Out-of-band better?

Identity Blogger has an interesting post today on how HSBC is moving towards ‘out of band’ 2-factor authentication to improve the overall security of its banking services.  The bank wants to reduce the risks by having the customer enter their one time PIN over a phone channel.

The main risk is that of a compromised PC being used to enter the PIN, as it would be with RSA, Secure Computing, Entrust or most other solutions.  But hasn’t the trojan already got the easy secret, the password, and will it now only get the one-time password?  How is that improving the overall security for the session?  I suppose it assures HSBC that the second factor is collected on a ‘secure’ channel, thereby proving the user is who they claim they are…

Problem: I think my daughter, after much over-the-shoulder surfing, has my password figured out.  Last I checked she answers the phone in our house.  Fast forward a few years when she’s short on cash and going out for the evening (and perhaps not the angel she is today…) — does this proposed solution by HSBC now not make it easier for her to gain access to my account?

Of course, the main use case for HSBC would be two-factor for large value commercial transactions, so my teenage scenario may not apply.  But surely those who are interested in gaining access to such a commercial account can be just as cunning as a 14 year old…


Convergence is the prize…

I mentioned in the last post that we recently reviewed hardware and software that could work well for solutions that converged authentication, building access and (potentially) entitlements.  Two stood out from the rest: HID Crescendo cards and Aladdin’s USB eTokens.

Building access cards are ubiquitous in companies that have secured buildings and offices.  HID Corp. is the de facto building access solution (at least around here) and many large companies have a significant investment in HID products.  The Crescendo card has two proximity antennae and a smart chip for storing digital certificates or other data.  In our project, we were able to (quite easily) prove that the card would gain access to our building, and provide strong authentication during network login.  Other potential uses include:

  • Preboot authentication
  • Storage of entitlements, e-cash or other pre-payment data
  • Employee picture ID card
  • Disk encryption

Aladdin’s USB eToken has similar capabilities, albeit in a different form factor.  We proved that it can provide strong authentication to Windows using Aladdin’s replacement login utility.  It can support all the same features as the HID solution — yes, even a proximity component for building access is possible — except, obviously, the picture ID.

The point of this post isn’t to promote these products — there are others that can produce the same results — but rather to illustrate how technology can support convergence use cases.  Users don’t want a card for building access, another for picture ID, a fob for network access and a USB for pre-boot authentication.

Convergence of these capabilities into a single form-factor should be the goal for the simple reason that it increases acceptance of the IT security solution being implemented.  Greater acceptance = higher usage and better security.


Strong Authentication – and convergence

Recently, I had a mid-sized municipal government ask us to help them discover different technologies for strong authentication.  The great part about this project was that they were very keen to find out how the actual products worked – as a result we were immersed in gadgets and slick software for over two months.

The purpose of the project wasn’t to pick a solution or prepare requirements for a future tender.  Rather it was to enable the client to experiment with different solutions – and to validate the claims of assorted strong authentication vendors.  Another interesting aspect of this work was the inclusion of physical building access and transit entitlements, with the goal of uncovering what convergence options there were for this family of technology.

We had a solid lineup of vendors on our test bed: Entrust, Secure Computing, HID, Aladdin and RF Ideas.  Operating systems included Microsoft Server 2003 and Red Hat Linux.  We looked at USB tokens, fobs, grid cards, SMS messaging, proximity cards, smart cards and combination cards.  Much fun was had…

Over the next few weeks I’ll share some of the learnings of this project, but the first finding was this: Authentication, physical access and entitlement technologies can be converged into single solutions.