We live in a connected world, where accessibility, be it to the public content, financial or classified information, personal information or government data is ubiquitous. Building mechanisms that ensure safety of this information, limit access to the intended entity and hide information from the rest of the world has been one of the greatest challenges for technology providers. The importance of information security and the risks involved in its failure are big enough to justify the spending done on security. Technology enablers like cloud, mobility, Internet of Things (IoT) are expected to give an impetus to the growth of security spending.
In this paper we shall review the overall information security landscape and discuss one of the widely used security mechanisms, i.e. Two Factor Authentication, that is becoming commonplace.
Traditionally information security was limited to securing against viruses and authentication of the users. Authentication process has to verify the authenticity of the person logging into the system. While this basic security requirement remains unchanged, the proliferation of computing systems in all walks of business has increased the size and complexity manifold. The authentication process was limited to matching the credentials supplied by the user (a user name and a password) with the values stored in a database or Active Directory. Often authorization details were part of the applications themselves, and based on the roles assigned to a user, certain functionality was made available or unavailable to them. Largely the networked systems were self-sufficient and had little connectivity with the outside world.
Advent of internet and the technologies that are inseparable part of our computing environment today changed things forever in ways no one has imagined before. Here is a glimpse of the changing information technology landscape:
- Internet made interaction across computers possible irrespective of their geographical location
- Internet also paved way for the applications that were used by masses for their day-to-day activities like booking tickets, shopping, banking transactions, trading, etc.
- Data centers were pushed to the cloud from their controlled environments
- Internet became accessible from anywhere using smart hand held devices
- Wireless communication has enabled “things” such as sensors and devices to interact with their environment
- Risk of fraudulent activities forced governments to put regulations around information security
The above list is far from complete but is enough to establish the importance of security; we need it almost everywhere and while doing anything on internet. Different scenarios face different security challenges and, therefore, many authentication technologies have evolved to cater to them. Some examples are as follows:
- Security tokens: Small hardware devices in the form of a smart card or USB drive which has some unique keys stored in it
- Soft tokens: Software based security token applications that generate a single-use login PIN and are often used for multifactor mobile authentication
- Mobile authentication: Includes text message and phone calls sent to a user, One Time Password (OTP) apps for random generation of security key
- Biometric authentication: Methods like retina scans, iris scans, fingerprint scans, face & voice recognition, hand geometry scans, earlobe geometry scans etc. that leverages the individual’s biological signatures
- GPS based authentication: Depends on the smartphones that provides location as an authentication factor
Apart from these methods organizations also use smart cards which include magnetic chip/ strip regulating the access to office premises and restricted areas.
Two Factor Authentication
To use many of the secure services on the Internet today, like online banking, online shopping or email etc. one needs to establish one’s credentials for using such services. The process is known as ‘Authentication’. Traditionally, one of the most common ways of authenticating has been a username and an associated password. This approach is simple and susceptible to breaches. An attacker needs to guess or compromise a password and they get access to the person’s online account and information. If the same set of username and password is used for multiple accounts, the loss can be even more. This threat is real because we tend to have passwords that can be guessed and also because software programs can generate possible passwords and try them out.
For a better protection of customer/user details, accounts associated with banks etc. a stronger and more reliable method is required. One of the approaches is to use of more than one factor to authenticate. This type of authentication method is known as ‘Multi Factor Authentication’.
“Two-Factor Authentication” uses not only a password but adds another factor to it. The authentication factors of a two-factor authentication scheme typically include two factors – one which the user has and the other that the user knows. These may include:
- Some physical object in the possession of the user, such as a USB stick with a secret token, a bank card, a key, etc.
- Some secret known to the user, such as a username, password, PIN, TAN, etc.
- Some physical characteristic of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc.
- Some location the user has access to, such as a specific geographical location (GPS) or console terminal, etc.
How it works
Let us take a common example of two-factor authentication, an ATM card transaction. To do some transaction, you need to have something (your ATM card) and you need to know something (your PIN). If someone steals your ATM card, it is of not much use until they also know your PIN. Two-Factor Authentication works online in a manner similar to your ATM card and PIN combination. When you execute an online transaction you use your username and password. However, after you successfully provide the correct password, instead of going directly to your accounts the site requires a second factor of authentication, such as a verification code (a 4-6 digit OTP), that is often sent as SMS to your registered phone. If your password has been compromised, your account is still safe, as the attacker cannot complete the second step without having the verification code.
