Skip to content.
|Networking government in New Zealand.
You are here: Home » Standards » Interoperability (e-GIF) » Authentication Standards » Guidance on Multi-factor Authentication » 5. Detailed Discussion of Authentication Keys

5. Detailed Discussion of Authentication Keys

This section looks at the advantages and disadvantages of each of the authentication keys listed earlier and considers the attacks that specific authentication keys help to counter. Note that hardware tokens, software tokens and one-time passwords are usually used in conjunction with a password and/or a biometric and this is assumed to be the case in this Guidance. Such combinations result in at least two-factor authentication. Authentication keys, including ones not specifically covered by this Guidance, are discussed in [1, 4, 15-21].

Passwords

Description

A password is a secret that is shared by the verifier and the customer. It is usual for the verifier to keep the passwords protected on their system by storing them in encrypted or hashed form and in this form they may still be used in the authentication process. So the verifier usually only has encoded copies of the passwords. Passwords are normally made up from the characters available on a standard keyboard. Other options exist, such as visual passwords, but these are not widely used.

Advantages

  1. Password based online authentication is easy to deploy, as special software does not need to be installed on the customer’s computer.
  2. Password systems are familiar to customers, systems administrators and managers. The security and management issues are well understood.
  3. Passwords can (and should) be encrypted or hashed when stored on the verifier’s system. There is no need for them to ever reside on the verifier’s system in the clear (not encrypted or hashed).

Disadvantages

  1. People have difficulty recalling strong passwords and often forget them, adding to management overheads.
  2. People will use the same or similar passwords across different systems without regard for the risks involved: the systems may use different levels of protection for the passwords.
  3. People write down their passwords and leave the written copy in places that are accessible to others.
  4. People use passwords that are easy to remember, which often means they are also easy to guess (and so are weak passwords).
  5. People share their passwords. The sharing of a password does not stop the password owners from continuing to use their password. Those with whom the password is shared have access until the password is changed.
  6. An attacker may obtain a customer’s password without the customer being alerted. It is possible to implement customer self-audit functions (where the customer checks recent activity against their account) but the customer will not necessarily use these.

Attacks mitigated

The reality is that passwords alone do not mitigate any of the attacks listed in Table 2. Provided customers follow good password practices, password discovery, phishing, and shoulder surfing attacks can be mitigated. However, anecdotal evidence shows that a significant proportion of customers will not follow good password practices. Using communication channel protections can mitigate eavesdropper, replay and session hijacking attacks.

Attacks not mitigated

Some of the possible attacks are listed below. It is important to note that most attacks result in the attacker obtaining a copy of the password, a severe breach of the authentication system.

  1. Customer fraud – The occurrence of such attacks is difficult to determine, but invariably occurs to some degree. Most banks currently refund customers for disputed Internet banking transactions claims, some of which may be fraudulent.
  2. Insider attacks – The verifier or systems managers who have access to the password file may conduct such attacks. Even when the passwords are stored in encrypted or hashed form, passwords may still be recovered by conducting a dictionary attack on these files.
  3. Keyboard logging attacks – In the form of malicious code attacks, these have been used in New Zealand (see the section on trends). Hardware based key loggers have been used elsewhere, but are less common.
  4. Man-in-the-middle attacks – These attacks require the attacker to intercept the authentication exchange. The use of communication channel protection increases the difficulty of conducting man-in-the-middle attacks.
  5. Social engineering attacks – Examples of these attacks against passwords include shoulder-surfing and phishing attacks. Phishing attacks have become popular (see the section on trends) and such attacks can be mounted remotely and automated. Shoulder-surfing attacks have been adapted to take advantage of modern technology; these attacks are now being conducted via the use of hidden video devices.
  6. Verifier impersonation attacks – Attacks are possible even when standard communication channel protections are used (for example, with TLS, manually entering the URL and checking for the padlock does not entirely prevent such attacks). Verifier impersonation has been used in a number of phishing attacks.

Summary

Passwords have high customer and verifier acceptance, and such authentication systems are well understood. The problems with passwords result from them:

  • being based on a shared secret – to use multiple verifiers you need to have a different one for each verifier
  • relying on the customer’s memory and adherence to good password practices – if the password is use infrequently it may be forgotten and people do not generally follow good password practices.

Attacks usually work by obtaining the password. This is a severe breach of security as the attacker is then able to operate as the customer until the breach is discovered.

Hardware tokens

Description

In this Guidance, hardware tokens are viewed as being specialised hardware devices (with integrated chips) that protect cryptographic keys and perform cryptographic operations within this protected boundary. Here, it is assumed that the use of the hardware token requires the entry of a password or biometric so that the hardware token provides at least two-factor authentication.

NOTE – Hardware one-time password devices exist and share some of the properties of hardware tokens, see below.

There are many different hardware tokens, but the most important differences arise from the security functions supported and the protections provided for the cryptographic keys and operations. These protections are referred to as tamper resistance. Protections may include:

  • chip design that aims to thwart internal analysis
  • the use of glues that are stronger than the chip, so the chip breaks first when anyone tries to separate is from its casing
  • measures to prevent password experimentation
  • features to clear the memory or self-destruct if internal analysis attacks are detected.

The cryptographic functions of hardware tokens support strong mutual authentication between the customer and the verifier. Hardware tokens can be used for one-way authentication, but the analysis below assumes that mutual authentication is used; otherwise verifier impersonation and man-in-the-middle attacks are not mitigated.

Advantages

  1. Hardware tokens are physical objects, so a customer should notice if it is stolen.
  2. As the hardware device is used in conjunction with a password and/or biometric, the authentication solution is at least two-factor and possession of the device alone is not enough to authenticate.
  3. Some hardware tokens support the on-token generation of cryptographic keys and, if public key cryptography is used, such secrets can remain within the protected boundary of the token at all times. NOTE – It is important that sound generation methods are used, as cryptographic keys must not be predictable.
  4. Hardware tokens are comparatively well understood in terms of their tamper resistance. This is due to active research in this area over the last 10-20 years, which has led to design improvements. Ongoing analysis will lead to further improvements. This research provides confidence that developments in hardware token security are staying ahead of developments in attacks, at least in terms of tamper resistance. Similar research is occuring for hardware token APIs.
  5. Most hardware tokens come with warranties covering consumers against malfunction.
  6. Some tokens require a special reader. Although this adds to costs it does improve security. This is because the password or biometric can be entered through the reader, bypassing the customer’s computer, where it is exposed to key logger attacks.

Disadvantages

  1. Hardware tokens require special software to be installed on the customer’s computer.
  2. Some hardware tokens require special external hardware readers (the advantages of these are already discussed above), which increases the overall cost. This is being addressed as some computers now come with in-built readers and other form factors, such as USB tokens, that do not require special readers are becoming more widely available.
  3. Verifiers will need to install specialised software and/or hardware.
  4. Management for cryptographic keys, readers, tokens and associated passwords or biometrics must be implemented. These tasks complex tasks, but are critical for security.
  5. Research shows that people sometimes have difficulty using the functions of hardware tokens. Customer training would be required.
  6. If the hardware token is lost or misplaced by the customer, or it is broken, then the customer is unable to authenticate until it can be replaced.
  7. The token can be shared. This is easier when it is used with a password. Unlike the case for single-factor passwords, the legitimate owner must also give up their ability to authenticate, which can act as a deterrent to sharing.
  8. Some hardware tokens have internal batteries, which limits their lifetime.

NOTE – Such hardware tokens may come with additional protections based on the internal battery.

Attacks mitigated

As with passwords, using communication channel protections can mitigate eavesdropper, replay and session hijacking attacks. However, unlike passwords, the functions of the hardware token can be employed in these protections.

It is possible to mitigate almost all of the listed attacks using the hardware token functions, except those noted directly below. Although it would still be possible to mount a customer fraud attack, tamper-resistant hardware tokens are designed to defend against attacks where it is assumed that the attacker has control of the token. Customer fraud attacks are therefore less likely to succeed with hardware tokens than with the other authentication keys.

Attacks not mitigated

  1. Malicious code attacks – These attacks come in many forms. Hardware tokens are susceptible to malicious code attacks that can prompt the token for an authentication request. Even when the hardware token is protected with a password or biometric, the attackers code can either gather this data on entry or wait until the customer activates their token. To defend against the second attack, some hardware tokens require activation with a password of biometric at each use. However, such measures have poor customer acceptance. Although no authentication key provides complete protection against malicious code attacks, it is important to note that hardware tokens still provide good protection for the cryptographic keys: generally it is not feasible for them to be recovered by an attacker – effectively this means while in theory it is possible to extract the cryptographic keys, this would require significant knowledge, equipment and/or time resources.
  2. Insider attacks – Authorised insiders abusing their privileges may be able to obtain stored cryptographic keys. Additional protections need to be in place to prevent such attacks. NOTE – Cryptographic keys generated and stored solely on the hardware token and not susceptible to this type of attack.
  3. Specific cryptosystem or token attacks – Attacks against cryptosystems and tokens are occasionally discovered. Public attacks have so far come from the research community and have been addressed before any major security issues arise.

