Two-Factor Authentication on the Web


Two-Factor Authentication on the Web

by RSD-2


My company does online loan applications. Various agencies and customers have demanded we comply with FFIEC
guidelines[0] regarding two-factor authentication.  Now the guidance describes many different types of factors that
could be used, such as Tokens/Biometric/Out-of-Band/etc.

Now the specs I've received from our analysts indicate they have chosen the 'shared secret' as a second factor. It's a
secret question like 'What is your favorite food?' that is supposed to augment the existing username and password.

Here's the problem -- a password is also considered a shared secret -- so this isn't really two-factor, more like 2
one-factors.  Since the factors have identical characteristics, if one is compromised, the other will surely follow.

Now the guidance doesn't see that as a problem: "The use of multiple shared secrets also provides increased security
because more than one secret must be known to authenticate."  Seems to me if an attacker found a password written on a
post-it note, they'd find "cookies" as well.

Now I can see why this route was chosen -- most of the other factors require some hardware -- and distributing any sort
of physical device is not an option.

My questions:
-Is my analysis correct?
-Are multiple shared secrets any more secure?
-What viable solutions are there?
Thanks!

[0] http://www.ffiec.gov/pdf/authentication_guidance.pdf

--
rsd@...
SDF Public Access UNIX System - http://sdf.lonestar.org

-------------------------------------------------------------------------
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of
sensitive data - personal, medical and financial - are exchanged, and
stored. Consumers expect and demand security for this information. This
whitepaper examines a few vulnerability detection methods - specifically
comparing and contrasting manual penetration testing with automated
scanning tools. Download "Automated Scanning or Manual Penetration
Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
--------------------------------------------------------------------------


Re: Two-Factor Authentication on the Web

by Peter Morgan-3


I find your analysis to be correct.  Multiple shared secrets seem
marginally more secure than a single shared secret.  You are correct
in identifying this solution as "not two-factor" as two-factor is by
definition something you have, and something you know.  I.e. token and
password/passphrase.

The viable solutions I can think of off the top of my head are:
smart cards
tokens
a type of PKI using digital certs

Since smart cards would require the user to have a smartcard reader,
that is likely not an option.  Tokens are pretty popular and they're a
great way of doing two-factor, also not as expensive as you might
imagine.  There are lots of articles on why PKI isn't as great as
everyone chalks it up to be, but nevertheless if you can find a
product that works well for you, you can sign a cert and give it to
your clients, and they will be able to authenticate based on
"something they have, and something they know" (digital
cert/password).

I do not know names of PKI products off the top of my head
unfortunately as we deal mostly with token-based two-factor.

Hope this helps,
Pete

--
Peter J. Morgan
Information Security Analyst
Exceed Security
Appleton, Wisconsin





Re: Two-Factor Authentication on the Web

by Lou Cipher


Multiple shared secrets are not any more secure. In fact they
inconvenience the user.

If you don't want to distribute hardware tokens, take a look at
https://www.entrust.com/eval/demoguard/ (Identity Guard by Entrust)
or Software Tokens by RSA.

The Identity Guard is a real 2-factor authentication solution, but
instead of a hardware token it uses a paper card with numbers on it.
Each banking customer will have a unique card. However, unlike the
hardware token, the attacker can xerox the Identity Guard without the
knowledge of the user. But this is still a far better solution than
using the "2 shared secrets" scheme.

Software Tokens by RSA merely protect against password replay attacks.

-
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------



Re: Two-Factor Authentication on the Web

by Andrew van der Stock


The guidelines are about protecting consumers, their identities, and
the value of the transaction, not generally access to the account
itself or saving your firm's bottom line. So instead of worrying
about adopting yet another stale technology which does not solve
phishing or identity theft, seize the opportunity to move to the next
step and reduce identity theft and fraud.

Q&As (shared secrets) are truly appalling. They should not be used
under any circumstances. Most of the questions are on the public
record (DMV, voter registration records, births/deaths/marriages,
etc). Many of the others can be found using Google (what's my pet's
name... hint: you do not have to look hard. For extra points, what's
the color of my other cat?), and some questions like "what's your
favorite color" are usually "red" about 75% of the time, "blue" the
next 20% of the time, and then a smattering of other colors. Good
Q&As are open-ended questions which are hard to find out, with lots of
answers, but easy to remember... like where did you take your first
holiday. Which as a question sucks if you're a famous author like
Gerald Durrell (the answer is Corfu). So basically, once you
eliminate all the well-known Q&As, people CANNOT remember the answers
to them. Strike round one.

Online loan apps are particularly hard to secure - they are prime
phishing targets. If you know a lot about your customer already (as
in they already have a relationship with you), do NOT ask for any
information you already have, and do not show it. This makes it less
likely that phishers will target you.

IMHO, for online banking, the day of the password has been over for
about two years now. OTPs alone are rapidly approaching the same end
zone. However, you *should* be using one time passwords (i.e. token
login) with limited time outs for authenticating to your service, to
deter batched / delayed MITM and replay attacks. However, OTP will
not prevent phishing attacks logging onto your customer's accounts
and pharming the details found within.

So:

a) access to information inside the account which is useful in an
online loan application should be utterly minimized or completely
eliminated, or at worst only available via transaction
authentication. This diminishes the phishing information gathering
surface area for your app and phishers will choose weaker or stupider
targets

b) value transactions which are hard to reverse, such as pay anyone,
should be performed via transaction authentication. Your
institution's taste for risk will determine how often and which
destinations attract transaction authentication. My preference is do
'em all. But that might be a PITA. For example, paying a "bill" to a
Western Union destination is basically asking to be phished, whereas
paying a bill to a trusted utility which does not offer cash
reversals once a bill is overpaid is unlikely to be phished and you
may let that go.

c) Applications for credit should be rare enough that taking a hit
for an OTP or transaction authentication is a really good idea.

Always think in terms of authenticating the transaction, not the
person. The person should possess the means of authenticating the
transaction, such as a transaction signing calculator or mobile
phone. I am sure phishers will work out a script or scenario for
these babies eventually, but that day is not today.

Tokens which are capable of OTP and transaction signing are not that
much more expensive than pure OTP tokens, and they are cheaper than
USB connected tokens, which are no better than hard certs (i.e. smart
cards). Connected tokens are the devil's work, and should be avoided
as they do not prevent the user pressing "yeah, whatever" whenever
you ask for a transaction to be signed. That's not transaction
signing, that's a recipe for phishing, particularly if your app asks
for trx signing on a regular basis.

Pay Bill 1 - yeah, whatever.
Pay Bill 2 - yeah, whatever.
Pay Phisher - yeah, whatever.
Pay Bill 3 - yeah, whatever.

It happens in MacOS X, and it'll happen in Vista. It's human nature
not to read the security prompts. Make the human part of the
transaction, and not "yeah, whatever."

SMS texting works *really* well... As long as you have a solid way of
registering the mobile phone and as long as the local carriers have
phone cloning under control. Phishers think nothing of ringing up a
bored $4.95/hr help desk jockey, making several guesses as to
your pet's name and favorite color (red! no, blue!) and changing your
cell phone number to their own stolen or throw-away pre-paid phones.
Registering or changing the number should be done in person, with a
strong emphasis on showing lots of photo ID.

thanks,
Andrew
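As an added illustration of the distinction Andrew draws between a time-limited login OTP and authenticating the transaction itself (example code written for this page, not from any poster, token vendor or bank), the Python sketch below shows a login OTP that only proves possession of the device at login time beside a code bound to the payee and amount the customer confirms on a signing device; the seed, code length, 60-second step and field encoding are constructed assumptions.

```python
"""Login OTP vs. transaction-bound code (constructed demo, not a product)."""
import hashlib
import hmac
import struct

# Constructed placeholder seed shared by the bank and the customer's
# signing device; a real deployment provisions a per-customer secret.
DEVICE_SEED = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
STEP_SECONDS = 60   # a login OTP is only valid for this long (plus drift)
DIGITS = 6


def _truncate(mac: bytes, digits: int = DIGITS) -> str:
    """Dynamic truncation in the style of RFC 4226: pick 31 bits from the
    MAC and reduce them to a short numeric code the user can type."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def login_otp(seed: bytes, now: float) -> str:
    """Time-based login OTP. It proves possession of the device at login
    time but says nothing about what the session does afterwards."""
    counter = int(now // STEP_SECONDS)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac)


def canonical_transaction(payee: str, amount_cents: int, tx_id: int) -> bytes:
    """Unambiguous encoding of exactly the fields the device displays for
    the customer to confirm before it computes the code."""
    return f"{tx_id}|{payee.strip().lower()}|{amount_cents}".encode()


def transaction_code(seed: bytes, payee: str, amount_cents: int,
                     tx_id: int) -> str:
    """Code the device produces for one specific transaction."""
    mac = hmac.new(seed, canonical_transaction(payee, amount_cents, tx_id),
                   hashlib.sha256).digest()
    return _truncate(mac)


class Bank:
    """Server side: checks login OTPs within a short window and checks
    transaction codes against the submitted fields, refusing replays."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.used_tx_ids = set()

    def verify_login(self, code: str, now: float) -> bool:
        # Accept the current step and the previous one for clock drift;
        # anything older has timed out.
        for step_time in (now, now - STEP_SECONDS):
            if hmac.compare_digest(login_otp(self.seed, step_time), code):
                return True
        return False

    def verify_transaction(self, payee: str, amount_cents: int,
                           tx_id: int, code: str) -> bool:
        if tx_id in self.used_tx_ids:
            return False          # replay of an already-signed transaction
        expected = transaction_code(self.seed, payee, amount_cents, tx_id)
        if not hmac.compare_digest(expected, code):
            return False          # submitted fields differ from what was signed
        self.used_tx_ids.add(tx_id)
        return True


def demo() -> dict:
    """Walk through the cases discussed in the thread and return outcomes."""
    bank = Bank(DEVICE_SEED)
    t0 = 1_151_500_020.0          # constructed timestamp (start of a step)
    otp = login_otp(DEVICE_SEED, t0)
    # The customer confirms "ACME Utility", $45.00 on the device display.
    code = transaction_code(DEVICE_SEED, "ACME Utility", 4500, 1001)
    return {
        "otp_fresh": bank.verify_login(otp, t0 + 30),
        "otp_expired": bank.verify_login(otp, t0 + 3 * STEP_SECONDS),
        "tx_as_signed": bank.verify_transaction("acme utility", 4500, 1001, code),
        "tx_replayed": bank.verify_transaction("acme utility", 4500, 1001, code),
        "tx_payee_changed": bank.verify_transaction("someone else", 4500, 1002, code),
        "tx_amount_changed": bank.verify_transaction("acme utility", 450000, 1003, code),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18s} accepted={accepted}")
```

The login OTP is accepted by anyone who presents it within the window, which is why it does not stop a phished session from acting; the transaction code only validates for the exact payee, amount and transaction id the customer saw.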


RE: Two-Factor Authentication on the Web

by Harper.Matthew


Risk based authentication is the way to go.  Many companies offer this.
Similar to the way credit card companies monitor transactions for "odd
ball" stuff.

Matthew



Re: Two-Factor Authentication on the Web

by pand0ra


Risk Based Authentication is a good idea as it goes back to 'why spend
more on security controls than the value of the data'. I got to check
out Ira Winkler's speech the other week and he made an interesting
comment in that money for security, most of the time, comes out of the
IT budget. The problem with that is the cost of securing the data may
cost more than what the IT budget can afford. If you are responsible
for securing data that could cost tens or hundreds of billions, why
would you only use 5% of the IT budget to protect that investment?

That said, with all of the risks of personal information being stolen
these days it is not unreasonable to demand two-factor authentication
for banking web apps. Here is an excerpt from the FFIEC document (keep
in mind this whole document is for AUTHENTICATION):

Authentication Guidance (2001)
Summary of Key Points
The agencies consider single-factor authentication, as the only
control mechanism, to be inadequate for high-risk transactions
involving access to customer information or the movement of funds to
other parties. Financial institutions offering Internet-based products
and services to their customers should use effective methods to
authenticate the identity of customers using those products and
services. The authentication techniques employed by the financial
institution should be appropriate to the risks associated with those
products and services. Account fraud and identity theft are frequently
the result of single-factor (e.g., ID/password) authentication
exploitation. Where risk assessments indicate that the use of
single-factor authentication is inadequate, financial institutions
should implement multifactor authentication, layered security, or
other controls reasonably calculated to mitigate those risks.

This was appended not too long ago by the following document, which is
what is stirring up the banking community (in the US):
FIL-103-2005
http://www.fdic.gov/news/news/financial/2005/fil10305.html

Summary:   The Federal Financial Institutions Examination Council
(FFIEC) has issued the attached guidance, "Authentication in an
Internet Banking Environment." For banks offering Internet-based
financial services, the guidance describes enhanced authentication
methods that regulators expect banks to use when authenticating the
identity of customers using the on-line products and services.
Examiners will review this area to determine a financial institution's
progress in complying with this guidance during upcoming examinations.
Financial Institutions will be expected to achieve compliance with the
guidance no later than year-end 2006.

Highlights:

    * Financial institutions offering Internet-based products and
services should use effective methods to authenticate the identity of
customers using those products and services.
    * Single-factor authentication methodologies may not provide
sufficient protection for Internet-based financial services.
    * The FFIEC agencies consider single-factor authentication, when
used as the only control mechanism, to be inadequate for high-risk
transactions involving access to customer information or the movement
of funds to other parties.
    * Risk assessments should provide the basis for determining an
effective authentication strategy according to the risks associated
with the various products and services available to on-line customers.
    * Customer awareness and education should continue to be
emphasized because they are effective deterrents to the on-line theft
of assets and sensitive information.

Here is what I don't get:
"Where risk assessments indicate that the use of single-factor
authentication is inadequate, financial institutions should implement
multifactor authentication, layered security, or other controls
reasonably calculated to mitigate those risks."

What other controls, other than multifactor authentication, can
mitigate that risk?




--
Tim Van Cleave, CISSP, NSA IAM, CXE
AIM - pand0rausa
MSN - m0rt15
Yahoo - pand0ra_usa
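As an added sketch of the risk-based, layered control Matthew and Tim discuss (example code written for this page, not from either poster or any vendor), the Python below scores a login or payment request against what the institution already knows about the customer and decides whether to allow it, step up to OTP or transaction authentication, or hold it for review; the signals, weights, thresholds and sample customer are constructed assumptions, and the "phone number changed recently" signal reflects Andrew's help-desk scenario.

```python
"""Risk-based, layered authentication scoring (constructed demo)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class AccountHistory:
    """What the institution already knows about the customer."""
    known_devices: Set[str]
    known_countries: Set[str]
    known_payees: Set[str]
    typical_max_amount_cents: int
    phone_changed_days_ago: Optional[int] = None   # None: never changed


@dataclass
class Attempt:
    """One login or payment request as seen by the server."""
    device_id: str
    country: str
    payee: Optional[str] = None          # None for a plain login
    amount_cents: int = 0
    minutes_since_last_login: Optional[int] = None
    last_login_country: Optional[str] = None


# Weights and thresholds are illustrative assumptions, not figures from
# the thread or from any product.
STEP_UP_THRESHOLD = 40       # require OTP / transaction authentication
BLOCK_THRESHOLD = 80         # hold the request for manual review


def risk_score(history: AccountHistory, attempt: Attempt) -> Tuple[int, List[str]]:
    """Sum the signals that make this attempt look unlike the customer."""
    score, reasons = 0, []
    if attempt.device_id not in history.known_devices:
        score += 40
        reasons.append("unrecognised device")
    if attempt.country not in history.known_countries:
        score += 25
        reasons.append("country never used before")
    if (attempt.last_login_country
            and attempt.last_login_country != attempt.country
            and attempt.minutes_since_last_login is not None
            and attempt.minutes_since_last_login < 120):
        score += 50
        reasons.append("implausible travel since last login")
    if attempt.payee is not None and attempt.payee not in history.known_payees:
        score += 40
        reasons.append("first payment to this payee")
    if attempt.amount_cents > history.typical_max_amount_cents:
        score += 20
        reasons.append("amount above the customer's usual maximum")
    if (history.phone_changed_days_ago is not None
            and history.phone_changed_days_ago <= 7):
        # A just-changed number is what a social-engineered help desk
        # produces, so an SMS code alone should not settle this attempt.
        score += 30
        reasons.append("out-of-band phone number changed recently")
    return score, reasons


def decide(history: AccountHistory, attempt: Attempt) -> Tuple[str, int, List[str]]:
    """Map the score to allow / step_up / block_and_review."""
    score, reasons = risk_score(history, attempt)
    if score >= BLOCK_THRESHOLD:
        return "block_and_review", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score, reasons
    return "allow", score, reasons


# Constructed sample customer and sample requests.
SAMPLE_HISTORY = AccountHistory(
    known_devices={"browser-7f3a"}, known_countries={"US"},
    known_payees={"acme utility"}, typical_max_amount_cents=50_000,
)
PHONE_CHANGED_HISTORY = AccountHistory(
    known_devices={"browser-7f3a"}, known_countries={"US"},
    known_payees={"acme utility"}, typical_max_amount_cents=50_000,
    phone_changed_days_ago=2,
)
ROUTINE_BILL = Attempt("browser-7f3a", "US", payee="acme utility", amount_cents=4_500)
NEW_PAYEE_BILL = Attempt("browser-7f3a", "US", payee="new recipient", amount_cents=4_500)
NEW_DEVICE_LOGIN = Attempt("phone-c21d", "US")
SUSPICIOUS_PAYMENT = Attempt(
    "phone-c21d", "RO", payee="new recipient", amount_cents=250_000,
    minutes_since_last_login=45, last_login_country="US",
)


if __name__ == "__main__":
    cases = [("routine bill", SAMPLE_HISTORY, ROUTINE_BILL),
             ("new payee, phone just changed", PHONE_CHANGED_HISTORY, NEW_PAYEE_BILL),
             ("new device login", SAMPLE_HISTORY, NEW_DEVICE_LOGIN),
             ("suspicious payment", SAMPLE_HISTORY, SUSPICIOUS_PAYMENT)]
    for name, history, attempt in cases:
        decision, score, reasons = decide(history, attempt)
        print(f"{name:30s} -> {decision} ({score}): {', '.join(reasons) or 'no signals'}")
```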



RE: Two-Factor Authentication on the Web

by King, Stuart (REHQ-LON)


I concur with Andrew - shared secrets are not 2FA. I think some OWASP
guidance on implementing 2FA for web applications, and information about
some of the available options would be very valuable.



Re: Two-Factor Authentication on the Web

by nowen

Harper.Matthew wrote:

> Risk based authentication is the way to go.  Many company's offer this.
> Similar to the way credit card companies monitor transactions for "odd
> ball" stuff.
>
> Matthew

Seems to me that transaction analysis would be tough to do on a credit
application.  Where is the history? (I assume your company only does
online credit apps.) Any 2FA system might also be problematic: how do
you do the initial validation & credentialing?  If you can do the
initial validation securely, why not use that as the risk mitigation
method? Seems to me this is a good opportunity for a credit bureau to
partner with an authentication vendor to offer initial
validation/credentialing and 2FA.

nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen



Re: Two-Factor Authentication on the Web

by pand0ra

I don't see the credit bureaus jumping on that wagon. Currently there
is no risk to them and they are making money hand-over-fist because of
ID theft. Since there is no risk, why would they shell out tons of
money to come up with a solution for someone else's problem?
I do agree that the initial validation of someone's identity is
problematic. The document here is talking about authentication, which
is related to the initial validation, and trying to initially validate
every user through a definite means is impractical. Since names and
social security numbers and other similar concepts are labels that we
apply to ourselves, the only way I see that you can accurately validate
someone would be through biometrics (something you are). Granted
there can be issues with replay attacks, but it could be used for
initial identification. There is no way you can really validate
someone's identity without them being there in person (start the flame
war). Sure, you can lie when you go in, but the risk of being caught is
much higher. I see one of the problems being that a financial
institution has to find a balance that is cost effective and can
reasonably validate someone's identity remotely. Sorry about some of
the fragmented sentences, but I have had enough fun for one day.



RE: Two-Factor Authentication on the Web

by Christian Kanakis

Wouldn't biometrics be interceptable as data transmission packets and faked when used over a civilian network?

-----Original Message-----
From: Tim [mailto:pand0ra.usa@...]
Sent: Friday, 30 June 2006 9:04 AM
To: Nick Owen
Cc: Harper. Matthew; RSD; webappsec@...
Subject: Re: Two-Factor Authentication on the Web



Re: Two-Factor Authentication on the Web

by Andrew van der Stock


On 30/06/2006, at 4:03 PM, Tim wrote:

>  the only way I see that you can accurately validate
> someone would be through biometrics (something you are)

This is not possible, as:

All devices in general are tamperable and not trustworthy when in the  
hands of the attacker

Biometric devices have a long history of being little more than snake  
oil or toys. The good ones are significantly more expensive than ANY  
other form of actual 2FA authentication device

Many attacks against existing biometric devices are so trivial as to  
be a complete joke. Check out this page:

http://www.heise.de/ct/english/02/11/114/

Lastly, trustworthy biometric registration requires an in-person  
visit, thus negating any possibility of remote authentication.

No matter what 2FA device you use, evidence of identity is only as  
strong as the registration process. I'd prefer to see the initial  
registration (and recovery of registration) done only in-person.  
Otherwise the process is open to abuse by definition.

thanks,
Andrew


Re: Two-Factor Authentication on the Web

by Pete Herzog

Hi,

> What other controls, other then multifactor authentication, can
> mitigate that risk?

I was hoping to see a good answer to this question.

While there are quite a few ways one can "authenticate", the root
problem, to me, is Identification and Authorization, which make up
Authentication.  If the same source for Identification is used and the
same Authorization means is granted, then any additional authentication
factor really is kind of the same thing over the net.  Sure, a token,
dongle, fingerprint, timezone, location, software, etc. make the attack
more difficult, but if the attacker can usurp the identity and
the client, then the likelihood of attack success is very high.  Meaning, if you break
into the house and use the banking info on that computer to make the
attack, your success chances will be much higher.

An additional channel, whether it be SMS or telephone call-back, can
improve the chances of authentication, but this is still not even close to the
type of authentication one can get in person.

Further discussion, however, will show that physical presence is often
over-rated because the people who do the identification and grant
authorization can also be easily fooled.  The risk of getting caught is not
much higher for those people, but the speed to repercussion is. Over the
net, there is much less repercussion if denied: the difference between
"Access Denied" on-line and "Hey, wait a minute while I get my manager"
(as the guard approaches).

I've been doing a lot of research into Trusted Computing for the
OpenTC project and it's clear that TC may not have the answer either,
but it's not as bad.  At least it closes the link between person and
computer a bit better for the sake of identification.

I am interested in hearing from others though on replacement or
enhancement security for authentication where identification and
authorization are not weak links or the speed or level of repercussion
is up there with the physical world.

-pete.



Re: Two-Factor Authentication on the Web

by pand0ra

What I was trying to say is that you can only authenticate someone
through biometrics because it is something that they are. I do not
dispute that technology can be subverted or that people can be
manipulated. What I am trying to say is that a label (name, ssn)
cannot be trusted, especially nowadays. I feel the same in that
registration would have to be done in person but again that is
impractical. Again, I am not saying that the current biometrics
technology is an adequate solution. Just that the concept of
biometrics is the only way to validate someone's identity.

You seem to be very familiar with biometrics, can you provide some
examples of products that you have experience with that you would
consider to be a scam and what ones (regardless of expense) are
adequate?



RE: Two-Factor Authentication on the Web

by Lloydm

The best I have seen is the Digital Security Device used in conjunction with
username, password and pin# by www.kmdo.com.  The Pin and DSD#s (changes
every 16 seconds and good for only one access for each number) is never made
available online and does not reside on your computer for others who know
how to access.  I am confident this is 100% secure and access by anyone
other than the user is not possible.   Need to know more?  Go to:
https://app.kmdo.net/servlets/com.komodo.servlet.registration.RegistrationServlet?a=i

LM

-----Original Message-----
From: Pete Herzog [mailto:lists@...]
Sent: June 30, 2006 8:36 AM
To: Tim
Cc: Harper.Matthew; RSD; webappsec@...
Subject: Re: Two-Factor Authentication on the Web



RE: Two-Factor Authentication on the Web

by James Pujals

Hello:
But even when biometric authentication "works", it still does not prove my _identity_, it just proves that I am who *I said* I am, which is another thing entirely; and some might say this is its most obvious point of failure.  What's worse, as opposed to other 2-factor authentication methods (e.g. something I have, something I know), the "something I have" with biometrics, or as you say the "something I am", is not easily or practically replaceable if by chance it gets subverted.  And thus, given its inherent value and importance to its owner (I'm pretty sure we all want to keep all our fingers, eyes, etc.), the more value placed on the payload it guards (i.e. bank account, medical records, credit history, etc.), the higher the risk for its owner; as not only can someone clean up your savings account, but they will necessarily have to kill, maim, or otherwise molest you in the process.
 
       -dZ.

________________________________

From: Tim [mailto:pand0ra.usa@...]
Sent: Fri 06/30/2006 11:45
To: Andrew van der Stock
Cc: Webappsec Mail List
Subject: Re: Two-Factor Authentication on the Web



Re: Two-Factor Authentication on the Web

by pand0ra

The 3 factors of authentication are:
Something you have (i.e. a token, card, etc)
Something you know (i.e. a password)
or
Something you are (i.e. a fingerprint, DNA, etc)

"But even when biometric authentication "works", it still does not
prove my _identity_, it just proves that I am who *I said* I am, which
is another thing entirely;"
Umm... I don't follow. How could your DNA (I would waver on this one
since I heard somewhere that twins could have the same DNA),
fingerprint, retinal scan, etc., not be unique to you and only you? Nor
am I buying the movie version of someone getting their finger cut off
by a thief for access to their bank account, or maybe I am
misunderstanding what you are trying to say. Currently, with ID theft
you don't see bad guys walking up to people on the street, pointing a gun
at them and demanding their SSN or credit cards, do you?

Based on history, the tendency is to subvert the technology, not
attack people (in regards to personal information). Also, from what
some vendors have told me, the technology requires blood
pressure in order to work correctly (but I have read that it can be
subverted by silly putty). Remember I am not saying that the
technology is perfect; I am saying the concept of biometrics is what
can validate someone's identity because it is something of us.



RE: Two-Factor Authentication on the Web

by Gaydosh, Adam

>
>"But even when biometric authentication "works", it still does
>not prove my _identity_, it just proves that I am who *I said*
>I am, which is another thing entirely;"
>Umm... I don't follow. How could your DNA (I would waver on
>this one since I heard somewhere that twins could have the
>same DNA), fingerprint, retinal scan, etc, not be unique to
>you and only you?

I think the idea is that the concept of 'identity' which we are
attempting to authenticate is not an inherent characteristic of our
bodies, but something that has been officially associated with a given
biometric by the issuing authority, e.g. my SSN, Account Name, etc., are
not in my DNA.



RE: Two-Factor Authentication on the Web

by Glenn.Everhart

A biometric in practice is NOT your DNA, fingerprint, etc., but some data representation of
something like this, the way it gets used in computers. That can be tied to an individual PROVIDED someone is making very very sure that individual generates the signal that goes into the representation, and PROVIDED nothing is interfering with the translation. People leave their fingerprints and DNA all over the place, so that obtaining a fake input for a sensor is relatively easy. Also, how often do people using fingerprints actually watch those entering them, or better yet inspect their fingers? (Play-Doh fake fingerprints might show, but transparent ones made of gel?) Worst thing about biometrics is they must be guarded so that fakes cannot be gathered for ~100 years. I do not relish the prospect of needing to wear gloves the rest of my life, and have no idea how anyone could prevent collection of his DNA.

A signature is actually a better biometric in that it requires conscious effort to produce, and a copied one can sometimes be identified by pointing out it is identical to the original. Trouble is that it does not lend itself to electronic testing. I would suggest though that anything that is to be used as a "signature" should require conscious activity by the subject, which should make it harder for others or their mechanized agents to "authenticate" as someone without the someone's knowing.

Glenn Everhart

-----Original Message-----
From: Gaydosh, Adam [mailto:GaydoshA@...]
Sent: Sunday, July 02, 2006 6:10 PM
To: Webappsec Mail List
Subject: RE: Two-Factor Authentication on the Web


>
>"But even when biometric authentication "works", it still does
>not prove my _identity_, it just proves that I am who *I said*
>I am, which is another thing entirely;"
>Umm... I don't follow. How could your DNA (I would waver on
>this one since I heard somewhere that twins could have the
>same DNA), fingerprint, retinal scan, etc, not be unique to
>you and only you?

I think the idea is that the concept of 'identity' which we are
attempting to authenticate is not an inherent characteristic of our
bodies, but something that has been officially associated with a given
biometric by the issuing authority, e.g. my SSN, Account Name, etc...are
not in my DNA.  



RE: Two-Factor Authentication on the Web

by Popowycz, Alex


In reading this thread, one thing that strikes me is that there is an
inconsistent merging of the various aspects of the problem.  First,
IMHO, we need to recognize that each of us as carbon based life forms
have various identities, not just one.  I may have an identity as an
employee, a customer, etc.  That should remain unique and distinct from
the way that I can prove and re-prove that I am the "owner" of a given
identity consistently and with an appropriate level of integrity within
the context of what I'm trying to do.

So, given this is a two-factor authentication on the web thread, the
discussion is really based on increasing the integrity of the
authentication as compared to traditional single factor (e.g. static
password) methods.  Let's not confuse the notion that I may want to be
daffyduck@..., strongly authenticated (or strongly anonymous as
the case may be) vs. Joe Smith, credit card holder.  

Having stated that, there is a progression of means to increase the
integrity of the reuse and reverification of an established identity.
The combination of the two is what provides me the baseline of my
security decision.  But the answers of which security method is better
than another is relative for the purpose in which it's being used.  To
respond more specifically to the notion that biometrics "prove" or don't
prove who you are, they really only establish a verification to the
bound underlying identity in a fairly secure manner (when properly
implemented, see legal disclaimer below, your results may vary, not
available in every state so the exclusions may not apply to you)

-----Original Message-----
From: Gaydosh, Adam [mailto:GaydoshA@...]
Sent: Sunday, July 02, 2006 6:10 PM
To: Webappsec Mail List
Subject: RE: Two-Factor Authentication on the Web


>
>"But even when biometric authentication "works", it still does
>not prove my _identity_, it just proves that I am who *I said*
>I am, which is another thing entirely;"
>Umm... I don't follow. How could your DNA (I would waver on
>this one since I heard somewhere that twins could have the
>same DNA), fingerprint, retinal scan, etc, not be unique to
>you and only you?

I think the idea is that the concept of 'identity' which we are
attempting to authenticate is not an inherent characteristic of our
bodies, but something that has been officially associated with a given
biometric by the issuing authority, e.g. my SSN, Account Name, etc...are
not in my DNA.  



Re: Two-Factor Authentication on the Web

by Andrew van der Stock


My main concerns with biometric devices are:

they are extremely dangerous to clients for value transactions. People have already lost fingers to them (reference: http://news.bbc.co.uk/1/hi/world/asia-pacific/4396831.stm ). Therefore, they are completely unsuitable for high value transactions, as the danger to the client exceeds the value of the item being protected

the lack of backup credentials when a credential has to be repudiated (say your index finger has been copied using a gel copy, you have to re-enrol another finger. What happens if someone works out how to fake your face for a facial recognition device, such as using a photo of you? You have NO backup faces to enrol)

the relative expense of "good" (i.e. better than cereal toy decoder ring) biometric devices wastes valuable security investment when you can buy say 40 transaction signing calculators for the cost of a single relatively secure biometric device. If I had a million customers to enrol (and many of us work for places that have more customers than this...), I'd rather spend the 1/40th the money and get more trustworthy security, thanks.

Others have made the point that unless you strictly control the device and monitor enrolment, such as the US customs enrolment at airports, there is no safe way to remotely enrol and trust biometric authentication, particularly if the devices are trivially spoofable. And to date, they are trivially spoofable, most particularly the cheapest devices costing about 1.5-4 times the price of a trx signing calculator.

Lastly, biometrics when the false positive accept rate within your user population does not exceed tolerable levels. When you have a million customers, no biometric device today has the necessary false accept positive rate. Such a user base with the best devices has a few users who will authenticate as someone else, which if it was Joe Bloggs logging on to his finger print reader and gets unauthorized accesses a high value customer like Bill Gates, I'm sure the lawyers would have a feeding frenzy. Heads would roll, in a different sense to my first point.

thanks,
Andrew
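The last point above, that a per-comparison false accept rate which looks tiny becomes a near-certainty across a million enrolled users, can be worked through numerically. This is an added illustration, not code from the thread; the FAR value of 1e-4 is an assumed figure for a consumer-grade sensor, and the 1,000,000 population is the one the post mentions.

```python
"""How a biometric false accept rate (FAR) compounds over a large user base.

Added example: the functions below are not from the mailing-list thread.
FAR is treated as the per-template probability that an impostor's sample
is accepted, independent across templates (a simplifying assumption).
"""


def impostor_accept_probability(far: float, enrolled: int) -> float:
    """Probability that ONE impostor presentation matches at least one of
    `enrolled` stored templates (1:N identification, the "log on with a
    finger, no username" mode described in the post)."""
    return 1.0 - (1.0 - far) ** enrolled


def expected_cross_matching_pairs(far: float, enrolled: int) -> float:
    """Expected number of distinct user pairs whose templates accept each
    other, i.e. users who can authenticate as someone else by accident."""
    pairs = enrolled * (enrolled - 1) // 2
    return pairs * far


def max_far_for_target(target_prob: float, enrolled: int) -> float:
    """Largest per-template FAR that keeps the 1:N impostor-acceptance
    probability at or below `target_prob` for a population of `enrolled`."""
    return 1.0 - (1.0 - target_prob) ** (1.0 / enrolled)


def scale_report(far: float, enrolled: int, target_prob: float = 0.01) -> dict:
    """Summarise the exposure of a deployment at the given scale."""
    return {
        "enrolled": enrolled,
        "per_template_far": far,
        "impostor_1_to_n_accept": impostor_accept_probability(far, enrolled),
        "expected_cross_matching_pairs": expected_cross_matching_pairs(far, enrolled),
        "far_needed_for_target": max_far_for_target(target_prob, enrolled),
    }


if __name__ == "__main__":
    # Assumed FAR of 1e-4 (constructed figure) against the post's million users.
    for key, value in scale_report(1e-4, 1_000_000).items():
        print(f"{key:>30}: {value:.6g}")
```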
