Safeguarding the future: next-generation multifactor authentication | SC Media

August 19, 2014

Security breaches and identity theft are on the rise as remote access services and cloud applications have become essential to how enterprises conduct business. Not only have these attacks become more prevalent, but hackers are becoming increasingly savvy and sophisticated in how they deploy them. Authentication tokens are increasingly outdated and unreliable in fending off malicious actors. It is clear that the industry is ripe for a next-gen approach that delivers truly secure, real-time multifactor authentication.

The surge of remote access

Online services have become an integral part of the enterprise over the past decade as remote access has become the default way for employees to access systems and conduct business. As organizations have integrated cloud apps into their business models, identity theft has become a significant threat with astonishing complexity and speed. As a result, there is an increased demand for modern mobile phone-based multifactor authentication.

The evolution of the remote access industry has brought about an increase in threats as well as in their complexity. Initially, online services relied on a username and password as the sole form of authentication. Hackers used either brute-force attacks or dictionary attacks to guess the username or password.

Eventually, systems evolved and locked the account down after a few failed attempts, leading hackers to develop new techniques such as key loggers. Today, phishing and pharming are the most commonly used attacks. These methods lead users to a fake website that appears identical to the original, thereby fooling the user into entering his or her username and password. Some of the more strategic attacks send the stolen data to the hackers in real time via a small instant message program, compromising commonly used two-factor authentication tokens.

Making matters worse, malicious actors have developed more sophisticated approaches of intercepting user interactions with online services, including man-in-the-middle and man-in-the-browser attacks, along with session hijacking. Traditional two-factor authentication tokens are no longer guaranteed to safeguard the identity of a user against these latest threats. However, many organizations are left in the dark, unaware that traditional tokens can be compromised, posing a significant security risk.

To prevent these kinds of outcomes, organizations must constantly evaluate their level of investment in security measures considering today's evolving threat environment. However, putting the best protection into effect on a wide scale can be out of the price range for many organizations, forcing them to make a compromise somewhere. To address the challenge of safeguarding organizations within budgetary constraints, a number of authentication solutions have hit the market, including biometric scanning, identity cards, certificates, hard- and software tokens, with the latter being the most dominant technology. Although certificates are often considered the ideal way to connect two devices with a secure identifiable connection, there are frequently errors in implementation. Certificates run a high risk of being copied without the user's knowledge. Furthermore, the certificate authority might be compromised as well.

Biometric scanning has also been seen as a very secure alternative. However, relying on always having a functioning finger or iris scanner is unrealistic, and the scan itself produces a digital file that can be compromised. Another alternative is the identity card, which in a world of bring-your-own-device (BYOD) has proven to be impractical, since users require access from an ever-changing variety of devices. Therefore, a new approach is necessary.

Changing the rules

Many organizations have begun using multifactor authentication based on mobile networks with the goal of providing users with simple, flexible solutions that combat today's modern threats.

There are two main drivers for the adoption of the latest generation of multifactor authentication: first, the need to deliver hardened security that mitigates innovative threats; and second, the desire to implement increased security easily and at a low cost. The device used in the authentication process needs to be unique to the user in question and be connected to the network in real time.

If the authentication engine sends a regular token via SMS, however, today's malware threats can easily acquire the code. Therefore, to effectively protect against sophisticated threats, organizations must opt for strategies that operate securely in a message-based environment. To get the highest possible level of security, the one-time password (OTP) must be generated in real time and be specific (locked) to the particular session, as opposed to tokens that derive their passcodes from a stored seed file. In support of real-time code delivery, the organization also needs a robust and redundant server-side architecture along with support for multiple delivery mechanisms, regardless of geographic location. Last but not least, the strategy should take into account the existing user infrastructure so that management stays simple for users and IT managers alike.

Identity theft threat vectors have exceeded the sophistication of many of the defense technologies available today, resulting in a wildly lucrative industry on the black market. This calls for a new generation of multifactor authentication solutions. Organizations can protect their employees, users and data by implementing solutions that deliver session- and location-specific codes to the user's mobile phone in real time.