1. Executive Summary

This Guidance on Multi-factor Authentication examines the issues with the use of multi-factor authentication keys. It does not prescribe the use of any particular authentication key, as it has been developed as an information resource to supplement the Authentication Keys Strengths Standard [1], one of the New Zealand E-government Interoperability Framework (NZ e-GIF) authentication standards [2]. This Guidance is intended for anyone looking for further information on selecting multi-factor authentication keys, especially those with responsibility for information technology systems and their security.

Authentication consists of two processes:

  • evidence of identity
  • ongoing confirmation of identity, for example using a username and password to log on.

This Guidance focuses on the second process above.

Authentication keys are called multi-factor when they use more than one of the factors of authentication: something you know, have or are – where “are” in this context means a physical or behavioural characteristic of a person. The most common example of a single-factor authentication key is a password – something you know. Sometimes passwords, by themselves, do not provide sufficient confidence in the identity of transacting parties, and stronger forms of authentication, usually involving multi-factor authentication keys, are required.

Multi-factor authentication can improve security. However, this usually comes with an increase in cost and system complexity. For these reasons, the authentication key must be selected based on the risks to be addressed. Authentication key requirements are set out in the NZ e-GIF authentication standards. This Guidance assists with the selection of an authentication key by discussing the various merits of the following authentication keys:

  • passwords
  • hardware tokens
  • software tokens
  • one-time passwords
  • biometrics.

These authentication keys represent the major ones used today and are the ones identified in the NZ e-GIF Authentication Key Strengths Standard [1]. Passwords are common single-factor authentication keys and are included here for comparison.

Selection of an appropriate authentication key is only one aspect of securing online services. Agencies will also need to use other measures (briefly referred to in Section 3.2). In particular, agencies must comply with the manual Security in the Government Sector [3] and the New Zealand Government Information Technology Security Manual – NZSIT 400 [4].

A brief summary of each of the authentication keys discussed in this Guidance is included below. This Guidance assumes that one-time passwords, software tokens and hardware tokens are used in conjunction with a password or biometric, to deliver multi-factor authentication. This is normally (but not always) the case with these authentication keys.

Passwords

The use of passwords for authentication is widely established; both implementers and customers accept them, and the various issues are well documented and understood. However, password systems are susceptible to many attacks, and attacks against passwords are generally serious as they usually recover the password itself. Additional protections for the communication channel can be used to protect the password, but this still does not prevent all attacks.

Many security experts now regard passwords, by themselves, as insufficient for online authentication for anything other than low risk services. The NZ e-GIF authentication standards take this approach.

Hardware tokens

This Guidance regards hardware tokens as being specialised hardware devices that protect secrets (normally cryptographic keys) and perform cryptographic operations. The cryptographic operations support authentication of both parties and the protection of the communication channel used for the authentication exchange.

Drawbacks of hardware tokens, compared to other authentication keys, include:

  • increased cost, implementation and deployment complexity
  • reduced ease of use for customers.

Software tokens

Software tokens are essentially software implementations of hardware tokens and so share many of the advantages of hardware tokens. As with hardware tokens, software tokens support authentication of both parties and protection of the communication channel used for the authentication exchange.

The major issues with software tokens are:

  • the potential for them to be copied
  • they may be copied without the owner’s knowledge.

This results from the lack of a physical container protecting the secrets. The main advantage, compared to hardware tokens, is the lower cost.

One-time passwords

One-time password systems rely on a series of passwords generated using special algorithms. Each password of the series is called a one-time password as it is distinct from the others generated and can only be used once. A wide variety of one-time password systems exist that provide varying protection against attacks. Common advantages of one-time password systems are:

  • they are easy for customers to use
  • they have relatively low implementation costs and complexity, when compared to software and hardware tokens.

Some of the attacks used against traditional passwords are mitigated with one-time passwords. For example, with discovery attacks (attacks that recover passwords, such as phishing):

  • any (one-time) password obtained may be used only once
  • with some systems, the (one-time) password obtained can be used only within a very limited time frame.

Authentication of the verifier is not usually supported, which can be exploited in attacks. The exposure to copying attacks (where the one-time password device itself is copied) depends on the actual solution used.
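The two mitigations above (a captured code works only once, and only within a short time frame) as an added Python example that is not part of the guidance or of any NZ e-GIF product: an HMAC-based one-time password generator in the style of HOTP/TOTP, and a verifier that consumes each time step at most once. The 30-second step, 6-digit code and demo secret are assumptions.

```python
import hashlib
import hmac
import struct

# Assumed parameters (not from the guidance): a 30-second time step and a
# 6-digit code, the usual choices for time-based one-time passwords.
STEP_SECONDS = 30
DIGITS = 6


def otp_for_step(secret: bytes, step: int) -> str:
    """HMAC-SHA1 one-time password for one time step (HOTP-style truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class OtpVerifier:
    """Verifier-side check enforcing the two properties the text describes:
    a code is accepted at most once, and only within a narrow time window."""

    def __init__(self, secret: bytes, window_steps: int = 1):
        self.secret = secret
        self.window_steps = window_steps  # tolerated clock skew, in steps
        self.last_accepted_step = -1      # highest step already consumed

    def verify(self, submitted: str, now: int) -> bool:
        current = now // STEP_SECONDS
        for step in range(current - self.window_steps, current + self.window_steps + 1):
            # Steps at or before the last consumed one are never re-accepted: this is
            # the "used only once" property, and it blocks replay of an intercepted code.
            if step <= self.last_accepted_step:
                continue
            if hmac.compare_digest(otp_for_step(self.secret, step), submitted):
                self.last_accepted_step = step
                return True
        return False


def demo() -> dict:
    """Constructed scenario: legitimate use, a replay, a stale code, a fresh code."""
    secret = b"constructed-demo-secret"  # constructed; real secrets are random
    t0 = 1_700_000_000                   # fixed clock so the run is deterministic
    v = OtpVerifier(secret)
    code = otp_for_step(secret, t0 // STEP_SECONDS)
    return {
        "first_use": v.verify(code, t0),                 # accepted
        "replay": v.verify(code, t0 + 5),                # rejected: step already consumed
        "stale": v.verify(code, t0 + 5 * STEP_SECONDS),  # rejected: outside the window
        "next_code": v.verify(otp_for_step(secret, t0 // STEP_SECONDS + 1), t0 + STEP_SECONDS),
    }
```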

Biometrics

Biometrics are well suited to local access control (as with passports in border control) but not as well suited to remote authentication. One of the main reasons is that biometric data is personal data and significant privacy issues arise with the collection, storage and use of such information. With remote authentication, this means special care must be taken to protect transmitted biometric data.
