Background of a new work item
Abstract
Most users today log into websites on the Internet with an ID/password. However, such passwords raise many security concerns. For example, users choose easy-to-guess passwords, reuse the same password across multiple accounts, write passwords down on paper or store them on their machines, and so on. Furthermore, attackers have many techniques for stealing passwords, such as shoulder surfing, snooping, sniffing and guessing. Single-factor authentication methods such as the basic username/password combination are no longer secure enough. Two-factor authentication provides a significant increase in security. The proposed international standard provides a framework for two-factor authentication in the mobile environment in order to resolve some of the problems of single-factor authentication. This contribution proposes that Study Group 17 Question 7 consider initiating a study on two-factor authentication mechanisms using mobile devices (phones) in the mobile environment.
Background
Authentication is defined as the use of one or more mechanisms to prove that you are who you claim to be. There are three universally recognized authentication factors today: [4]
- Something the user knows (e.g. a password)
- Something the user has (e.g. a hardware token)
- Something the user is (e.g. a fingerprint)
Recent work has tried alternative factors such as a fourth factor, e.g. somebody you know, which is based on the notion of vouching.
Today, single-factor authentication, e.g. passwords, is no longer considered secure in the Internet and banking world. Easy-to-guess passwords, such as names and ages, are easily discovered by automated password-collecting programs.
The most dominant authentication type in use today is single-factor authentication: the user's basic username/password combination. The single factor in this case is something you know, your password. Most business networks and most Internet sites use the basic username/password combination to allow access to secured or private resources. Single-factor authentication methods such as the basic username/password combination are no longer sufficient.
There are several weaknesses in single-factor authentication. Simply reading a post-it note on a colleague's computer is a simple attack, as is the "shoulder surfing" technique, where you watch a person log on and remember the keystrokes used. More sophisticated attacks use software to capture keystrokes at logon and then send them to an untrusted person for future use. Key-logging software can be installed on a computer by a virus infection, a Trojan program or a spyware program that was automatically downloaded from a web site (all of which can happen without the user being aware). These attacks are especially serious, as you do not know that your password has been compromised and have no way of stopping it until it is too late. Network snooping is another prevalent attack, where programs like Cain & Abel and Dsniff capture passwords as they traverse the network. These programs capture Web, FTP and telnet logons (telnet is used with network communication equipment or Unix systems). They do this very effectively and with little user set-up or intervention. [3]
Two-factor authentication is a security process that confirms user identities using two distinct factors, something they have and something they know. Two-factor authentication uses a mechanism that implements two of the above-mentioned factors and is therefore considered stronger and more secure than the traditionally implemented one-factor authentication system. [1]
Two-factor authentication provides a significant increase in security. The password or PIN must be used in conjunction with a token, a smart card or even biometrics. The combination of the two factors lets companies be sure of the people accessing secure systems. [2]
Two-factor authentication has recently been introduced to meet the demand of organizations for providing stronger authentication options to their users. In most cases, a hardware token is given to each user for each account. The increasing number of carried tokens and the cost of manufacturing and maintaining them is becoming a burden on both the client and the organization. Since many clients carry a mobile phone at all times today, an alternative is to install all the software tokens on the mobile phone. This will help reduce the manufacturing costs and the number of devices carried by the client.
The following are typical benefits of a two-factor system: [9]
- Resistant to single-factor attacks including keystroke monitoring, social engineering, man-in-the-middle attacks, network monitoring, password cracking and IT staff abuse.
- Difficult for a user to deny involvement in a transaction, because users are held accountable for all actions resulting from a successful user authentication.
- Less likely to lead to fraudulent or unauthorized access to corporate data.
- Easy for end-users to use.
- Durable, offering a long-term security solution.
Two-factor authentication also has disadvantages, which include the cost of purchasing, issuing and managing the tokens or cards. From the customer's point of view, using more than one two-factor authentication system requires carrying multiple tokens/cards, which are likely to get lost or stolen.
Several commercial two-factor authentication systems exist today, such as BestBuy's BesToken [7], RSA's SecurID [6] and Secure Computing's SafeWord [5].
Mobile phones have traditionally been regarded as a tool for making phone calls. But today, given the advances in hardware and software, the use of mobile phones has expanded to sending messages, checking emails, storing contacts, etc. Mobile connectivity options have also increased. After standard GSM connections, mobile phones now have infra-red, Bluetooth, 3G and WLAN connectivity. Most of us, if not all of us, carry mobile phones for communication purposes. Several mobile banking services available today take advantage of the improving capabilities of mobile devices, from receiving account balance information in the form of SMS messages to using WAP and Java together with GPRS to allow fund transfers between accounts, stock trading and confirmation of direct payments via the phone's micro browser.
Installing both vendor-specific and third-party applications allows mobile phones to provide expanded new services other than communication. Consequently, using the mobile phone as a token will make it easier for the customer to deal with multiple two-factor authentication systems; in addition, it will reduce the cost of manufacturing, distributing and maintaining millions of tokens.
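To make concrete the combination of "something the user knows" and "something the user has" with the second factor being a software token on the phone, the following Python is an example added to this page; it is not code from the contribution or from any product named above. It uses the HMAC-based one-time password algorithm of RFC 4226, with the RFC's published test secret as a constructed demo value, so the codes it produces match the RFC's test vectors. The MobileToken and AuthServer classes, the PBKDF2 password storage and the look-ahead window size are assumptions of the example. The verifier checks the password first and never accepts a counter at or below the last one used, which is what makes a one-time code captured by a key logger or network sniffer worthless on replay.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to a `digits`-digit code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


class MobileToken:
    """The software token installed on the phone ("something the user has").
    It shares a secret with the server and advances its counter per code.
    Assumed class, not from the page."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._counter = 0

    def next_code(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


class AuthServer:
    """Verifier holding a salted password hash (factor 1) and the per-user
    token secret plus the next acceptable counter (factor 2).
    Assumed class, not from the page."""

    LOOK_AHEAD = 5  # tolerate codes the phone generated but never submitted

    def __init__(self) -> None:
        self._users = {}

    def enroll(self, user: str, password: str, token_secret: bytes) -> None:
        salt = os.urandom(16)
        self._users[user] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "secret": token_secret,
            "counter": 0,  # next counter value the server will accept
        }

    def verify(self, user: str, password: str, code: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        # Factor 1: something the user knows. Constant-time compare of the hash.
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        if not hmac.compare_digest(candidate, rec["pw_hash"]):
            return False
        # Factor 2: something the user has. Search a small window ahead of the
        # last accepted counter; anything at or below it is a replay and fails.
        for c in range(rec["counter"], rec["counter"] + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                rec["counter"] = c + 1  # burn this code and every earlier one
                return True
        return False


# Constructed demo value: the RFC 4226 test secret, so codes match its vectors.
DEMO_SECRET = b"12345678901234567890"


def demo() -> list:
    """Walk one user through a normal login, a replayed code, a wrong
    password with a fresh code, and finally a fresh code with the password."""
    server = AuthServer()
    server.enroll("alice", "correct horse battery staple", DEMO_SECRET)
    phone = MobileToken(DEMO_SECRET)
    first = phone.next_code()  # "755224"
    return [
        server.verify("alice", "correct horse battery staple", first),  # True
        server.verify("alice", "correct horse battery staple", first),  # False: replay
        server.verify("alice", "wrong password", phone.next_code()),    # False: factor 1 fails
        server.verify("alice", "correct horse battery staple", phone.next_code()),  # True
    ]


if __name__ == "__main__":
    print(demo())  # [True, False, False, True]
```

Note that a failed password check returns before the one-time code is consulted, so a wrong password does not burn the submitted code on the server side; the phone, however, has already advanced, which is why the look-ahead window is needed to stay in sync.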
Proposal
With the background and discussion above, this contribution believes that there is a strong need for a framework for two-factor authentication mechanisms using mobile devices in the mobile context. Therefore, this contribution proposes that Study Group 17 Question 7 consider initiating a study on two-factor authentication mechanisms using mobile devices in the mobile environment.
Note that Annex B provides the template for the new work item.
Proposed Structure
This Recommendation would have the following structure:
1 Scope
2 References
3 Definitions
4 Abbreviations
5 Conventions
6 Overview of a two-factor authentication mechanism
6.1 Overview
6.2 Combination of two-factor authentication mechanisms using mobile phones (devices)
6.3 Use scenarios for two-factor authentication
6.4 Threats to two-factor authentication
6.4.1 Key logging attacks
6.4.2 Lost or stolen mobile device and list of OTPs
6.4.3 Shoulder surfing
6.4.4 Phishing / active or passive man-in-the-middle attack
6.4.5 Session hijacking and parallel session hijacking
6.4.6 Denial of service attack
6.4.7 Formal analysis of the security protocol
7 Security requirements for two-factor authentication mechanisms
9 Typical two-factor authentication mechanism for the mobile context
References
[1] Fadi Aloul, Syed Zahidi, Wassim El-Hajj, "Two Factor Authentication Using Mobile Phones," http://www.aloul.net/Papers/faloul_aiccsa09.pdf
[2] Roger Elrod, "Two-Factor Authentication," East Carolina University, 2005, http://www.infosecwriters.com/text_resources/pdf/Two_Factor_Authentication.pdf
[3] Andrew Kemshall, Phil Underwood, "Options for Two Factor Authentication," July 2007.
[4] "2-Factor authentication for mobile applications," DSWISS Ltd., 2010, http://pd.zhaw.ch/hop/528326154.pdf
[5] Aladdin, "Secure SafeWord 2008." Available at http://www.securecomputing.com/index.cfm?skey=1713
[6] B. Schneier, "Two-Factor Authentication: Too Little, Too Late," Inside Risks 178, Communications of the ACM, 48(4), April 2005.
[7] D. Ilett, "US Bank Gives Two-Factor Authentication to Millions of Customers," 2005. Available at http://www.silicon.com/financialservices/0,3800010322,39153981,00.htm
[8] Nima Kaviani, Kirstie Hawkey, Konstantin Beznosov, "A Two-factor Authentication Mechanism Using Mobile Phones," Technical report LERSSE-TR-2008-03, University of British Columbia, August 2008. http://lersse-dl.ece.ubc.ca/record/163/files/163.pdf
[9] "iKey 1000 Series: Smart Devices for Two-Factor Authentication," Rainbow Technologies, Inc.