Friday, December 18, 2009

Gartner on beating strong two-factor authentication

Gartner just released a document titled “Where Strong Authentication Fails and What You Can Do About It”. Various articles have been published reporting on Gartner’s findings, including here, here and here. Most of Gartner’s comments and guidance revolve around protecting yourself from “man-in-the-browser” attacks. If you don’t know what an MitB attack is, here’s a link to Wikipedia’s MitB definition – check it out. A good example of an MitB program is “Silentbanker” (click to link to Symantec’s description of it).

The author’s advice is:

Enterprises need to protect their users and accounts using a three-prong layered fraud prevention approach that uses stronger authentication, fraud detection and out-of-band transaction verification and signing for high risk transactions.

I completely agree with the advice but also want to point out that last phrase, “high risk transactions”. I hope everyone recognizes that security is graduated. That means placing much more security around high risk transactions, and correspondingly lower levels of security around low risk or no risk transactions. After all, the best security against MitB attacks would be not to be connected to the Internet, but that’s probably not what companies have in mind. Hopefully, consumers are all running up-to-date anti-virus software that helps to prevent and eradicate these types of attacks, and companies are doing the same for their employees.

So does this mean that strong two-factor authentication is of no value anymore? Not at all, but we all should be re-evaluating our security posture based on risks and threats. The author emphasizes the use of out-of-band authentication due to growing MitB attacks. If your evaluation of this new risk versus your current security – two-factor or otherwise – leads you to believe you need to ratchet your security tighter, then that’s good advice for you. Security should always be evaluated against risk. If you are never going to drive 200 MPH, then why buy a car that can drive this fast? It’s the same concept for security.
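To make the graduated, out-of-band approach concrete, here is an added example (not from Gartner's paper or this post) of the bank-side logic: low-risk transfers pass on session authentication alone, while high-risk ones require a code bound to the payee and amount, so a MitB that rewrites the transaction in the browser invalidates the code the user produced. The device secret, nonce, risk threshold and transfers are all constructed assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass
HIGH_RISK_CENTS = 100_000  # constructed policy: $1,000 and up is high risk

@dataclass(frozen=True)
class Transfer:
    account: str
    payee: str
    amount_cents: int

def risk_tier(tx: Transfer, known_payees: set) -> str:
    """Graduated security: a new payee or a large amount is high risk."""
    if tx.payee not in known_payees or tx.amount_cents >= HIGH_RISK_CENTS:
        return "high"
    return "low"

def transaction_code(secret: bytes, tx: Transfer, nonce: str) -> str:
    """8-digit code bound to the transfer details (truncated HMAC-SHA256).
    The user's signing device produces it outside the browser."""
    msg = f"{tx.account}|{tx.payee}|{tx.amount_cents}|{nonce}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 100_000_000:08d}"

def authorize(secret: bytes, received: Transfer, nonce: str, code: str,
              known_payees: set) -> str:
    """Bank side: low-risk transfers pass on session auth alone; high-risk
    ones need a code computed over the details the bank actually received,
    so a MitB rewrite of payee or amount makes the check fail."""
    if risk_tier(received, known_payees) == "low":
        return "approved"
    if not code:
        return "code-required"
    expected = transaction_code(secret, received, nonce)
    return "approved" if hmac.compare_digest(expected, code) else "rejected"

def demo() -> dict:
    """Constructed scenario: the user signs the transfer they intend; a MitB
    rewrites the payee before the browser submits it."""
    secret = b"constructed-device-secret"  # shared with the signing device
    nonce = "tx-0001"                      # per-transaction challenge
    known = {"landlord", "utility"}
    intended = Transfer("acct-1", "landlord", 250_000)
    tampered = Transfer("acct-1", "mule", 250_000)
    code = transaction_code(secret, intended, nonce)  # signed off-browser
    small = Transfer("acct-1", "utility", 4_500)
    return {"low_risk": authorize(secret, small, nonce, "", known),
            "tampered": authorize(secret, tampered, nonce, code, known),
            "honest": authorize(secret, intended, nonce, code, known)}
```

Because the code covers the details the bank received rather than the session, it cannot be replayed against a different payee or amount; the same principle applies when the second channel simply quotes the payee and amount for the user to confirm.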


1 comment:

Joseph said...

Thanks much for the excellent perspective. I work for VeriSign and we've been talking about this issue a LOT in the last few weeks, as you can imagine. Good points here:

That means for high risk transactions that you are placing much more security around those types of transactions while for low risk or no risk transactions you are placing lower levels of security around them.

Yes, but I think that the way credentials are "shared" across various clouds has changed this somewhat. The reality is that some people are using the same log-in for their email as they are for their bank -- for the sake of convenience and maximum security we're getting to the point where virtually all online "transactions" need to be protected at some level.

Also, the key here is not relying entirely on a single safety method. 2FA has its place, as does Extended Validation SSL, as does anti-virus software. Treating any single one as a panacea is a fallacious approach.