phone call or send a message to a special app on the user's smartphone to verify that the transfer is legitimate.
Should the transaction be fraudulent, the user could report it to the bank or simply ignore the prompt, as the bank would not process the transfer without the extra authentication. The prompt should spell out the amount and destination so the user is approving that specific transaction, and the second channel only adds security if an attacker who has compromised the first one cannot also reach it (malware on the same phone that runs the banking session defeats the purpose).
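The bank-side logic for the transfer example above, as an added illustration (this is not code from the original post or from any bank's system). The transfer is parked as pending, a confirmation code goes out on a second channel, and the transfer is executed only if the matching code comes back before it expires. The account numbers, phone number and `send_oob` delivery hook are assumptions; a real deployment would plug an SMS or push gateway into `send_oob`.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    account: str
    destination: str
    amount_cents: int


@dataclass
class Pending:
    transfer: Transfer
    code: str
    expires_at: float
    attempts_left: int = 3   # cap guesses so a 6-digit code cannot be brute-forced


class OutOfBandApprover:
    """Bank side of the flow. A transfer entered in the web session is parked as 'pending';
    it is executed only when the matching confirmation code comes back, and that code is
    delivered over a different channel (here `send_oob`, assumed to be an SMS or push gateway)."""

    def __init__(self, send_oob, ttl_seconds=120):
        self.send_oob = send_oob        # callable(phone, message): the second channel
        self.ttl = ttl_seconds
        self.pending = {}               # txid -> Pending
        self.processed = []             # transfers that were actually executed

    def initiate(self, transfer, phone, now):
        """Called from the web session. Parks the transfer and pushes the code out of band.
        Deliberately does not return the code to the caller: the web channel never sees it."""
        txid = secrets.token_hex(8)
        code = "{:06d}".format(secrets.randbelow(1_000_000))
        self.pending[txid] = Pending(transfer, code, now + self.ttl)
        # Quote the amount and destination so the user approves this transaction, not a blank "yes".
        self.send_oob(phone, "Send ${:.2f} to {}? Reply with code {}".format(
            transfer.amount_cents / 100, transfer.destination, code))
        return txid

    def approve(self, txid, code, now):
        """Called when the user responds on the second channel. Returns True only if the
        transfer was executed; a wrong, expired or already-used code executes nothing."""
        p = self.pending.get(txid)
        if p is None:
            return False                # unknown, expired, cancelled or already used
        if now > p.expires_at:
            del self.pending[txid]
            return False
        # Constant-time comparison on bytes so a mistyped or odd reply cannot raise or leak timing.
        if not hmac.compare_digest(p.code.encode(), str(code).encode("utf-8")):
            p.attempts_left -= 1
            if p.attempts_left <= 0:
                del self.pending[txid]  # too many guesses: cancel the transfer outright
            return False
        del self.pending[txid]          # consumed: the same code cannot approve twice
        self.processed.append(p.transfer)
        return True

    def sweep(self, now):
        """Drop transfers the user ignored. Ignoring the prompt is a valid 'no'."""
        expired = [t for t, p in self.pending.items() if now > p.expires_at]
        for t in expired:
            del self.pending[t]
        return len(expired)
```

The points worth copying are that the web session never receives the code, that `processed` only grows on a successful `approve`, and that a pending transfer dies on expiry or after a few wrong guesses rather than waiting indefinitely for the right one.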

Biometric authentication
The word "biometrics" literally means "to measure life," and, in regards to security, refers to using a measurable physical characteristic of a user to authenticate him. Common physical characteristics used in biometrics include:
  • Voice prints
  • Fingerprints
  • Facial structure and ratios
  • Eye characteristics
Biometrics are increasingly common, with even some laptops offering built-in fingerprint scanners to protect against unauthorized users. One caveat: a fingerprint or face cannot be changed if a copy of it leaks, so biometrics are best used as one factor alongside another rather than on their own.

Token authentication
Tokens are physical devices, such as magnetic cards, USB dongles, near field communication-embedded stickers, etc., which can be used alone or as part of a multi-factor authentication scheme. An example is the RSA SecurID device, prevalent in large enterprises, which generates and displays on a tiny screen a one-time password that changes every 30 to 60 seconds, so a password alone is useless to anyone who does not hold the device. The protection is not absolute: a one-time password is still only as secret as the user keeps it, and an attacker who tricks the user into typing the current code into a phishing page can relay it to the real site before it expires.
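As an added example serving both the multi-factor and token sections above (not code from the original post, nor RSA's own implementation), here is how a time-based one-time password of the kind such a device displays is generated and checked on the server side, following the published HOTP (RFC 4226) and TOTP (RFC 6238) constructions, combined with a password check to make a two-factor login. The seed is the RFC test-vector seed and the user name and password are constructed; the `window` and replay handling are the parts a practitioner should compare against their own implementation.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo seed: the shared-secret test vector from RFC 4226 / RFC 6238,
# not a real credential. In practice each token holds its own random seed.
DEMO_SEED = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server side of the 'something you have' factor for one user.

    Accepts the code for the current time step and `window` steps either side (clock drift),
    but never accepts a step at or before the last one it accepted, so a code an attacker
    captured from the user cannot be replayed inside the same 30-second window."""

    def __init__(self, secret, step=30, window=1, digits=6):
        self.secret = secret
        self.step = step
        self.window = window
        self.digits = digits
        self.last_accepted_step = -1

    def verify(self, code, at):
        if not (isinstance(code, str) and code.isdigit()):
            return False
        current = at // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue  # already used, or older than one we accepted: reject to stop replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False


def make_user(password, totp_seed):
    """Enrol a user: salted PBKDF2 password hash (knowledge) plus a TOTP seed (possession)."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "pw_hash": pw_hash, "otp": TotpVerifier(totp_seed)}


def login(user, password, code, at):
    """Two-factor login: both the password and a fresh OTP must check out.

    The OTP is checked only after the password passes, so someone guessing passwords
    cannot burn the user's current OTP step and lock the real user out of it."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return False
    return user["otp"].verify(code, at)
```

With the RFC seed, `hotp(DEMO_SEED, 0)` is `755224` and `totp(DEMO_SEED, 59)` is `287082`, matching the published test vectors, which is the first thing to check when validating any OTP implementation against a hardware token.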

Authentication is a fertile ground for innovation due to the coming wave of mobile and contactless payment systems, such as Google Wallet, which will require better solutions to protect customers, vendors and financial institutions from the inevitable horde of hackers who will attempt to rip them off. IT managers should take heed, and stay abreast of developments in this rapidly changing field.

About the Author: Robert Coulter reports on two-factor security measures. In his free time, he works on beefing up security to his own servers.