Summary

Hardware tokens are generally considered to support stronger security, but this comes with an increase in cost. Nevertheless, systems requiring a high level of security will invariably be based on hardware tokens, as the reduction of risks in this case justifies the costs.

Software tokens

Description

Software tokens are essentially software implementations of hardware tokens: pieces of software that protect cryptographic keys and perform cryptographic operations. Most vendors of hardware tokens also provide software versions. The major advantage is the lower cost. Again, it is assumed that the functions supporting mutual authentication are used and the software token is protected with a password and/or biometric so that it supports at least two-factor authentication.

Advantages

  1. Software tokens are portable in the limited sense that they may be copied onto other platforms provided those platforms have had the necessary supporting software installed.
  2. Distribution can be simpler when compared with hardware tokens, but still needs to be adequately controlled and administered to ensure security is not degraded. For example, software tokens could be encrypted and emailed. Then the system needs to support the recovery of the software token by the intended recipient.

Disadvantages

  1. As with hardware tokens, some training would be required for customers to correctly use and protect the software token.
  2. Software would need to be installed on the customer’s computer.
  3. Software tokens are more easily copied than hardware tokens. If an attacker can obtain a copy of the customer’s activation data (password and/or biometric), then the attacker may fraudulently authenticate. The customer may not even be alerted to the loss of their authentication key. Another option for the attacker is to wait until the software token is activated and copy the cryptographic keys while in use. The attacker may even be able to extract the activation data from the software token’s files or use these to conduct a brute force attack on a copied token.
  4. The owner can share a copy of their software token and activation data (again easier with passwords) without losing their ability to authenticate. The supporting software also needs to be available to those who take a copy.
  5. Verifiers will need to install special software and/or hardware, and implement management controls for the cryptographic keys and software tokens.

Attacks

In terms of attacks, software tokens are very similar in their capabilities to hardware tokens. The distinctions arise from the fact that a software token may be copied and/or the cryptographic keys gained without alerting the customer to the loss. Software tokens offer significantly lower capabilities in terms of protection for the cryptographic keys. A much wider variety of software attacks can be remotely launched and automated, whereas attacks on hardware tokens usually require gaining physical control of the token.

As software tokens are more susceptible to copying attacks, customer claims of compromise hold more weight; making customer fraud attacks more viable than with hardware tokens.

Summary

The main advantage of software tokens is the ability to obtain similar functionality to hardware tokens at a lower cost. Management and distribution overheads can be reduced. However, distribution procedures still need to be carefully managed to avoid degrading security.

The trade-off for lower costs is the copying attacks that become viable. The environment in which the software token will be used is therefore critical to accessing the risks. For example, using a software token in a controlled hardened computing environment does not pose the same sort of risk as using one in a cybercafé.

One-time passwords

Description

One-time password systems generate a series of passwords using special algorithms. Each password of the series is called a one-time password, as it can only be used a single time and it is distinct from the other passwords (or at least distinct with very high probability over a given cycle). There are many different one-time password systems available. The comments concerning hardware tokens above also apply to hardware one-time password devices, except those relating to communication channel protections. Tamper resistance varies across products and this market is still maturing in its use of tamper resistance features.

Many one-time password methods are based on a static base secret that is shared between the customer and the verifier. The series of one-time passwords is then generated using this base secret, a nonce (a value that is different with each authentication, preventing replay attacks) and a one-way function. These one-time password systems come as two basic variants, depending on whether the nonce is based on:

  • a time value – This requires the device to contain a clock and therefore a battery to run the clock. A window exists for which the one-time password can be used (from 30 seconds to a few minutes). Re-synchronisation procedures are employed to handle clock drift.
  • a counter – The counter is incremented at each use.

Solutions also exist that use a combination of these two variants.

