Alas, the language of this report is rather “dry” and formal. And the fivefold use of the word “authentication” in one short sentence is not the translator's clumsiness (of hand or of brain) but the authors' whim. When translating, faced with two options, to give readers a text closer to the original or a more readable one, I sometimes chose the first and sometimes the second. But be patient, dear readers: the content of the report is worth it.
Some insignificant pieces, unnecessary to the narrative, were removed; otherwise most readers would not have made it through the entire text. Those who want to read the report “without cuts” can do so in the original language by following the link.
Unfortunately, the authors are not always careful with terminology. Thus one-time passwords (One Time Password, OTP) are sometimes called “passwords” and sometimes “codes”. With authentication methods it is worse still. It is not always easy for an unprepared reader to guess that “authentication using cryptographic keys” and “strong authentication” are one and the same. I have tried to unify the terms as much as possible; besides, the report itself contains a section describing them.
Nevertheless, the report is highly recommended reading, because it contains unique research results and correct conclusions.
All facts and figures are given without any changes, and if you disagree with them, it is better to argue not with the translator but with the authors of the report. My own comments, however (formatted as quotations and marked in italics in the text), are my value judgments, and I will be happy to argue about each of them (as well as about the quality of the translation).
Here we see an illustration of the proverb “the peasant does not cross himself until the thunder strikes”. When experts warned about the unreliability of passwords, no one was in a hurry to implement two-factor authentication. As soon as hackers started stealing passwords, people began implementing it.
Private individuals, it is true, are far more active in adopting 2FA. Firstly, it is easier for them to calm their fears by relying on the biometric authentication built into smartphones, which is in fact very unreliable. Organizations have to invest in buying tokens and do the (in fact, very simple) work of rolling them out. And secondly, only the lazy did not write about the password leaks from services such as Facebook and Dropbox, whereas the stories of how passwords were stolen in organizations (and what happened next) are ones the CIOs of those organizations will not share under any circumstances.
The difference between the approaches of the Russian and the US and European legislators to protecting the personal data of users of programs and services is clearly noticeable. The Russians say: dear service owners, do what you want and how you want, but if your admin leaks the database, we will punish you. Abroad they say: you must introduce a set of measures that will make leaking the database impossible. That is why requirements for strong two-factor authentication are being implemented there with might and main.
True, it is far from certain that our legislative machine will not at some point come to its senses and take western experience into account. Then it will turn out that everyone needs to implement 2FA that complies with Russian cryptographic standards, and urgently.
It is impossible not to notice that receiving codes via SMS or push notifications, as well as generating codes with smartphone apps, is the use of those very one-time passwords (OTP) whose sunset we are being told to prepare for. From a technical standpoint the decision is quite right, because rare is the scammer who does not try to trick a one-time password out of a trusting user. But I think manufacturers of such systems will cling to the dying technology to the last.
For example, with “password + smartphone” 2FA, an attacker can authenticate by peeking at the user's password and making an exact software copy of the user's smartphone. This is much harder than simply stealing a password.
But if a password and a cryptographic token are used for 2FA, the copying option does not work: a token cannot be duplicated. The scammer would have to steal the token from the user unnoticed. If the user notices the loss in time and notifies the admin, the token will be blocked and the fraudster's efforts will be in vain. That is why the possession factor should use specialized protected devices (tokens), not general-purpose devices (smartphones).
Using all three factors would make such an authentication method quite expensive to implement and rather inconvenient to use. Therefore two of the three factors are commonly used.
The principles of two-factor authentication are described in more detail here, in the “How two-factor authentication works” section.
Let's take a closer look at these numbers. As we see, the percentage of private individuals using multifactor authentication grew by an impressive 11% over the year. And this obviously happened at the expense of password lovers, since the numbers of those who believe in the security of push notifications, SMS and biometrics have not changed.
But with two-factor authentication for corporate use, things are not so good. First, judging by the report, only 5% of employees were moved from password authentication to tokens. And second, the number of those in the corporate environment who use alternatives to MFA grew by 4%.
I'll try to play analyst and offer my interpretation. At the center of an individual user's digital world is the smartphone. So it is not surprising that most of them use the capabilities the device provides: biometric authentication, SMS and push notifications, and one-time passwords generated by apps on the smartphone itself. People usually do not think about safety and reliability when using their familiar tools.
That is why the percentage of users of primitive “traditional” authentication factors remains unchanged. But those who previously used passwords understand how much they risk, and when choosing a new authentication factor they settle on the newest and most secure option: the cryptographic token.
As for the corporate market, it is important to understand which system is being authenticated to. If login to a Windows domain is implemented, cryptographic tokens are used: support for using them for 2FA is already built into Windows and Linux, while the alternative options are long and difficult to implement. There you have the 5% migration from passwords to tokens.
