Multi-factor authentication

The Accredited Standards Committee X9 develops American National Standards for the financial services industry. One of these standards, ANS X9.49, Secure Remote Access Mutual Authentication, is undergoing its mandatory 5-year review now. In a recent X9 meeting when we discussed updating this standard, we had an interesting discussion about exactly what “multi-factor authentication” is. Everyone agreed on the two following points:

  1. It’s not really defined in any standard

  2. The generally-accepted definition and its interpretation is really the result of vendors’ marketing efforts rather than anything substantial

Many books, articles, etc., define three “factors of authentication” which are typically defined roughly as:

  1. Something that you know, like a password

  2. Something that you have, like a token of some sort

  3. Something that you are, like a biometric

There’s clearly some fuzziness here because of the way these are defined. One type of biometric is a behavioral biometric, like biometrics that look at how you type on a keyboard or write with a pen. Within this framework, you could argue that a password is just a behavioral biometric that tests whether or not you can remember a particular string. You could even argue that proving possession of a cryptographic key, like you do in the X.509 authentication protocol, is just like a behavioral biometric that tests whether or not you can flip a coin and get a particular series of heads and tails, although you probably wouldn't get many people to agree with you at this point.

Multi-factor authentication is usually assumed to be a technique that uses more than one of these factors. It’s often claimed that multi-factor authentication is inherently more secure than single-factor authentication, but if you look at the history of this claim, it actually came from a vendor that wanted to make their multi-factor authentication product sound better than competitors’ products.

Is there any substance to this claim?

Let’s compare two authentication schemes:

Scheme A, which requires a username/password plus a biometric 

Scheme B, which requires two different username/password combinations

Which one is more secure, and why? Is there any reason to say that one is inherently more secure than the other? It is easy to force people to use reasonably strong passwords, but essentially impossible to get a biometric's false match rate down to the guessing probability of a strong password, so does using a biometric just because it is a different authentication factor really add anything? Or does it actually produce a weaker authentication scheme overall?

Nobody at the X9 meeting was convinced that authentication using two or more authentication factors is actually any more secure than authentication using two or more independent means of authentication that happen to be the same factor, so the updated standard will probably reflect this. I’m looking forward to seeing the comments on this when the document gets voted on.

  • Matt Flynn

    Interesting post Luther. I posted a few thoughts on my blog.
    http://360tek.blogspot.com/2009/04/on-multi-factor-authentication.html
    Isn’t the point of multi-factor mainly about subverting brute-force or other password-related attacks? I don’t think having users carry around two sets of credentials for each system will be nearly as secure as a traditional two factor solution.

    Reply

  • Luther Martin

    Matt,
    One problem with the claim that multi-factor authentication is inherently better in some way seems to be that there’s no clear threat model that it’s defending against. If you’re worried about an adversary beating two passwords out of someone, then you might think that two passwords are not as good as a password plus some sort of token. But if you also have a token that creates a new passphrase every minute or so, the same thugs that could beat the passwords out of someone could also take the unlucky person’s token from him. Or they could force the person’s thumb onto the thumbprint reader.
    If you’re just worried about defending against brute-force attacks, it seems that the chances of any particular random attempt at authentication succeeding is what’s important because that’s what tells you how likely a brute-force attack is to succeed. That’s how FIPS 140-2 compares authentication methods, for example. So if you have an FMR of 0.01% with a biometric, that’s what’s relevant. If you have a password, the chances of guessing it are what’s relevant.
    But if the chances of succeeding by a brute-force attack are the same for two means of authentication, why is using two different factors to authenticate any more secure than using two means of authentication that happen to be the same factor? If I have a 1 in 1 million chance of guessing a password and also have a 1 in 1 million chance of guessing the temporary passphrase that my hardware token shows me, don’t the two provide the same level of security?
    Luther

    Reply

  • Matt Flynn

    Well, you can’t brute-force attack a token that changes every minute. At least, not with today’s hardware. And a good token system would have a switch that disables the account after x number of attempts — and wouldn’t accept multiple logon attempts within that minute. So, it’s actually much more secure in reality than typical password systems.
    And you can’t brute-force a fingerprint because theoretically you would need to be local to the device.
    Sure, if you physically kidnap a person, you can beat biometric or just about any of these methods, but that’s a pretty unlikely scenario. I’m mostly thinking about remote hacker scenarios — maybe with use of a botnet to break a given account.
    And I don’t agree that “the chances of any particular random attempt at authentication succeeding is what’s important”. In a brute-force dictionary attack, you just keep trying passwords until one works. Adding the second factor makes that kind of attack impossible. Adding a second password would just make it take longer.
    I do agree that if guessing biometric fingerprint input is just as easy (same number of possible values) as guessing a password (and I doubt that’s true), then it’s no more *inherently* secure to use the biometric. BUT, I think that analysis leaves out the human element. It IS more secure in the real world. People carrying two passwords is less secure because they’re more likely to write them down or require resets (which are often sent via plain-text email).
    What do you think? I’m not claiming to know for sure – just thinking it through.

