A 'Token' Debate

By Peter Tippett

Multi-factor authentication is gaining considerable momentum with more organizations announcing the adoption of tokens, certificates or other log-in complements to enhance security in e-commerce environments.

For identity-related attacks today and for those likely over the next several years, multi-factor authentication mechanisms will offer significant improvement over basic user ID and password approaches.

As more companies consider the deployment of multi-factor mechanisms, it is important to understand the real costs and benefits of the various choices in order to arrive at the most effective, efficient strategy to meet security challenges.

A Layered Approach

Modern attacks are complex and relatively sophisticated. Phishing, for example, is a multi-step process that typically involves planning, setup, lure, collection, trade, fraud and laundering phases. Malcode that is successful at identity fraud includes similar phases: planning, setup, distribution, infection, capture, phone-home, trade, fraud and laundering.

As with other threat types, successfully fighting these identity attacks requires effective complementary work at many different layers. Intervention at any of the above steps will significantly diminish the success rate of the overall attack.

Countermeasures that work at more than one step, or different countermeasures that work independently on the same step, will have “synergistic effectiveness.” Take two different countermeasures, for example: If each reduces the likelihood of success by 90%, and one does not fail whenever the other fails, together they will reduce the likelihood of a successful attack by 99%.

This kind of layered, pragmatic approach is key to a successful security strategy.

Sophisticated, customized intelligence, fraud detection, forensics and law enforcement activities help most in the first and last several attack steps. Improvements in user education and next-generation browser feedback will reduce the success rate of the "lure" phase further while improvements in network provider, operating system and application security will reduce the likelihood of initial malcode infection.

For example, only a small fraction of users are either successfully lured to click on the link of a phishing scam, or are infected by malcode-borne identity attacks.

For that small percentage of users who succumb or are infected, the simple user ID and password is either captured during a scam login (phishing), or is captured by a keystroke logger (malcode). When successful, the criminal collects the data for later use, or trades the captured identity data to another criminal who uses this identity information to log in, transfer money and then launder it.

Almost any additional authentication “factor” will significantly reduce the likelihood of success of the collection or capture phases of the phishing or malcode identity attacks.

Physical tokens, soft tokens, simple client-side certificates, smart cards with certificates, bingo card schemes, out-of-band authentication using SMS (short message service), client profiling, choice of recognized faces and many other technologies can all provide significant protection, and thus, significant risk reduction.

Any of these would likely reduce risk by perhaps 100- to 1,000-fold for current and next-generation identity attacks.

Culture Clash

Unfortunately, we security professionals typically compare the options and start looking for perfection in any one technology or process. If we find hypothetical attack scenarios that could “defeat” a mechanism, we tend to completely reject the approach, or to accept it only with additional layers of complexity and cost.

This thinking drives us to ever more “perfect” technologies. All too often the “more secure” approaches we eventually choose are plagued with large initial costs, implementation challenges, user behaviour and acceptance issues, out-of-sight support costs, huge implementation delays or other problems. In the end, we wind up with no progress at all, with a failed implementation or with a total cost that exceeds the risk we intended to mitigate.

Instead of dwelling on hypothetical attack scenarios we should consider the total costs. These costs include the hard dollars of implementation, support and training, and time to market, as well as other soft costs like user acceptance, loss of competitive advantage and reputation.

The user acceptance of hardware tokens, for example, is especially poor. Users lose, misplace or destroy them, causing productivity problems and ample frustration.

Although conceptually simple, the extra work of using a token to log in requires a significant change in user behaviour. This leads to frustration and increased support costs. The initial cost of hardware is also quite high, typically well above $10 per user in volume.

Other techniques like out-of-band SMS messages, bingo cards and even soft tokens typically raise user ire and support costs beyond initial projections. Seemingly very light-weight techniques like user profiling and invisible client certificates utilized as cookies tend to have the lowest overall costs, and require the smallest changes in user behaviour.

Of the two, light-weight client certificates are probably stronger, but both can significantly reduce risk in typical settings. Additionally, they can be used together “synergistically” and almost invisibly to yield higher risk reduction than when used alone.

IT and security leaders should consider all of the options, but should give high consideration to solutions that provide good risk reduction with minimal initial costs, support and user infringement.

Look for several approaches to apply technology synergistically at more than one step or at different phases of the threat scenario. It is common to find several inexpensive, non-infringing technologies, processes or methods that, together, provide more risk reduction and significantly less cost than any one silver bullet.

Peter Tippett is CTO of security vendor Cybertrust and chief scientist for ICSA Labs, a division of Cybertrust. He specializes in the utilization of large-scale risk models and research to create pragmatic, corporate-wide security programs.