The constant growth of e-commerce transactions puts to the forefront the security of critical Internet services, such as credit card payments and any other transfer of business information across the Internet.
Since a worrying variety of techniques is currently available for identity theft, the risk of fraud can never be deemed negligible. Among the set of security measures an IT professional should evaluate and apply to mitigate the risk of identity theft and fraud, multifactor authentication (also widely known as strong authentication) plays a key role.
Unfortunately, in spite of its prominence, little guidance is available on a correct implementation of strong authentication techniques. At present, neither a standard nor a commonly shared definition exists in workable terms.
Beyond the usual reference to authentication factors chosen among “something you know, something you own or something you are” that can be found in the few available sources, an in-depth analysis shows that the combination of factors, different in nature, is aimed at preventing the chance that a single vulnerability could undermine the security of the whole authentication procedure, thus allowing intruders to impersonate legitimate users. From this assumption, it follows that each selected authentication factor needs to feature sound security characteristics and that all factors should be truly independent, so that the compromise of one element does not impact the protection level offered by the other elements.
An analysis of well-known solutions claimed to be strong shows how tricky it can be to stick effectively to these requirements. For instance, with respect to certain possible attacks (and in absence of compensating countermeasures) a solution only based on a one-time password (OTP) could even be more vulnerable than traditional authentication via username and password.
A clear understanding of the strong authentication concept can be helpful in evaluating the features and the residual risk of the different solutions available; thus, pursuing stronger security is vital for critical services that are exposed over the Internet.
Read Alessandro Campi’s recent Journal article:
“How Strong Is Strong User Authentication,” ISACA Journal, volume 5, 2012