Thursday, September 27, 2007

Humanity versus Security - Part 2: MFA

This is the second installment in a multi-part series of articles discussing how security affects the 'human' aspect of computing. Security is a very important issue in computing in this day and age. This is especially true on systems that store or handle personal data about customers.

As such, we try hard to increase the security of our systems, making it more difficult for hackers or other unsavory people to acquire information they have no right to read. Sometimes, however, making systems more secure and less simple for users makes those systems less secure in the long run.

Multi Factor Authentication

Almost everyone is used to the standard form of authentication in the digital world: the password. It turns out, though, that there are multiple ways to authenticate someone. There are three very clear types of authentication:
Something you know - Such as a password or PIN (often referred to as "Out of Wallet")
Something you have - A physical object (such as your ATM card or RFID badge)
Something you are - Something about the actual user (such as a fingerprint or retinal scan)

Simply put, Multi Factor Authentication means using more than one of these to ensure that someone really is who they say they are. To count as MFA, a user must be authenticated by at least two of these categories. Authenticating twice from the same category is NOT MFA.

In 2005 the USA Federal Government mandated that all financial institutions must use MFA to reduce identity theft and increase the safety of members/customers while on the internet. This was in place outside the internet without anyone really noticing (such as your ATM card and PIN). They also require all financial institutions to use encryption.

The problem

The issue is that MFA is not easy to implement. It is a regulation that is not possible to satisfy at this point in time. The government has mandated a form of security that is not practical to implement. And more importantly, it is not something that most people want to deal with.

The simplest form of "something you know" is a password. This can take the form of a PIN, a password, your mother's maiden name, or a complicated passphrase. It is supposed to be something secure, something other people would not guess. It should be "Out of Wallet", meaning that it is not something that could be guessed by someone who compromised your wallet. But identity thieves are a tricky group. They can likely figure out your mother's maiden name easily using the internet, or perhaps observe you typing your PIN at the ATM. Not only that, but the whole system depends on the user picking a good, secure password.

"Something you have" is harder to implement. In the physical world these can be security badges, IDs, RFIDs, and cards with magnetic stripes (such as credit cards). On the internet it is not so easy; in fact it is downright hard. Currently, for high security systems (such as VPNs for large corporations or government), the users are given devices. Sometimes these devices are USB dongles, or smart cards. My personal favorite is the device that generates pseudo-random numbers. It generates a number (as does the server, using the same time-synced algorithm), which the user then enters. Mostly I just like that one because it feels very James Bond. Of course, it's not practical to give every customer/member one of these devices. This form of authentication is not useful for the mainstream audience over the internet.
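To show what the "time-synced algorithm" behind such a number-generating device looks like, here is an added example that is not part of the original article and does not describe any particular vendor's device. It assumes the widely used construction of an HMAC over a counter derived from the clock (the HOTP/TOTP scheme of RFC 4226 and RFC 6238), with a constructed demo secret; the server side accepts a neighbouring time step so that small clock drift between token and server does not lock the user out.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the shared key provisioned to both the token
# and the server. The value is the ASCII test key from RFC 4226 / RFC 6238;
# a real deployment generates a random per-user secret instead.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # how often the displayed number changes
DIGITS = 6          # length of the displayed number


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> int:
    """HMAC-based one-time password for a given counter value (RFC 4226)."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    binary = ((digest[offset] & 0x7F) << 24
              | digest[offset + 1] << 16
              | digest[offset + 2] << 8
              | digest[offset + 3])
    return binary % (10 ** digits)


def time_counter(unix_time: float, step: int = STEP_SECONDS) -> int:
    """Map wall-clock time onto the counter both sides agree on."""
    return int(unix_time) // step


def token_code(secret: bytes, unix_time: float) -> str:
    """What the hardware token displays at a given moment."""
    return f"{hotp(secret, time_counter(unix_time)):0{DIGITS}d}"


def server_verify(secret: bytes, submitted: str, unix_time: float,
                  drift_steps: int = 1) -> bool:
    """Server side: accept the code for the current step or an adjacent
    step, because the token's clock and the server's clock drift apart.
    Each comparison is constant-time so response timing leaks nothing
    about how many digits were right."""
    if not submitted.isdigit() or len(submitted) != DIGITS:
        return False
    base = time_counter(unix_time)
    for delta in range(-drift_steps, drift_steps + 1):
        expected = f"{hotp(secret, base + delta):0{DIGITS}d}"
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = token_code(DEMO_SECRET, now)
    print("token shows:  ", code)
    print("server accepts:", server_verify(DEMO_SECRET, code, now))
```

The drift window is the practical trade-off: a wider window tolerates worse clocks but gives an attacker more valid codes per guess, so production servers also rate-limit attempts and refuse to accept the same code twice.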

"Something you are" is indeed even harder. Usually this is implemented using biometrics, the most common being the fingerprint. It turns out, however, that fingerprint readers are easy to fool (and the methods to fool them were well publicized by Mythbusters). Voice recognition is not effective since it is a simple matter to record someone's voice. Retina scanners are bulky and expensive. It is almost impossible to use this kind of authentication over the internet. Not only that, but if biometrics are compromised, they are compromised forever (you can't simply change your fingerprint as you can a password). The best option is to give users a device that scans their fingerprint. This of course can't be given out to all the members of a financial institution.

So what do the banks and credit unions do? They require a password, your mother's maiden name, ask you what your first dog's name was, and a bunch of other questions. Is that MFA? No, it is not. Have I ever seen a true large-scale MFA solution? No, I have not. MFA is effective on a small scale only.

The biggest part of the problem, though, is that it is flat out annoying to have to jump through hoops to authenticate yourself. None of us wants the big bad wolf stealing our stuff, but we also don't want to live in fear, or to spend twice as much time just getting to our financial records. Why don't you frisk us when we walk into the nearest branch of our bank/CU while you are at it?

The Solution

Give up. No seriously, I mean it. MFA is not possible with our current technology. There are too many combinations of proprietary hardware out there to come up with a standard option (does that USB dongle work on Mac/Linux/Windows/iPhone/Blackberry/Wii?). We do not have the technology for everyone to be scanning, encrypting, and transmitting their fingerprints to servers for authentication. Devices get lost, fingerprints get lifted.

When possible we should encourage small-scale groups to use MFA, especially if they have access to other people's information. However, it is not practical to use MFA for every single user. Not only is it impractical, it's impossible. We should not be pushing regulations that are impossible to enforce. We should of course research how to implement MFA in the future, but we also need to recognize that what we use in most cases now is not MFA.

Most importantly, users should be encouraged to choose good passwords that are truly secure. Don't write your PIN on your ATM card. Don't tell everyone your password. Protect it.


jbfraz said...

How do you feel the continual push for MFA will impact member satisfaction levels for other products like Audio banking, handheld banking and improved email triggered Account inquiries?

Blue Sun said...

I don't like the push for MFA for any of the member services. Increased security is good, but at what cost? Are these increases in security actually making things secure, or just annoying our members?

I would love for someone to show me an MFA system that is easy for the members that increases security. But I have yet to see such an animal.

Blue Sun said...

Hey, here is a nice little article someone posted on a mailing list I frequent. I like it: