“The Future of Multi-Factor Authentication is Hardware.” (From our Forums.)
Text originally published by Saroj Kumar on the Cyber Secure Central Forums.
Moving beyond username and password is a necessity. But how can multi-factor credentials be protected effectively?
In 81% of cases, computer system breaches are caused by the theft of passwords or the use of ‘weak’ credentials. It is a very well-known problem, and the solution is equally obvious: abandon authentication systems based on username and password and switch to multi-factor authentication.
However, this small revolution is still struggling to take hold, and for the moment its adoption still rests on two elements that we can call voluntary: on one side, the preparation of a system by those who provide services or manage infrastructure, and on the other, the users’ willingness to adopt it.
The absence of standard tools for multi-factor authentication usually limits the choice to the classic verification by a code sent via SMS, certainly safer than a password alone but too cumbersome to become a daily procedure.
Furthermore, in a business environment, the use of such solutions would be unthinkable. Even software-based ones, such as tokens or code generators on smartphones, leave too much room for an attacker to bypass the controls with purpose-built malware.
To overcome all these obstacles, the best solution is to abandon software technologies and switch to systems managed directly at the hardware level. This is a philosophy espoused with great conviction by Intel, which has introduced into its Intel vPro platform a series of multi-factor authentication solutions offering advantages that can change the game.
The Authenticate solution provides several alternative authentication factors: facial recognition, fingerprint reading, interaction with mobile devices over a Bluetooth connection, and logical verification of location.
The advantages of biometric systems
If 100% security is ruled out as a concept, getting close to 99% is the best possible result. The most effective approach is to build customized solutions that combine different tools.
In this way it is possible to require, in addition to something you know (for example a PIN), something you have (one of your devices) and something you are (an authentication based on a biometric system). The cutting edge of the Authenticate solution platform is precisely the availability of biometric authentication systems (fingerprint scanning and facial recognition) integrated directly into the computer.
These techniques combine a high level of security with the ease of use that is indispensable for everyday work in a business environment.
From a security standpoint, whatever the merit of the more or less fanciful alarms about deceiving these systems with specially processed images or silicone casts of fingerprints, there is first of all a decisive element: an intruder, even having found a method to circumvent the controls, would still need physical access to the terminal.
In terms of practicality, they offer such a rapid procedure that they are an ideal solution even in a business environment, where more complex systems (such as the use of tokens) would become terribly frustrating for those who have to use them.
Naturally, the use of these authentication systems also opens up another question: the choice of the architecture to be used. Network-level management gives system administrators greater control over access and security policies, but there is a downside.
First of all, biometric data are considered sensitive information and must therefore be managed and protected in accordance with the directives and legislation on data protection.
Secondly, keeping such data at the corporate network level opens up the possibility that an attack on the biometric data management system will open the door to an intruder, defeating the very reasoning that ties access to the devices themselves.
Keeping the data on the device is the more practical solution (no need to worry about legal compliance) and a safe one, especially since storing the data in a hardware section completely separate from the rest of the system adds a further level of protection.
Local storage is the approach recommended by the FIDO Alliance, whose members include IT companies such as Microsoft, Google and Intel, as well as Mastercard and other financial-sector operators.
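As an added illustration of the local-storage architecture just described (example code written for this edition, not from Intel, the FIDO Alliance or the original post), the Go simulation below keeps the biometric template and signing key on the device and lets the server store only a public key, so a breach of the server database yields nothing that can be replayed. The exact-hash match standing in for a real biometric matcher is an assumption of the simulation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// Authenticator is the device side: the biometric template and the signing
// key stay here (in a real deployment, in the isolated hardware store the
// article describes). Exact-hash matching stands in for a fuzzy matcher.
type Authenticator struct {
	template [32]byte
	priv     ed25519.PrivateKey
}

// Server is the relying party. It holds only the public key, so a breach of
// its database exposes no template and no secret that could be replayed.
type Server struct{ pub ed25519.PublicKey }

// Enroll registers a constructed sample on the device; the server gets only the public key.
func Enroll(sample []byte) (*Authenticator, *Server) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return &Authenticator{sha256.Sum256(sample), priv}, &Server{pub}
}

// Unlock matches locally and signs the challenge only on success; nothing biometric leaves the device.
func (a *Authenticator) Unlock(sample, challenge []byte) ([]byte, bool) {
	h := sha256.Sum256(sample)
	if subtle.ConstantTimeCompare(h[:], a.template[:]) != 1 {
		return nil, false
	}
	return ed25519.Sign(a.priv, challenge), true
}

// Authenticate runs the full exchange: fresh challenge out, signature back, verify.
func Authenticate(a *Authenticator, s *Server, sample []byte) bool {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	sig, ok := a.Unlock(sample, ch)
	return ok && ed25519.Verify(s.pub, ch, sig)
}
```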
The content of this article does not reflect the official opinion of Cyber Secure Central. Responsibility for the information and views expressed in the article lies entirely with the author(s).