    Reply

  • Luther Martin

    Matt,
    I’ll admit that I’m looking at this through the bias of someone who thinks about cryptography too much. In that context, the strength of a key is determined by the work needed to find it, which is related to what your chances of guessing it at random are. The people at NIST who wrote FIPS 140-2 (more crypto people) seem to have the same bias, but that doesn’t mean that we’re right, or that it’s the only point of view.
    The reason that I like this point of view is that it provides a good way to compare the strength provided by different mechanisms.
    Suppose that you have a token that gives you a six-digit number that changes every minute. This means that an attacker has a 10^-6 chance of guessing it at random, and they have that same chance every time that they guess it. You could probably even create a botnet that would do this.
    With biometrics, the false match rate is probably the most relevant value. If I have a biometric with an FMR of 10^-6, that gives me the same strength as the token that I mentioned above, even though there are many more biometric patterns than 10^6. (This is actually fairly optimistic for a biometric that’s being used outside ideal conditions in a lab. An FMR of 10^-4 to 10^-5 is probably more realistic.) In this case, every time an attacker presents biometric data to the biometric device, they have a 10^-6 chance of being incorrectly authenticated.
    In each of these cases, there’s the same chance per attempt of a correct authentication as there is with guessing a six-digit password. So I can guess the number that the token is showing at any given time, or I can give a fake pattern to a biometric, or I can make a guess of the password, and each of these has the same chances of succeeding. I don’t know if this can be automated by a botnet. If a biometric authentication system is designed properly, it probably can’t.
    So if I give a user the same three strikes and you’re out in each of these cases, the chances of an attacker defeating each factor of authentication is the same.
    That may be a big assumption, of course.
    There are biometrics that you can pay lots of money for that don’t provide any more security than a four-digit PIN does, but they cost much more. In that case, why not save the money and use a password plus a PIN instead of a password plus a biometric?
    It seems that having a way to compare the strength of different authentication mechanisms provides a good framework for making decisions like this. If you don’t use such a metric, how would you compare the strength of different authentication systems? This method isn’t perfect, but I don’t know of a better way.
    I suppose that it all comes down to your threat model. My model assumes that an adversary can find a way to do lots of guesses and we try to keep his chances of succeeding at this low. Is there a better threat model to use?
    Luther

    Reply

  • Matt Flynn

    Interesting. I see how each method (bio, token, password) may be equally secure in the scenario of someone making a single random guess. But that scenario represents a limited viewpoint.
    If I had 3 attempts to crack a password, I wouldn’t try random characters. I would look for written notes, or take a guess of child names, sports teams, etc. That should improve my chances. I might also call the person and pretend to be helpdesk. Or put up a phishing site to capture the password. One-time use tokens can’t be beat with these techniques. So, they may be cryptographically as-secure. But, not as secure in practice.
    But, I get your point. Thanks for all the clarification.

    Reply

  • Jeff

    Hey guys this was an interesting thread. I just started up a blog recently and commented on this.
    http://identityproductmanagement.blogspot.com/
    Here is the meat of it…
    ~~~~~~~~~~
    A very thought provoking position and I 100% agree with Martin’s position that a uniform model is required to measure authentication strength. But there are a couple of points to throw into the mix…
    The basis of his claim is that a biometric has at best a 10^-6 FMR (false match rate), or a 1 in a million chance that you will be authenticated when you should not have been.
    Firstly, biometric systems are tuned to achieve certain performance metrics depending on the balance between security and convenience. It is possible to achieve a better FMR if you are willing to give up convenience (increase the FNMR). The FNMR measures the times you didn’t authenticate when you should have. If you tighten up the system you can drop the FMR drastically at the expense of a user possibly having to present their fingerprint more than one time when they should have succeeded the first time. The result is a much, much less likely chance that someone is incorrectly authenticated. The author’s model holds, and Scheme A wins out.
    Second, related to the biometric, this FMR is for a single finger print. A fingerprint is one kind of biometric and it is one of ten (generally) you have of that type. With two fingers it gets better, other biometrics (e.g., iris) it can be much better. Scheme A would be way better if the second factor is iris. Of course, there is a cost tradeoff here but the model does not take cost and convenience into account.
    The fourth point to make is where the authentication occurs. In scheme B the authentication is server side, making it much easier to attack. In scheme A with a biometric, or frankly with any OTP device, it needs to involve the local workstation, making it much harder to attack. An authentication strength model should take into account how easy it is to conduct an attack.
    The third point to make is the one of practicality. The subsequent discussion touches on this but doesn’t go much further. What is the real likelihood a user will remember two username/password combinations? More likely they will remember them by writing them down on a yellow sticky note attached to the monitor. It is harder to put this in a model, but it does suggest that getting at a password or two is much easier than we think it should be.

    Reply

  • Austin Carey

    Hello,
    My name is Austin, I have recently read one of your past Articles.
    I contract IT services to a company that owns exclusive marketing rights to a new multi-factor authentication product called Virtual Token ™ (formerly PhishCops®) that we will be pushing out into the public’s eye soon. I would like to see if I can get a professional opinion on our product and a general comparison to RSA’s current solution. We believe our product eliminates the current methods of phishing and stealing information via the simplest method possible: removing the personal information from the equation used in multi-factor authentication. Also, our product not only meets but exceeds the regulations handed down for multi-factor authentication.
    “Something the user has”
    “Something the user knows”
    A true multi-factor authentication, rather than a multi-tiered single-factor authentication.
    A link to our information site: http://www.sestus.com/vt
    I would sincerely appreciate you taking a look at this product and sending me a response as only you can.
    We have a few small banks interested in the product, However we would like to welcome “the big fish” banks also.
    I would like to thank you in advance for your time,
    My Contact information is as follows;
    -Austin D Carey
    acarey (a-t) portunitedinc (d-o-t) com
    (If you would like to, you may request additional contact information via email and I will gladly forward it on to you.)

    Reply