Other systems are based on a collection of passwords shared between the customer and verifier that are generated and distributed by the verifier. In this case the collection itself is the base secret. Others use challenge/response with a shared or known function. The function may be simply a printed table or a more sophisticated system based on a one-way function. There is a range of one-time password systems available and the above is only a brief introduction.

Advantages

  1. One-time password systems can be easy to deploy and may not require any special software to be installed on the customer’s computer. NOTE – Some use one-time passwords generated on a hardware device that is communicated directly to the computer, say through a USB port. This option requires software to be installed.
  2. One-time password systems are generally acceptable to customers, due to their similarity to password systems.
  3. One-time password clock-based devices and challenge/response systems can be used across multiple systems (whereas counter-based solutions cannot without complicated re-synchronisation). It is necessary that these are trusted systems, as each has the capability to impersonate the customer to the others. In practice, clock-based systems may also require time synchronisation to work effectively.
  4. With hardware one-time password devices and printed lists, the customer is likely to notice the loss if they are stolen.

Disadvantages

  1. The verifier will need special software and/or hardware. Protected storage and management of the base secrets is required.
  2. A disadvantage with clock-based one-time passwords used across multiple systems is that there is a window of exposure: when a one-time password is used it can be used with any of the other systems if an attacker obtains it. Shorter windows reduce the scope of such attacks. Also, these attacks may be countered by protecting the communication channel.
  3. Most hardware one-time password devices do not provide the same level of tamper resistance, and thus protection for the base secret, as hardware tokens do. This may change in the future as the hardware one-time password device market matures.
  4. Systems based on shared printed tables, sometimes called bingo cards, have the same problems as written-down passwords: they may be copied or discovered and used without the customer’s knowledge. Loss of the authentication key itself is a much more severe breach of security than the loss of any single one-time password. NOTE – Shared tables exist that conceal the numbers under a coating, called scratchy cards, with the customer removing the coating to reveal each one-time password. These cards defend against copying attacks. They may still be stolen and used, although the customer would be expected to notice the loss of their card.
  5. With authentication key sharing, the extent of the problem here would relate to how easy it is to copy. If copying is easy, then the customer can share their authentication key without losing the ability to authenticate. If copying is not feasible, then this may deter customers from sharing their authentication key, as they must also give up their ability to authenticate.

Attack mitigated

One-time passwords in general mitigate replay, eavesdropper, key logger and shoulder-surfing attacks, because once a one-time password is used it cannot be used again. One-time passwords used across multiple systems cannot completely mitigate against these attacks without further protection measures being in place. Using communication channel protections mitigates session hijacking attacks.

Attacks not mitigated

Other attacks are not mitigated by one-time passwords themselves. Systems should employ further protections for the communication channel. The scope of customer fraud attacks would depend on the actual product (primarily this relates to the easy of copying and tamper resistance features). An important distinction with passwords is that a phishing attack only gains a single one-time password, which greatly decreases the scope of these attacks when compared to passwords.

Summary

One-time passwords systems are relatively simple to use and deploy. There is a wide variety of systems available that range from bingo cards through to hardware devices that compute the one-time passwords. There is therefore a wide range in their strength against attacks. All one-time password systems need to be used in conjunction with communication channel protections. As mutual authentication is not supported, verifier impersonation attacks are possible. This means there is some exposure to the phishing attacks, although the potential for success with such attacks is far more limited than with password systems. The exposure to coping attacks depends on the product.

Biometrics

Description

Biometrics rely on physical or behavioural characteristics of a person. The fingerprints, hand geometry, retina pattern, iris pattern, face, voice pattern, written signature dynamics and keyboard typing patterns of a person are just some of the examples. An initial record, called a template, is taken from a person. To authenticate, a biometric reading is taken and matched against their template. Readings and templates are discrete subsets of a person’s original biometric, with the reading being a smaller subset of the template. It is not practical to reverse the process from a reading or template to the original biometric (although it may be possible to construct a copy good enough to fool the authentication system).

As readings will not always be identical (due to environmental or other factors), the matching function must include a tolerance for discrepancies. Usability and security are balanced in any biometric system by adjusting this tolerance, namely by adjusting what are known as the false acceptance rate and the false rejection rate.

Advantages

  1. Biometric technologies are sometimes favourably compared with other authentication keys because it is not possible to forget them and they cannot be easily lent. NOTE – The metaphor “the body is the password” is often used by vendors. However, this is confusing, as passwords and biometrics are based on different factors and have somewhat different properties.
  2. Some biometrics are very stable; they do not change a great deal over the lifetime of the individual.