Figure 1: Two Factor Authentication
Various vendors have created mobile apps that use standard encryption mechanism and OTP generation logic for implementing Two Factor Authentication. Google and Microsoft both have downloadable apps that allow implementing it. The service provided (i.e. the program implementing the authentication) generates a secret key and that key when provided to the app will provide a 6 digit random code. This random code can be used by the user along with the password. The code is generated randomly and changes every few (20 to 30) seconds. So user has to submit the value within that timeframe.
One-Time Password Algorithms
There are two types of one-time password algorithms, Time-Based one-time password (TOTP) and HMAC-based one-time password (HOTP). The HOTP algorithm specifies an event-based OTP algorithm, where the moving factor is an event counter. It bases the moving factor on a time value. A time-based variant of the OTP (TOTP) algorithm provides OTP values, which will be valid for a short time and preferable for enhanced security.
HMAC-based One-Time Password Algorithm
This algorithm relies on two factors: a shared secret and a moving factor (counter). As part of the algorithm an HMAC SHA1 hash (hash-based message authentication code) of the moving factor will be generated using the shared secret. This algorithm is event-based, meaning that whenever a new OTP is generated, the moving factor will be incremented; hence the subsequently generated passwords would be different each time.
Time-based One-Time Password Algorithm
Similar to HOTP: it also relies on a shared secret and a moving factor, which works differently. In case of TOTP, the moving factor constantly changes based on the current time. The HMAC SHA1 is calculated in the same way as with HOTP.
The main difference between HOTP and TOTP is that the HOTP passwords can be valid for a certain time, while the TOTP passwords keep on changing and are only valid for a short window in time. Validity for a given short period makes TOTP considered as a more secure One-Time Password solution.
As a part of IGATE’s Research & Innovation group, we have worked on a Proof of Concept solution for two factor authentication. We developed a web application, which requires a TOTP for a successful login as a second factor of the authentication process. When a new user registers, the registration process generates a QR code of unique secret key based on user’s credentials. User can scan the QR code with the authenticator app on their smartphone (Android/ Windows phone). After scanning that code, the app generates a 6-digit Time-based One-time Password (TOTP) on demand. This code changes every few seconds. Post registration when a user tries to login, they have to provide the OTP along with the user id and account password. If there is any mismatch amongst these three credentials, login will fail. To make the process more fluid, we added one more feature to the application. If user doesn’t have a smartphone, server can send an email or a text message on registered mobile number by clicking on ‘Generate OTP’ button. Since the process is based on TOTP, the time on smartphone will be sync with the server time, only then the authenticator app will generate correct password.
Adoption of Two-Factor Authentication
Financial services institutions need to look at two-factor authentication, which offers the capabilities to keep identities, data and connections more secure, whether completing a transaction in a retail branch or via a mobile app. There is no significant adoption of two factors Authentication in North America and Europe. Adoption will need the support of compliance laws within one country.
In India, The Reserve Bank of India has played an important role in promoting the adoption of Two Factor Authentication and does not allow any circumvention of the same in transactions in which both payer and receiver of funds are Indians. For credit card transactions, when a credit card holder fills up the credit card number, the bank sends a ‘one time password (OTP)' on the registered mobile phone and helps complete the transaction when OTP is entered. With the requests for making electronic payments better, there are requests to relax the norms for Two Factor Authentication like not applying it for small value transactions or using near-field communication (NFC) technology etc. RBI has mandated that all the ATM transactions where the card is not available will continue to use Two Factor Authentication.
Peep into the Future
As discussed above, it is very clear that the speed at which online access of data is growing, more secure authentication processes will be required. In this article, we focused more on “TOTP” based “Two Factor Authentication”. Apart from this, there are many other ways to implement two factor authentication. It can be implemented with wireless sensors, mobile phones, personal computers etc. Recently Microsoft has introduced Windows Hello in its latest OS Windows 10. Windows Hello is a more personal way to sign in to your Windows 10 devices with just a look (iris scanner) or a touch (finger scanner).
In future, security would be part of our most of the activities- office work area, cashless counters in retail outlets, advanced vehicle control systems, financial transactions and so on. It will definitely be a daunting task to implement it and one solution will not fit all the problems. It might happen that an enterprise security system will be a synchrony of multiple security mechanisms. It will be an area of exploration and interest not only for the hackers, but more for the security architects and developers.