guard against card fraud   c a r d - f r a u d . c o m  | home | consumers | merchants | banks, issuers & processors | about us |    
identity theft credit card fraud

        User Authentication: Know who you're letting in

COMMON AUTHENTICATION MECHANISMS

Username/Password
This is the most common form of authentication. A username and a password are used to verify the user; free email sites use this form of authentication. The strength of this method lies in how private and protected the username and the password are. Publicly available usernames, such as a phone number or email address, expose the customer to the risk of fraud, particularly from people who know them. Financial websites that use this form typically use the Social Security Number, account number or a user-generated name as the username. Financial websites often specify parameters that the password has to meet, such as minimum length and types of characters. They may also set passwords to expire after a certain time period. It is also good practice to send a notice to the email address on file whenever the password is reset.

The primary basis for security in this form of authentication is the password. This form is also known as one-factor authentication and is a weak authentication process. As people tend to use the same usernames and passwords for different sites, this method is not among the more secure. Some websites tweak this process by adding a third input, such as a PIN or ZIP code. This makes brute-force or forgery attacks more difficult, but does not help against replay attacks such as data capture or interception, or against a total break.

Revolving Questions
This is a further improvement upon the username/password form of user verification. In this method a third question is asked. The third question is chosen from a set of questions, such as ZIP Code, first 4 digits of the Social Security Number, last 4 digits of the Social Security Number, last 3 digits of the ZIP Code, etc. Since the attacker typically does not know in advance which question will be asked, captured information cannot be replayed reliably: it will permit access sometimes, but not every time. The probability of getting through depends on the number of questions available to be chosen from. However, this method is still open to compromise by individuals who know the customer.

Variable PIN Pad
In this method, the user is presented with a PIN pad on the screen. Below each number is a letter. The user has to enter the letters that correspond to his PIN into a text box. The letters presented below each number change very frequently. This is similar to the revolving question process, but reduces the probability of getting through exponentially. This method will also be compromised if someone is able to guess the user's PIN.
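As an added example (not code from the original page), a server-side implementation of the variable PIN pad in Python. It assumes the ten letters shown under the digits are distinct and that a fresh mapping is drawn for every login attempt; the last function quantifies the replay claim above by computing the chance that letters captured under one pad also pass under the next.

```python
import hmac
import math
import secrets
import string

DIGITS = "0123456789"


def new_pad_mapping() -> dict:
    """Draw a fresh digit -> letter mapping for one login attempt.

    Assumption (not stated on the page): the ten letters are distinct,
    so each PIN digit translates to exactly one letter.
    """
    pool = list(string.ascii_uppercase)
    chosen = [pool.pop(secrets.randbelow(len(pool))) for _ in range(10)]
    return dict(zip(DIGITS, chosen))


def expected_response(pin: str, mapping: dict) -> str:
    """What the legitimate user should type for this pad: the PIN digits
    translated through the letters shown beneath them."""
    return "".join(mapping[d] for d in pin)


def verify_response(pin: str, mapping: dict, typed: str) -> bool:
    """Server-side check of the typed letters against the stored PIN and
    the mapping issued for *this* attempt (constant-time comparison)."""
    return hmac.compare_digest(expected_response(pin, mapping), typed.upper())


def replay_success_probability(pin: str) -> float:
    """Chance that letters captured under one pad also pass under a fresh,
    independent pad: every distinct PIN digit must land on the same letter
    again, i.e. 1 / (26 * 25 * ...) over the number of distinct digits."""
    k = len(set(pin))
    return 1.0 / math.perm(26, k)
```

The mapping must be kept server-side per attempt and discarded after use; a PIN with repeated digits gives the attacker fewer letters to match, which the probability function reflects.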

Two Factor Authentication (TF-A)
Two-factor authentication requires two forms of authentication to access a system. Typically one factor is something the user knows, like a password or PIN, and the second factor is something they have, like a hardware token or credit card, or a biometric such as a fingerprint or retinal pattern. Examples would be an ATM transaction, where the card is the second factor; RSA's SecurID; an IBM ThinkPad or PayByTouch with a fingerprint reader; or Entrust's IdentityGuard, which uses a card-sized grid.

Since the second factor usually changes with time or is tied to the user, replay attacks are thwarted. This protocol is more expensive to implement as the second factor needs to be incorporated.

Challenge Questions
In this verification process, the user is presented with a series of 'out-of-wallet' questions to which only he or she will know the answers, such as car loan or mortgage information. A fraudster holding the user's driver's license and Social Security card will not be able to answer these questions. Strikeforce, Experian and LexisNexis offer such services. These services are expensive and also cumbersome for a customer to go through at each login. Currently, they are better suited to account creation or to the step before changes are made to personal information.

Multi-Protocol Authentication
A separate communication channel, such as a telephone or cell phone, is used to confirm a login attempt. Strikeforce and iverify offer such services. Like challenge questions, this method is expensive and places a higher burden on the consumer.

Many websites use cookies to store and reuse authenticators. A temporary cookie (stored only as long as the browser is open) should be used. For authenticators stored in user cookies, the cookie expiration field should not be relied on: since the client is responsible for enforcing expiration, malicious software can modify the lifetime. Even after a cookie has expired, if the authenticator was stored and leaked, it can be reused. It might be necessary to store recently used authenticators and verify that new ones are not replays. The secure flag on cookies should be set to true so that they are transmitted only over SSL.
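An added Python sketch (not the page's own code) of the cookie handling recommended above: the server tracks each authenticator's expiry itself rather than trusting the cookie's expiration field, remembers retired authenticators so a leaked copy cannot be replayed, and emits a session cookie carrying the Secure flag. The store, token format and lifetime are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthenticatorStore:
    """Server-side record of issued authenticators (session tokens).

    The server, not the cookie's own expiry field, decides when a token
    stops working, and retired tokens are remembered so a leaked copy
    cannot be replayed after expiry or logout.
    """
    lifetime_s: int = 900
    active: dict = field(default_factory=dict)  # token -> (user, expires_at)
    retired: set = field(default_factory=set)   # recently expired/used tokens

    def issue(self, user: str, now: float) -> str:
        """Mint a fresh random token and record its server-side deadline."""
        token = secrets.token_urlsafe(32)
        self.active[token] = (user, now + self.lifetime_s)
        return token

    def check(self, token: str, now: float):
        """Return the user behind a valid token, else None. An expired or
        retired token is refused whatever lifetime the client's cookie claims."""
        if token in self.retired:
            return None                       # replay of a dead authenticator
        entry = self.active.get(token)
        if entry is None:
            return None                       # never issued here
        user, expires_at = entry
        if now >= expires_at:
            self.retire(token)                # server-enforced expiry
            return None
        return user

    def retire(self, token: str) -> None:
        """Invalidate a token (logout or expiry) and remember it as used."""
        self.active.pop(token, None)
        self.retired.add(token)


def set_cookie_header(token: str) -> str:
    """Session cookie for the token: no Expires/Max-Age, so the browser
    drops it when closed; Secure, so it travels only over TLS. HttpOnly
    (not mentioned on the page) also keeps page scripts from reading it."""
    return f"Set-Cookie: auth={token}; Path=/; Secure; HttpOnly"
```

The retired set should be pruned once a token is older than any cookie could plausibly still carry it, otherwise it grows without bound.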

