Two-Factor Authentication
Ebook, 131 pages (about 1 hour), Fundamentals Series


About this ebook

This book discusses the various technical methods by which two-factor authentication is implemented, security concerns with each type of implementation, and contextual details to frame why and when these technologies should be used. Readers will be provided with insight about the reasons that two-factor authentication is a critical security control, events in history that have been important to prove why organisations and individuals would want to use two factor, and core milestones in the progress of growing the market.

Language: English
Publisher: IT Governance Publishing
Release date: May 5, 2015
ISBN: 9781849287340
Author

Mark Stanislav

Mark Stanislav is an information technology professional with over a decade’s varied experience in systems administration, web application development and information security. He is currently a senior security consultant for the Strategic Services team at Rapid7. Mark has spoken internationally at nearly 100 events, including RSA, DEF CON, SecTor, SOURCE Boston, ShmooCon, and THOTCON. News outlets such as the Wall Street Journal, Al Jazeera America, Fox Business, MarketWatch, CNN Money, Yahoo Finance, Marketplace, and The Register have featured Mark’s research, initiatives, and insights on information security. Mark earned both his Bachelor of Science Degree in Networking & IT Administration and his Master of Science Degree in Technology Studies, focused on Information Assurance, from Eastern Michigan University. He also holds CISSP, Security+, Linux+, and CCSK certifications.


    Book preview

    Two-Factor Authentication

    MARK STANISLAV

    Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publisher and the author cannot accept responsibility for any errors or omissions, however caused. Any opinions expressed in this book are those of the author, not the publisher. Websites identified are for reference only, not endorsement, and any website visits are at the reader’s own risk. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.

    Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licenses issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publishers at the following address:

    IT Governance Publishing

    IT Governance Limited

    Unit 3, Clive Court

    Bartholomew’s Walk

    Cambridgeshire Business Park

    Ely, Cambridgeshire

    CB7 4EA

    United Kingdom

    www.itgovernance.co.uk

    © Mark Stanislav 2015

    The author has asserted the rights of the author under the Copyright, Designs, and Patents Act, 1988, to be identified as the author of this work.

    First published in the United Kingdom in 2015

    by IT Governance Publishing

    ISBN 978-1-84928-734-0

    FOREWORD

    If there is a more hated, feared, or otherwise misunderstood word associated with information technology than ‘password’, I don’t know it.

    My authentication-security baptism occurred in 1982 during my first commercial security project fixing the 30-line password algorithm of ACF2 (SKK, Inc.). Since then, I’ve only gone further down the rabbit hole of this critical area of information security.

    Because ACF2 was the leading mainframe security product, and the primary product protecting US and other Western governments, we were heavily involved with trust certifications. These included C2 and B1 levels of assurance documented in the ‘Orange Book’ in the noted ‘Rainbow Series’ from the Department of Defense (DoD).

    The ‘Green Book’ in the series dealt with password controls – this is where the commercial debate began in earnest. We at SKK, Inc. broke rank with our DoD counterparts and officially told our customers that the ‘Green Book’ controls were more dangerous than helpful for security.

    For instance, implementers were told to store the last ten passwords of an account to determine if password reuse was occurring. At the time, we believed that sticky-note sales would skyrocket with such guidance – little did we know just how accurate that prediction was. Against our customers’ desires, we refused to budge on this issue and instead decided to act.

    We opened our development doors inviting strong-authentication vendors to solve the problem. We introduced a new feature to ACF2/MVS 3.1.5 called Extended User Authentication Exit Facility, a.k.a. EUA Exit. The more notable companies we saw participate were Gordian Systems Inc., Enigma Logic and Security Dynamics. Today, these companies collectively represent the innovators behind many of the core one-time password (OTP) technologies you will read about in this book.

    I personally tried my hand with a biometric startup in 1987 called ThumbScan. Our dream could not get out of the lab so we pivoted to ‘plan B’ and bought the failing Gordian OTP product and patents. ThumbScan/Gordian unfortunately failed as well, but years later I tried again under the Value Added Systems Company (VASCO) flag and finally got it right.

    Ken Hunt, the CEO of VASCO, believed that security patents might be ‘important someday’, and I was still convinced the dreaded password was a scourge to computing. We set off in 1994 to change the world and this time we accomplished our goal by protecting banks across the globe – except for the US. We scratched our heads on that one for years.

    Even as products were refined over the years, the industry barely noticed. Sure, some of us were successful but in the grand scheme of things the problems far outpaced solutions – things got worse, not better. Considering that, why are passwords so damning still today?

    Foremost, the problem isn’t the idea of a password but rather that most passwords are created and managed by humans. A computer can generate and store a great password but humans will often create passwords that can be committed to memory. This leads to poor password selection and a high amount of reuse across systems.

    Second, the number of accounts being created and maintained has exacerbated the aforementioned problems. We’re at a point where a social network for knitting could have its passwords stolen and criminals will drain bank accounts around the US.

    Lastly, we have all underestimated pain thresholds – just how bad does it have to get? Our craziest fear-mongering marketers at VASCO couldn’t have written the headlines we see today. This last point, I’m afraid to say, is still with us, but a divide is happening where competitive advantages will separate winners and losers along trust lines.

    The FIDO (Fast IDentity Online) Alliance – a not-for-profit consortium focused on open standards and interoperability around authentication security – has done a fantastic job in bringing many stakeholders to the table with the stated objective of killing passwords. Does anyone believe passwords will actually be ‘killed’? Of course they don’t. Can we bring far better solutions collectively to the industry than any one company? Absolutely.

    The industry call to action is that application owners become activists. While no one entity can solve this, a class of entities can. It takes an activist, however, to start the ball rolling and two notable FIDO participants are PayPal and Google. When application owners realise that millions of