The implementation of 2FA in a corporate information system, on the other hand, depends very much on the developers' qualifications. And it is much easier for developers to take ready-made modules for generating one-time passwords than to understand how cryptographic algorithms work. As a result, even extremely security-critical applications such as Single Sign-On or Privileged Access Management systems use OTP as the second factor.
Here the author is a little mistaken. Delivering one-time passwords via SMS has never been two-factor authentication. In its pure form it is the second stage of two-stage authentication, where the first stage is entering a login and password.
So, follow the plot. The American regulator rightly recognizes that the outdated technology cannot ensure users' safety and introduces new standards, standards designed to protect users of online and mobile applications (including banking). The industry wonders how much money it will have to pay for buying truly reliable cryptographic tokens, reworking applications, deploying a public-key infrastructure and “education”. On the one hand, users had been persuaded of the reliability of one-time passwords; on the other, attacks on NIST got under way. As a result, the standard was softened, and the number of hacks and thefts of passwords (and of money from banking applications) rose dramatically. But the industry did not have to shell out.
Wonderful logic. So is it really only AT&T's fault? No doubt the mobile operator is to blame for the fact that the salespeople in its retail store issued a duplicate SIM card. But what about the cryptocurrency exchange's authentication system? Why didn't they use strong cryptographic tokens? Were they sorry to spend the money on implementing them? And is Michael himself not to blame? Why did he not insist on changing the authentication mechanism, or use only those exchanges that implement two-factor authentication based on cryptographic tokens?
The introduction of truly reliable authentication methods is delayed because, before being hacked, users show amazing carelessness, and afterwards they blame anyone and anything for their troubles except their ancient and “leaky” authentication technologies.
When the Sberbank app on your smartphone blinks a green icon in the status bar, it is also searching for malware on your phone. The purpose of this exercise is to turn the untrusted execution environment of a typical smartphone into an at least somewhat trusted one.
By the way, the smartphone, as a completely untrusted device on which anything can be running, is another reason to use only hardware tokens for authentication, which are protected and free of viruses and trojans.
I have repeatedly encountered this type of fraud in person, for example when I tried to sell something on a popular online flea market. I myself had a good laugh at the scammer who tried to fool me. But alas, I regularly read in the news how yet another fraud victim “did not think”, gave away the confirmation code and lost a large sum. And all this because the bank simply does not want to bother implementing cryptographic tokens in its apps. After all, if something happens, the customers “are to blame”.
| Authentication | Factor | Description | Key Vulnerabilities |
| --- | --- | --- | --- |
| Password or PIN | Knowledge | A fixed value, which may include letters, numbers and other characters | Can be intercepted, observed, stolen, guessed or cracked |
| Knowledge-based authentication | Knowledge | Questions whose answers only the legitimate user can know | Can be intercepted, guessed, or obtained by social engineering |
| Hardware OTP | Possession | A special device that generates one-time passwords | The code can be intercepted and replayed, or the device can be stolen |
| Software OTP | Possession | An application (mobile, browser-accessible, or sending codes by e-mail) that generates one-time passwords | The code can be intercepted and replayed, or the device can be stolen |
| SMS OTP | Possession | A one-time password delivered via SMS text message | The code can be intercepted and replayed, the smartphone or SIM card can be stolen, or the SIM card can be duplicated |
| Smart cards | Possession | A card containing a cryptographic chip and secure key storage, which uses a public key infrastructure for authentication | Can be physically stolen (but the attacker cannot use the device without knowing the PIN; after several incorrect attempts the device is blocked) |
| Security keys (tokens) | Possession | A USB device containing a cryptographic chip and secure key storage, which uses a public key infrastructure for authentication | Can be physically stolen (but the attacker cannot use the device without knowing the PIN; after several incorrect attempts the device is blocked) |
| Device binding | Possession | A process that builds a device profile, often using JavaScript, or uses markers such as cookies and Flash Shared Objects, to ensure that a particular device is being used | The markers can be stolen (copied), and the characteristics of a legitimate device can be imitated by an attacker on his own device |
| Behavior | Inherence | How the user interacts with the device or program is analyzed | Behavior can be simulated |
| Fingerprints | Inherence | Stored fingerprints are compared with ones read optically or electronically | The image can be stolen and used for authentication |
| Eye scan | Inherence | Characteristics of the eye, such as the iris pattern, are compared with new optical scans | The image can be stolen and used for authentication |
| Face recognition | Inherence | Characteristics of the face are compared with new optical scans | The image can be stolen and used for authentication |
| Voice recognition | Inherence | Characteristics of a recorded voice sample are compared with new samples | The recording can be stolen and used for authentication, or the voice emulated |
Source: https://habr.com/ru/post/449442/