Osterman Research, Inc.
P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA
Tel: +1 253 630 5839 • Fax: +1 253 458 0934 • [email protected]
www.ostermanresearch.com • twitter.com/mosterman

An Osterman Research Executive Brief, published June 2012: A Better Method of Authentication

A Better Method of Authentication

Jan 16, 2015


Organizations need highly secure authentication under IT’s control, coupled with an access method that is very easy for users – especially users on mobile devices. This executive brief discusses the problems with current authentication systems and offers an overview of a more advanced and more secure system of authentication.
Transcript
Page 1: A Better Method of Authentication

A Better Method of Authentication

An Osterman Research Executive Brief
Published June 2012
Sponsored by

Page 2: A Better Method of Authentication

©2012 Osterman Research, Inc. 1

A Better Method of Authentication

EXECUTIVE SUMMARY

Conventional authentication using passwords based on alphanumeric characters and punctuation is fraught with difficulties and security risks:

• Users often will write down passwords and/or use the same password on multiple systems, increasing the risk to corporate application and data security.

• When left to determine their own level of password strength, users often will opt for short or simple passwords that are easy to remember, increasing the likelihood that systems can be hacked.

• Users forget passwords, prompting them to call a help desk or use password-reset systems, which can increase support costs and reduce user productivity.

• The Bring-Your-Own-Device (BYOD) phenomenon is making the problem worse because IT has even less control over access to corporate systems and data – and the authentication methods used to access them.

Organizations need highly secure authentication under IT’s control, coupled with an access method that is very easy for users – especially users on mobile devices. This brief discusses the problem with current authentication systems and offers an overview of a more advanced and more secure system of authentication.

THE NEED FOR IMPROVED AUTHENTICATION

TRADITIONAL AUTHENTICATION WORKS REASONABLY WELL FOR TRADITIONAL SYSTEMS

The wide range of authentication methods currently used in most organizations runs the gamut from simple, inexpensive and relatively insecure to complex, expensive and highly secure:

• Usernames and passwords are the most common approach and often used for relatively low-security systems. Although inexpensive to deploy and familiar for users, this method provides a fairly low level of security.

• Challenge/response systems that require answers to security questions that have been previously populated in the system are often used as a second layer of authentication or for a higher level of access.

• Even more secure systems may use one-time password tokens, out-of-band authentication, seals, and certificate-based authentication.

• The highest security solutions may employ multiple factor or biometric authentication, such as a user’s fingerprint, face, iris, or some other physical attribute to grant access.

The level of security that an organization selects for a particular system or application will depend on several factors, including the sensitivity or confidentiality of the data being accessed, the trustworthiness of the individual accessing the information, the venue from which the accessor is attempting to enter the system, the device from which the user is accessing a system, and other factors. For traditional access of a corporate system from a desktop or laptop computer from behind a corporate firewall using a standard keyboard, these access methods work reasonably well.


Page 3: A Better Method of Authentication


EVEN SO, THERE ARE PROBLEMS

Despite the relative ease with which users can access traditional systems using these authentication methods, there are problems with them:

• Users often forget passwords and need to contact a help desk or automated system for a password reset, which increases support costs within the organization.

• Users will typically employ the same passwords on multiple systems so they do not have to remember a unique username/password combination for each system they access, thereby degrading the overall security of access to corporate data.

• Users will often remain permanently logged in to various systems to avoid the difficulties associated with traditional login procedures.

• Many users write down passwords because they are too difficult or too numerous to remember.

• Static, text passwords are susceptible to keylogger malware and dictionary-style brute-force attacks.

• Finally, a perennial problem is that users employ passwords that are far too simple so that they can remember them more easily, making life for hackers that much less difficult.

DATA BREACHES ARE A SERIOUS PROBLEM

There have been numerous data breaches in which usernames and passwords have been stolen. According to the 2011 Data Breach Investigations Report by the US Secret Service and Verizon, the exploitation of default or guessable authentication credentials is one of the most common causes of corporate data breaches and was a factor in nearly 35% of the data breaches investigated in the report [i]. For example, LinkedIn suffered a breach of 6.5 million passwords in mid-2012, hackers compromised the account credentials and information for 24 million Zappos customers in early 2012 [ii], and in mid-2011 Sony suffered a leak of more than 100 million user passwords and account information in a series of data breaches. It’s estimated that the data breach cost Sony at least $171 million to clean up and users did not have access to their accounts for more than one month.

The Sony password breach, in particular, underscored one of the fundamental problems with a large proportion of current login credentials: weak passwords that are easy for hackers to guess. For example, an analysis of the Sony breach [iii] revealed that among the most commonly used passwords were “123456”, “password”, “seinfeld”, “winner” and “michael”. Moreover, the analysis found that some of the breached passwords had as few as four characters, with the two most common password lengths being six and eight characters.

THE PROBLEMS ARE MUCH WORSE FOR MOBILE DEVICES

Although users of traditional authentication find passwords to be a burden when using desktop computers or laptops, the problems are much worse for mobile users. Entering long strings of text and numbers using a mobile keyboard is not easy, particularly when a combination of upper and lower case characters must be entered. When “strong” passwords are required – involving eight or more characters including upper and lower case letters, numbers and symbols – the problems for mobile users multiply, including mistakes entering characters that may lock users out after a limited number of retries. When authentication becomes too burdensome, users opt instead for weak passwords or they leave their devices permanently logged in, which puts data security at risk.


Page 4: A Better Method of Authentication


The BYOD phenomenon that is prevalent in just about every organization today is exacerbating the problem. Because users often employ their own devices to access corporate data, IT has less control over the devices and, in some cases, the authentication methods that are used for access. Among the problems introduced by the BYOD phenomenon are:

• Few users – only about 30% according to a Sophos study [iv] – employ passwords on their mobile devices because typing multiple, non-alphanumeric characters on a miniature keyboard introduces yet another difficulty when using the device.

• A large number of mobile devices are lost or stolen – two million per year according to one source [v]. Adding to the problem of lost devices is the propensity of those who find lost devices to search through them. For example, the Symantec Smartphone Honey Stick Project found that when a phone is lost, 89% of those recovering it will search through the phone for the owner’s personal information [vi].

• Tablets, in particular, represent another problem because these devices are increasingly becoming multi-user devices, often shared among the employee’s family members. This emphasizes the critical importance of protecting corporate applications or data using password protection to ensure that family members do not inadvertently access, delete or modify important information or unknowingly introduce spyware or key loggers onto the device.

THE RISKS OF POOR AUTHENTICATION ARE SIGNIFICANT

Cumbersome authentication methods for mobile access tempt users to choose weak passwords or stay logged into corporate systems. This creates some potentially serious consequences, including a greater likelihood of losing intellectual property if someone loses a device or if a hacker can determine one’s username/password combination. Data breaches can also result, triggering expensive mitigation efforts as a result of statutory notification requirements: 46 of the 50 US states now have data breach notification laws that require notification of affected parties in the event personal data is lost or stolen.

A NEW APPROACH TO AUTHENTICATION

Organizations need a better way to authenticate users to corporate systems and applications in order to protect against the problems discussed above. They need an approach that is much easier for users to remember than traditional passwords, and easier to enter on mobile devices, one that is inherently more secure than text passwords, and one that will motivate users to follow best practices for strong authentication on every device and for every application.

One way to do this is to use dynamic, image-based authentication instead of static alphanumeric characters. Confident Technologies offers a unique authentication technology in which users pre-select authorization categories that will be used to generate a one-time password. For example, a user may select “dogs”, “fish” and “cars” as the categories they will have to identify. When a user needs to authenticate – on a mobile phone, in a desktop application or on an iPad, for example – a randomly generated grid of images is presented to the user. The user simply selects the appropriate images that correspond to his or her pre-determined categories, which only he or she knows, and access is granted as if a conventional password had been entered. The specific pictures presented to the user are different every time, which allows the technology to create a unique, one-time access code. Although the pictures are different every time, the user will always look for their same categories (dogs, fish and cars, in this example).

THE BENEFITS OF USING IMAGES

Using dynamic, image-based authentication offers a number of advantages over the use of conventional passwords:


Page 5: A Better Method of Authentication


• Because humans think in pictures, it is far easier for people to remember categories and recognize images than remember passwords, particularly complex passwords consisting of long strings of alphanumeric characters and symbols. For example, one study [vii] found that image-based authentication resulted in 100% recall even after 16 weeks, compared to lower recall for Personal Identification Numbers (PINs) or passwords after the same length of time. This reduces password resets and eliminates the motivation for people to choose weak passwords or use the same password on multiple systems.

• When users are presented with a grid of images, the display can jog users’ memories of which categories they initially selected as their authentication categories. In essence, the authentication secret is hidden in plain sight and only the user knows how to recognize it.

• Authentication using images is much easier than entering characters on a mobile device keyboard, particularly a smartphone. With images, the user can simply tap a few pictures – no need to type on a tiny keypad or switch back and forth among multiple keypads.

• The level of authentication required can easily be matched to the security or sensitivity of the application or data being accessed without the problems inherent in making users remember multiple passwords. For example, a system or data repository that requires minimal security might present a user with a grid of nine images from which he or she must identify two of their predetermined categories. A more secure system might require the user to identify three of their categories on a grid of 16 images, while a highly secure system might require identification of four categories on a grid of 25 images.

• An image-based authentication system is more resistant against dictionary attacks and keystroke-logging malware. Because the specific images and their location on the grid are different each time, keystroke-logging malware is not useful to potential hackers, and because text passwords are not used, dictionary attacks simply don’t apply.

• The creation of a one-time password – more difficult in conventional password schemes, but much easier with an image-based system – provides a greater level of security than any static password.

• As with conventional authentication systems, a lockout feature can be enabled if the user enters the wrong images in a certain number of attempts. A “KillSwitch” feature can also be enabled, where a user can designate a specific image category as an automatic lockout. If a hacker or a bot selects an image associated with the KillSwitch category, the account would be immediately locked and/or it would trigger a security alert. These features prevent brute-force attacks and can dramatically reduce the impact of losing a mobile device or having an unauthorized user attempt to hack into the corporate network to steal data.
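The following Python sketch is an added example, not code from the brief or from Confident Technologies. It models the scheme as the brief describes it: the server builds a random grid in which every category appears once (using the three profiles quoted above, 2 of 9, 3 of 16 and 4 of 25), checks the user's taps against the pre-selected categories, and applies both the attempt lockout and the KillSwitch category. The image catalogue, image ids, category names and the three-failure limit are constructed assumptions; the guess-probability function shows why the lockout feature is essential rather than optional.

```python
import secrets
from dataclasses import dataclass
from math import comb
from typing import Optional

# Constructed catalogue with hypothetical image ids: each category holds three images.
CATEGORIES = [
    "dogs", "fish", "cars", "birds", "boats", "trees", "flowers", "planes", "cats",
    "horses", "bridges", "clocks", "shoes", "hats", "books", "cups", "keys", "lamps",
    "chairs", "doors", "bikes", "trains", "apples", "pears", "moons", "stars", "rivers",
]
CATALOGUE = {c: [f"{c}-{n}" for n in range(1, 4)] for c in CATEGORIES}
_rng = secrets.SystemRandom()  # grid layout must be unpredictable, so no random.Random

# Profiles quoted in the brief: (grid size, number of categories the user must identify)
PROFILES = {"minimal": (9, 2), "secure": (16, 3), "high": (25, 4)}

@dataclass
class Account:
    secret: tuple                     # pre-selected categories, e.g. ("dogs", "fish")
    killswitch: Optional[str] = None  # category whose selection locks the account
    max_failures: int = 3             # assumed lockout threshold
    failures: int = 0
    locked: bool = False

def make_grid(account: Account, grid_size: int):
    """Build one challenge: returns (image ids to show, server-side id -> category map).
    Every category appears exactly once; the secret categories and the KillSwitch
    category are always present and the remaining cells are filled with decoys."""
    fixed = list(account.secret) + ([account.killswitch] if account.killswitch else [])
    decoys = [c for c in CATEGORIES if c not in fixed]
    chosen = fixed + _rng.sample(decoys, grid_size - len(fixed))
    answer = {_rng.choice(CATALOGUE[c]): c for c in chosen}  # random picture per category
    shown = list(answer)
    _rng.shuffle(shown)                                     # random position per picture
    return shown, answer

def verify(account: Account, answer: dict, selection) -> str:
    """Check a selection against the challenge; returns "ok", "retry" or "locked"."""
    if account.locked:
        return "locked"
    chosen = set(selection)
    picked = {answer.get(img) for img in chosen}            # unknown ids map to None
    if account.killswitch and account.killswitch in picked:
        account.locked = True                               # KillSwitch: lock at once
        return "locked"
    if picked == set(account.secret) and len(chosen) == len(account.secret):
        account.failures = 0
        return "ok"
    account.failures += 1
    if account.failures >= account.max_failures:            # conventional lockout
        account.locked = True
        return "locked"
    return "retry"

def guess_probability(grid_size: int, n_categories: int) -> float:
    """Chance that one random pick of n cells is right when each category appears once.
    Two of nine is 1 in 36 per attempt, which is why the lockout matters."""
    return 1 / comb(grid_size, n_categories)
```

With these assumptions the per-attempt guess probabilities for the three profiles are 1/36, 1/560 and 1/12650, so the attempt counter and KillSwitch, not the grid alone, are what stop a bot from cycling through selections.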

USE CASES

There are a number of use cases for image-based authentication of the type discussed above. For example:

• Physicians and clinicians can use image-based authentication as a secondary form of authentication for single sign-on systems when accessing patient records or hospital records on their personal iPads or other mobile devices they bring into the organization. This is much easier and faster than using passwords on mobile devices and allows access to be compliant with the Health Insurance Portability and Accountability Act (HIPAA). Because a physician or clinician may need to log into patient or other records 50 or more times per day as they make their rounds, the speed and convenience offered by image-based authentication is very beneficial.


Page 6: A Better Method of Authentication


• Users who must access corporate systems frequently – salespeople, police officers, warehouse managers, etc. – can use image-based authentication as their primary authentication system, as a secondary method for single sign-on systems, or as a means of easily regaining access to a system after it has timed out.

• Corporate IT departments could partition employee-owned mobile devices in order to separate corporate applications and data from personal apps and data, granting access to the former using image-based authentication. This would allow IT to manage access to the corporate partition and remotely wipe it if the device was lost, eliminating most of the consequences of a data breach.

• The use of image-based authentication can be integrated with geolocation data, triggering the use of an image grid for authentication only when a user was in an insecure location, such as when accessing a corporate application via a public Wi-Fi hotspot or elsewhere beyond the corporate firewall.

• Looking down the road a bit, image-based authentication could also be an effective method of preventing unauthorized purchases from a mobile device when used as an “e-wallet”, a practice increasingly common in Scandinavia and elsewhere.

WHO SHOULD BE THINKING ABOUT THIS?

Better authentication benefits everyone:

• Users, who will find it easier to access corporate systems without having to remember complicated, strong passwords; and who will be more motivated not to bypass secure access to corporate systems and data.

• Their employers, who will run less risk of users bypassing authentication methods for the sake of convenience or otherwise engaging in poor security practices, such as choosing weak passwords, writing down passwords or using the same password on multiple systems. Stronger authentication practices help businesses to reduce the risk of security breaches, data loss, privacy violations, etc.

• Mobile application developers, who can build greater security into their applications without imposing burdensome authentication processes on end users.

ABOUT CONFIDENT TECHNOLOGIES

Confident Technologies, Inc. provides intuitive and secure, image-based authentication solutions for websites, Web applications, mobile applications and mobile devices. The company’s image-based authentication solutions enable organizations to increase security without sacrificing ease-of-use. Using patented, image-based authentication technology, Confident Technologies helps organizations:

• Improve the ease-of-use for user authentication on websites, applications and enterprise systems.

• Protect confidential data and online accounts.

• Improve the customer's online experience, driving loyalty and increased revenue.

• Decrease IT costs and support costs related to authentication and password issues.


Page 7: A Better Method of Authentication


• Meet compliance with regulatory requirements for strong authentication.

Image-based authentication can be used as a stand-alone replacement for traditional authentication methods including passwords, tokens, smart cards and security challenge questions. Confident Technologies' solutions can also be used in conjunction with other authentication tools to provide a layer of strong, multifactor authentication and out-of-band authentication.

© 2012 Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.

[i] http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf
[ii] http://www.usatoday.com/tech/news/story/2012-01-16/mark-smith-zappos-breach-tips/52593484/1
[iii] http://flowingdata.com/2011/06/13/analysis-of-passwords-in-sony-pictures-security-breach/
[iv] http://www.usatoday.com/tech/news/story/2012-03-22/lost-phones/53707448/1
[v] http://www.infosecisland.com/blogview/13078-The-Rise-of-Smartphones-and-Related-Security-Issues.html
[vi] http://www.symantec.com/content/en/us/about/presskits/b-symantec-smartphone-honey-stick-project.en-us.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2012Mar_worldwide_honeystick
[vii] http://www.netaro.info/~zetaka/publications/papers/awasee-UBICOMP2005.pdf