Disadvantages

  1. Unlike other authentication keys, biometrics are not based on secrets. Attacks to replicate some biometrics for individuals exist and are relatively low cost [22]. More expensive systems include additional protections against attacks, such as liveness checks that aim to determine if the reading is from a living person.
  2. Matching the biometric reading to the record can fail if the biometric is damaged or if the biometric changes. Biometrics vary in their stability and systems can use adaptation. Higher tolerances in the biometric system lead to lower assurance that the customer is who he or she claims to be (as the probability of false acceptance increases).
  3. Biometric authentication using an unprotected communication channel is insecure. So, further protections must be in place to secure the communication channel.
  4. Loss of biometric data (even from a reading) is a severe breach: not only does it have the same problem as for passwords (the attacker obtains the data and can authenticate at will, while the customer may not be aware of this loss) but, unlike a password, it is impractical to change the original biometric. As the biometric is personal information, the loss of even a subset may breach the customer’s privacy.
  5. Verifiers need to store the biometric templates and must use the original template to enable authentication. Therefore the biometric templates cannot be stored using a hash function. The templates can be stored encrypted, as then the record can be recovered for authentication. The storage and control of biometric templates by those other than the customer raises concerns about privacy and function creep. Again, any attacks against biometrics are more severe than attacks against other authentication keys, because the loss of even part of someone’s biometric data breaches their privacy and it is not practical to change a person’s biometric.
  6. A biometric stays largely the same over time. Indeed it is impractical to change them. For passwords and cryptographic keys, it is common security practice to change them within set timeframes in order to limit their vulnerability to discovery. Discovery with biometrics is quite different from secrets like passwords or cryptographic keys. However, the strength of cryptographic protections used to exchange biometric recordings needs to take into account the fact that they are (subsets of) personal information that is largely static.

Attack mitigated

Biometrics do counter keystroke logging, password discovery and shoulder-surfing attacks. By themselves, biometrics do not mitigate any of the other attacks listed in Table 2 and so additional protections need to be in place. For example, it is important to protect the communication channel.

Attacks not mitigated

As with passwords, the result of a successful attack is generally severe: the attacker obtains a copy of the customer’s biometric, a biometric reading, or the biometric template. Any may be used to fraudulently authenticate, potentially without the customer being alerted.

An additional problem is that the biometric cannot be replaced in the same way that other authentication keys can. Biometrics share many of the problems of personal information discussed following Table 1. Biometric information is:

  • restricted in scope
  • usually static (original cannot be changed)
  • degraded for authentication purposes as more organisations collect it
  • not secret and therefore vulnerable to being copied.

Summary

Biometrics have traditionally been used for local access control (for example, the photographs in passports). Their use is well established in such situations and the issues are understood. They are not well suited to remote authentication and need to be used in conjunction with other protections to ensure biometric data is not captured. This would include cryptographic authentication of the verifier (to avoid phishing of the biometric), requiring the customer to have at least a software token. This in part supersedes the use of a biometric-based authentication system for remote authentication.

Even when communication channel protections are used, biometrics are still susceptible to attacks that copy the biometric. Such attacks are likely to become more popular if biometrics are more widely used. Because biometrics are personal data, they have many of the problems relating to authentication methods that rely on personal information.

Privacy is an issue with regard to the storage, use and transfer of biometric data. The Biometrics Institute in Australia has a draft Privacy Code [23] that is currently being reviewed by the (Australian) Office of the Privacy Commissioner prior to final publication. The draft has already been issued for public comment. The Department of Internal Affairs is developing a similar document for New Zealand government agencies. This document is intended for release by late 2006. Further references and information for biometrics can be found in [24].

Remarks

In general, authentication keys cannot be cleanly delineated into the factor categories. For example:

  • Passwords can be used in the standard way, stored in a protected software module on a computer (usually protected using a master password), or stored on a hardware device. In the later two cases, the password is no longer something the customer knows, but something they have.
  • A one-time password can be generated by a customer using a known base secret. In this case, the authentication key is something the customer knows rather than has.

For simplicity, the above section has not considered these and other variants.

References relating protections for hardware tokens, software tokens and one-time password devices are included separately in Appendix A.

[ Previous ] [ Next ]