Three-factor Authentication

Apparently the National Australia Bank (NAB) are looking at moving to three-factor authentication. For those who are unaware, 'multi-factor' authentication involves authenticating a subject through a variety of different methods, most commonly two of the following:

  • Something you know (eg: a password)
  • Something you have (eg: a security pass or token)
  • Something you are (eg: biometric security such as a fingerprint or iris scan)
and occasionally adding:
  • Somewhere you are (only allowing access from a specific place, such as using a RAS call-back system)
Multi-factor is generally considered more secure than single-factor authentication, as an impersonator must capture or reproduce more than just a password (the most common single-factor authentication mechanism).

So if two factors is more secure than one then three must be even better right? Well that all depends on a number of factors (excuse the pun!).
The more factors you add to the equation, the more inconvenient authentication becomes for the end user. Convenience is important. This is why passwords are still so popular, despite being shown to be an extremely weak security measure, in that many people will give away their password for a candy bar (especially if you are a woman, apparently!).

So when implementing two-factor authentication, convenience needs to be taken into account. RSA tokens that can attach to a keyring and One Time Passwords (OTP) that are sent via SMS to a registered mobile phone are examples of incorporating a reasonable measure of convenience into the authentication process. I know HSBC uses the RSA tokens for their internet banking login authentication, and NAB take a different approach, using only a password for login but an OTP sent via SMS to verify any money transfers (for personal customers anyway; business customers get a token).

All sounds terribly secure, right? Well, no. As security guru Bruce Schneier commented back in 2005 in reference to 2-factor security: "...it solves the security problems we had ten years ago, not the security problems we have today".
He was, and still is, right. Phishing attacks and Man-in-the-middle (MITM) attacks are examples of very old attacks that can defeat 2-factor authentication by targeting the user. If you can fool the user into providing you with the information you need, you can fool the authentication mechanism.
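The SMS-for-transfers design above illustrates why a second factor on its own does not stop a man-in-the-middle: a one-time code that proves only "the customer has the phone" is accepted for whatever transfer the bank actually received, including one altered in transit. The added example below (not NAB's or any bank's real scheme; the HMAC-based codes, account numbers and secret are constructed for illustration) contrasts a plain counter-based OTP with one bound to the transfer details, so that the bank's verification fails when the transaction it received differs from the one the customer signed.

```python
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    from_account: str
    to_account: str
    amount_cents: int


def _truncate(digest: bytes, digits: int = 6) -> str:
    # Dynamic truncation as in RFC 4226 (HOTP): 31 bits at an offset given by the last nibble.
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def session_otp(secret: bytes, counter: int) -> str:
    """Plain OTP: depends only on the shared secret and a counter, not on what is being approved."""
    return _truncate(hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest())


def transfer_otp(secret: bytes, counter: int, t: Transfer) -> str:
    """Transaction-bound OTP: the HMAC also covers the transfer details."""
    details = f"{t.from_account}|{t.to_account}|{t.amount_cents}".encode()
    return _truncate(hmac.new(secret, counter.to_bytes(8, "big") + details, hashlib.sha256).digest())


def submit(secret: bytes, counter: int, intended: Transfer, received: Transfer, bound: bool) -> bool:
    """The customer computes a code for the transfer they intend; the bank verifies it against
    the transfer it actually received, which an intermediary may have altered on the way."""
    code = transfer_otp(secret, counter, intended) if bound else session_otp(secret, counter)
    expected = transfer_otp(secret, counter, received) if bound else session_otp(secret, counter)
    return hmac.compare_digest(expected, code)


# Constructed sample data: a shared secret, the transfer the customer meant to make,
# and the same transfer with destination and amount altered in transit.
SECRET = b"constructed-demo-secret-not-a-real-key"
INTENDED = Transfer("12-345-678", "98-765-432", 10_000)
TAMPERED = Transfer("12-345-678", "11-111-111", 900_000)

if __name__ == "__main__":
    print("unbound OTP accepts altered transfer:", submit(SECRET, 1, INTENDED, TAMPERED, bound=False))
    print("bound OTP accepts altered transfer:  ", submit(SECRET, 1, INTENDED, TAMPERED, bound=True))
```

With the bound variant the SMS (or token display) would also have to show the customer the details the code covers, otherwise the binding protects nothing the customer can check.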

So if two-factor authentication is broken, three-factor authentication will save us! Right?
I'm not convinced. The original article mentions using voiceprint identification for the third factor (something you are). Hmmm.
Biometrics are tricky, to say the least. Faces change over time as people age or gain or lose weight, and conditions such as lighting and distance can distort the image seen by face-reading cameras and lead to false positives or false negatives. Fingerprints can change due to accidents or even minor injuries (a papercut), and many fingerprint readers have been shown again and again to be easily defeated. Iris scans are very accurate and don't tend to change, but the scanners are hardly portable or suitable for mobile or home internet banking.
As for voiceprints, well, ever had laryngitis? No? A cold? Bad phone reception?
I'm not convinced they're the way to go, and neither are some experts, who state: "There is no such thing as a voice print, it's a very very dangerous term. There is no single feature of a voice that is indelible that works like a fingerprint does."

The other unanswered question is what the NAB hopes to achieve by adding a third factor to their authentication. "More security" is not much of an answer; is it anything more than a marketing one-up on their competitors? ("We're the only one who uses three-factor security! Bank with us!")
It all seems a bit more like security theatre than real security. Perhaps NAB need to look at their internal security first...
