Two-Factor Authentication
and Swivel
Abstract
This document looks at why the username and password are no
longer sufficient for authentication and how the Swivel Secure
authentication platform can provide a strong, cost-effective
authentication solution that is easy to use and to manage.
2012
White Paper Heading 2
Contents
Introduction 3
Single-Factor Authentication 4
  Threats against Usernames and Passwords 4
    Malware Attack 5
    Guess the Password 5
    Steal the Password 5
    Shoulder Surfing 5
    Phishing 5
Dual-Factor Authentication 6
  Attacks against Dual Factor Authentication 6
    Steal the Token 6
    Phishing 6
  Dual-Factor Authentication and Swivel 6
    Tokenless 7
    One-Time Code Extraction 7
  Attacks against Swivel 8
    Stealing the token 8
    Phishing 8
Conclusion 9
Introduction
The increasing use of remote access and web-based commerce has
increased the need for convenient, cost-effective, yet strong authentication
models. Relying on a single factor of authentication, i.e. username and
password, is no longer appropriate for many applications.
This has led to the increasing use of multi-factor authentication; whereby
authentication requires the user to know something (e.g. a password) and
possess something (e.g. some form of authentication token).
Swivel’s approach to two-factor authentication has the advantage that the
user does not need a dedicated authentication token. Add to this PINsafe,
our patented one-time code extraction protocol, Swivel can provide a
strong, cost-effective authentication solution that is easy to use and to
manage.
Single-Factor Authentication
When a user authenticates they need to present credentials to the
authentication server. A credential may be based on:
• Something they know, e.g. a password
• Something they have, e.g. a security string provided by a token
• Something they are, e.g. a fingerprint or retina scan.
Each one of these is a factor of authentication.
In the early days of authentication (and in many systems still today)
authentication is based upon just a single factor of authentication,
specifically a combination of a username and a password (UNP). There is an
increasing awareness that this is not sufficient for many systems. This
realisation is showing itself not only in the increasing number of
organizations that are moving to multi-factor authentication but also in
more regulations and legislation that are mandating multi-factor
authentication.
Three driving forces are behind this: firstly, the increasing value of the
systems being protected by authentication; secondly, the increasing
availability and variety of tools that can be used effectively against
simple UNP authentication; and thirdly, the increase in cybercrime.
Threats against Usernames and Passwords
One of the weaknesses of UNP is the fact that the password is static; i.e. it
does not change from one authentication attempt to the next.
Administrators may insist that passwords are changed every 3 months, or
even every month, however that still gives an attacker a significant amount
of time to aim at a stationary target.
Another issue with passwords is that users and helpdesk administrators
want them to be easy to remember but IT managers and security managers
want them to be difficult to guess. These requirements tend to work
against one another. It is much easier to remember words than it is a series
of random characters, but it is much easier to guess a word than a series of
random characters.
In order to help themselves remember more complex passwords, users are
more inclined to re-use the same password across different applications
and interfaces.
One final weakness of UNP as an authentication model stems from the fact
that usernames and passwords have been around for so long. This means
there are many software-based attacks that are, thanks to the internet,
widely available.
So what are the threats against username and password? The following list
is not meant to be exhaustive; it focuses on technical attacks against the
client rather than attacks against the server or social-engineering-based
attacks such as con tricks, blackmail, etc.
Malware Attack
Malicious code is deployed on the target's computer, for example a key
logger that records the user's keystrokes. By examining the keys pressed,
the password can be determined: search the log for a username and the
password is likely to follow. Some software attacks are more
sophisticated and look for specific actions before starting to log, e.g.
accessing a banking URL. The static nature of passwords means that this
form of attack can be very effective.
Guess the Password
There is a range of guessing attacks against passwords, which differ in how
much or how little information the attacker has about the target.
At one extreme there is the brute force attack, whereby an attacker just
guesses different possibilities until they succeed; not very effective, but
usable if the attacker can gain access to the file of encrypted passwords.
Slightly more targeted is a dictionary attack, where rather than guessing
random values, the attacker restricts the attack to words or phrases that
are likely, as most people choose passwords that are words. Finally, if the
attacker knows personal information about the target, they may try their
favourite sports teams or their children's names as passwords. The need to
make passwords memorable makes this kind of attack an option.
Steal the Password
One way of satisfying the IT security manager’s insistence on a complicated
password is to write it down somewhere; in an envelope in the desk drawer
etc. Whereas this form of attack requires physical access, it is surprisingly
common practice for people to write passwords down unencrypted.
Shoulder Surfing
To find out what someone’s password is you just watch them type it in.
Another attack that requires physical access, but as passwords are static,
you have plenty of attempts at watching the user type in their password to
manage to discern the whole thing. This form of attack has become more
recognised since the use of Chip and PIN technology with people being
asked to hide their fingers as they type in their PIN.
Phishing
It is particularly difficult to defend against phishing attacks, partly because
it is so easy to mount such an attack. You can get all the corporate imagery
you need from the real website to build a mocked-up site then you can
mass email a mock email to any valid email address. The user goes to the
mock site and enters their username and password. The attacker then has
the password that they need and they can do what they will with it.
Dual-Factor Authentication
Adding another factor of authentication adds another task for the attacker
to complete before their attack is successful. The basic model is that the
token provides the user with a one-time code that they must enter in order
to authenticate; the security string is dynamic in that it is different for each
authentication. We can see that there are many and varied ways of gaining
one factor, the password, but having succeeded in that what does an
attacker need to do in addition to succeed in defeating two-factor
authentication systems?
Attacks against Dual Factor Authentication
There would appear to be two obvious approaches:
Steal the Token
An attacker may be lucky in that the token may be kept in the same drawer
as the user’s password! But clearly an attack that combines a software
attack determining the password and physically obtaining the token could
be a successful attack. The first element is straightforward, the second
less so; however, in an e-commerce B2C scenario with many tokens being
physically distributed, there may be vulnerabilities that could be
exploited.
Phishing
Phishing can still have some success even against dual factor
authentication, as the attacker obtains the user's password and one-time
code and can therefore use those credentials to fraudulently authenticate
as the user. Unlike the phishing attack against single factor, this does not
allow the attacker to steal the user's identity, as the user still has the
token. This means the attacker cannot re-authenticate without re-phishing
the required one-time code, so a web application that requires repeated
authentication provides a good defence against phishing attacks; for
example, a banking website that requires authentication for every monetary
transaction.
Dual-Factor Authentication and Swivel
The Swivel authentication platform is a dual factor authentication solution
with subtle but important differences. As with many dual factor
authentication systems, Swivel sends a security string to the user that the
user needs in order to authenticate, but security strings are sent to the
user's mobile phone, either as a voice call, an SMS or via a mobile app;
therefore there is no need for dedicated security tokens.
The received security string is not entered by the user; it is combined by
the user with a PIN to extract the one-time code which is then entered.
The advantages of these differences are described below.
Tokenless
The fact that Swivel does not require a dedicated security token (it uses
the mobile phone as a token) has a number of advantages.
There is nothing that needs to be physically distributed; therefore you are
not at the mercy of postal systems etc. to provision users. Users can be
provisioned instantly.
Just as importantly there is nothing to physically reclaim once a user no
longer requires access. This is particularly relevant where you have a
population of users that has a high churn rate such as an academic
institution.
People treat their mobile phone as something vital; they need it for
business but also to keep in contact with their friends and families when
they are at work. They are less likely to leave it behind; or leave it in a
pocket of a garment destined for the laundry. They are also more likely to
notice when they have lost it or it has been stolen.
As Swivel reuses an existing device as a security token there is no
additional cost. If someone loses or damages their mobile phone, the
replacement is borne by the telecoms budget, not the security budget!
One-Time Code Extraction
The use of the Swivel one-time code extraction protocol means that both
factors of authentication can be combined into a single credential. This
means:
• The user only needs a 4 digit one-time code to authenticate (Swivel can
be configured to use PINs from 4 to 10 digits long, and it can also be
used in conjunction with a password).
• As the PIN is never entered, the attacks described earlier, such as key
loggers, cannot be used to ascertain one of the two factors of
authentication.
So the use of the Swivel dual factor solution makes some of the attacks
discussed before even harder. There is no physical token to distribute, and
the loss of a mobile phone is likely to be noticed and reported sooner than
that of a security token. In the event that an attacker gains access to a
mobile phone, security is still not compromised, as the attacker still needs
the PIN, and the PIN cannot be ascertained by key-logging attacks as it is
never entered by the user.
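To make the extraction step concrete, the following is an added example and not Swivel's code: a toy model of a PIN-indexed one-time code and of the server-side check that goes with it. The page does not spell out the protocol, so the 10-digit security string, the "PIN digit selects a position" rule and the names AuthServer and extract_one_time_code are assumptions for illustration. The server consumes each security string on the first attempt, which is what stops a code captured by a key logger from being replayed.

```python
# Toy model of PIN-based one-time code extraction, in the style the white
# paper describes for Swivel.  Added illustration, not Swivel's code.
# Assumptions not stated on the page:
#   - the security string is 10 random decimal digits;
#   - each PIN digit selects a position in that string (1 = first digit,
#     ..., 9 = ninth, 0 = tenth);
#   - the one-time code is the selected digits, read in PIN order.
import hmac
import secrets
from dataclasses import dataclass, field

SECURITY_STRING_LEN = 10


def extract_one_time_code(pin: str, security_string: str) -> str:
    """What the user does by eye: read the digit at each PIN position.

    Only the returned code is ever typed, so a key logger on the PC sees
    neither the PIN nor the security string (which went to the phone).
    """
    if not pin.isdigit() or not 4 <= len(pin) <= 10:
        raise ValueError("PIN must be 4 to 10 digits")
    if len(security_string) != SECURITY_STRING_LEN or not security_string.isdigit():
        raise ValueError("security string must be %d digits" % SECURITY_STRING_LEN)
    # PIN digit d names position d (1-based); 0 names the tenth position.
    return "".join(security_string[(int(d) - 1) % SECURITY_STRING_LEN] for d in pin)


@dataclass
class AuthServer:
    """Holds enrolled PINs and the one outstanding security string per user."""
    pins: dict                                  # username -> enrolled PIN
    pending: dict = field(default_factory=dict)  # username -> issued string

    def issue_security_string(self, user: str) -> str:
        """Generate a fresh random string.  In production it is delivered to
        the user's phone (SMS, voice call or app) rather than returned here."""
        s = "".join(str(secrets.randbelow(10)) for _ in range(SECURITY_STRING_LEN))
        self.pending[user] = s  # replaces any earlier, unused string
        return s

    def verify(self, user: str, one_time_code: str) -> bool:
        """Check the submitted code against the string issued to this user.

        The string is consumed on the first attempt, so a code captured in
        transit or by a key logger cannot be replayed.
        """
        s = self.pending.pop(user, None)
        if s is None or user not in self.pins:
            return False
        expected = extract_one_time_code(self.pins[user], s)
        return hmac.compare_digest(expected, one_time_code)


if __name__ == "__main__":
    server = AuthServer(pins={"alice": "2580"})  # constructed enrolment data
    string_on_phone = server.issue_security_string("alice")
    code = extract_one_time_code("2580", string_on_phone)
    print("security string:", string_on_phone, "one-time code:", code)
    print("first attempt accepted:", server.verify("alice", code))
    print("replay accepted:", server.verify("alice", code))
```

The comparison uses hmac.compare_digest so the check does not leak how many leading digits matched, and the pending string is popped before comparison so a failed guess also burns the string, forcing a fresh one to be sent to the phone.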
Attacks against Swivel
Stealing the token
In the Swivel case this attack still leaves the attacker with the problem of
the PIN; as the PIN is never entered, it cannot be obtained via key-logging
type attacks.
Phishing
No authentication product is immune from attack. Forms of phishing attack
may have some success against Swivel; it is very difficult to stop users
entering credentials into a mock web site, as discussed before. Once
entered, these valid credentials can be used by the attacker; as before,
this does not allow the attacker to steal the account, as they cannot
re-authenticate without the mobile phone.
A mock web site can send a user a false security string and by examining
the returned one-time code ascertain the user’s PIN. However this requires
knowledge of the target’s mobile phone number and the means to send an
SMS. Once the PIN is known, physical access to the mobile phone is still
required.
Conclusion
Two-factor authentication is a much stronger form of authentication than
single-factor. Swivel’s implementation of two-factor authentication, with its
unique one-time code extraction protocol and its use of the mobile phone
as a security token, provides a number of advantages including increased
strength of authentication and decreased running costs.

Scaling API-first – The story of a global engineering organization
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

1208 wp-two-factor-and-swivel-whitepaper

Contents

Introduction (page 3)
Single-Factor Authentication (page 4)
Threats against Usernames and Passwords (page 4)
Malware Attack (page 5)
Guess the Password (page 5)
Steal the Password (page 5)
Shoulder Surfing (page 5)
Phishing (page 5)
Dual-Factor Authentication (page 6)
Attacks against Dual-Factor Authentication (page 6)
Steal the Token (page 6)
Phishing (page 6)
Dual-Factor Authentication and Swivel (page 6)
Tokenless (page 7)
One-Time Code Extraction (page 7)
Attacks against Swivel (page 8)
Stealing the Token (page 8)
Phishing (page 8)
Conclusion (page 9)
Introduction

The increasing use of remote access and web-based commerce has increased the need for convenient, cost-effective, yet strong authentication models. Relying on a single factor of authentication, i.e. username and password, is no longer appropriate for many applications. This has led to the increasing use of multi-factor authentication, whereby authentication requires the user to know something (e.g. a password) and possess something (e.g. some form of authentication token).

Swivel's approach to two-factor authentication has the advantage that the user does not need a dedicated authentication token. Add to this PINsafe, our patented one-time code extraction protocol, and Swivel can provide a strong, cost-effective authentication solution that is easy to use and to manage.
Single-Factor Authentication

When a user authenticates they need to present credentials to the authentication server. A credential may be based on:
• Something they know, e.g. a password
• Something they have, e.g. a security string provided by a token
• Something they are, e.g. a fingerprint or retina scan

Each one of these is a factor of authentication. In the early days of authentication (and in many systems still today) authentication is based upon just a single factor, specifically a combination of a username and a password (UNP). There is an increasing awareness that this is not sufficient for many systems. This realisation is showing itself not only in the increasing number of organisations that are moving to multi-factor authentication but also in more regulations and legislation that mandate multi-factor authentication. There are three driving forces behind this: firstly the increasing value of the systems being protected by authentication systems, secondly the increasing availability and variety of tools that can be used effectively against simple UNP authentication, and thirdly the increase in cybercrime.

Threats against Usernames and Passwords

One of the weaknesses of UNP is the fact that the password is static, i.e. it does not change from one authentication attempt to the next. Administrators may insist that passwords are changed every 3 months, or even every month; however, that still gives an attacker a significant amount of time to aim at a stationary target.

Another issue with passwords is that users and helpdesk administrators want them to be easy to remember, but IT managers and security managers want them to be difficult to guess. These requirements tend to work against one another. It is much easier to remember words than a series of random characters, but it is also much easier to guess a word than a series of random characters.
In order to help themselves remember more complex passwords, users are more inclined to re-use the same password for different applications and interfaces. One final weakness of UNP as an authentication model stems from the fact that usernames and passwords have been around for so long. This means there are many software-based attacks out there that are, thanks to the internet, widely available.

So what are the threats against username and password? The following list is not meant to be exhaustive; it focuses on technical attacks against the client rather than attacks against the server or social-engineering-based attacks such as con tricks, blackmail etc.

Malware Attack

Malicious code is deployed on the target's computer, for example a key logger that records the user's keystrokes. By looking at the details of the keys pressed, the password can be determined: search the log for a username and the password is likely to follow. Some software attacks are more sophisticated and look for specific actions before starting to log, e.g. accessing a banking URL. The static nature of passwords means that this form of attack can be very effective.

Guess the Password

There is a range of guessing attacks against passwords, based on how much or how little information the attacker has about the target. At one extreme there is a brute-force attack, whereby an attacker just guesses different possibilities until they succeed; not very effective, but usable if the attacker can gain access to the file of encrypted passwords. Slightly more targeted is a dictionary attack, where rather than guessing random values the attacker restricts the attack to words or phrases that are likely, as most people choose passwords that are words. Finally, if the attacker knows personal information about the target, they may try their favourite sports teams or their children's names as passwords. The need to make passwords memorable makes this kind of attack an option.

Steal the Password

One way of satisfying the IT security manager's insistence on a complicated password is to write it down somewhere, in an envelope in the desk drawer etc. Whereas this form of attack requires physical access, it is surprisingly common practice for people to write passwords down unencrypted.

Shoulder Surfing

To find out what someone's password is you just watch them type it in. This is another attack that requires physical access, but as passwords are static you have plenty of attempts at watching the user type in their password to discern the whole thing. This form of attack has become more recognised since the introduction of Chip and PIN technology, with people being asked to hide their fingers as they type in their PIN.

Phishing

It is particularly difficult to defend against phishing attacks, partly because it is so easy to mount such an attack. You can get all the corporate imagery you need from the real website to build a mocked-up site, then mass-email a mock message to any valid email address. The user goes to the mock site and enters their username and password. The attacker then has the password that they need and can do what they will with it.
Dual-Factor Authentication

Adding another factor of authentication adds another task for the attacker to complete before their attack is successful. The basic model is that the token provides the user with a one-time code that they must enter in order to authenticate; the security string is dynamic in that it is different for each authentication. We can see that there are many and varied ways of gaining one factor, the password, but having succeeded in that, what does an attacker need to do in addition to defeat a two-factor authentication system?

Attacks against Dual-Factor Authentication

There would appear to be two obvious approaches.

Steal the Token

An attacker may be lucky in that the token may be kept in the same drawer as the user's password! But clearly an attack that combines a software attack to determine the password with physically obtaining the token could be successful. The first element is straightforward, the second less so; however, in an e-commerce B2C scenario with many tokens being physically distributed, there may be vulnerabilities that could be exploited.

Phishing

Phishing can still have some success even against dual-factor authentication, as the attacker obtains the user's password and one-time code and can therefore use those credentials to fraudulently authenticate as the user. Unlike the phishing attack against single-factor authentication, this does not allow the attacker to steal the user's identity, as the user still has the token. This means the attacker cannot re-authenticate without re-phishing the required one-time code, so a web application that requires repeated authentication provides a good defence against phishing attacks; for example, a banking website that requires authentication for every monetary transaction.

Dual-Factor Authentication and Swivel

The Swivel authentication platform is a dual-factor authentication solution with subtle but important differences. As with many dual-factor authentication systems, Swivel sends the user a security string that they need in order to authenticate, but the security strings are sent to the user's mobile phone, either in the form of a voice call, an SMS or via a mobile app; therefore there is no need for dedicated security tokens.
The received security string is not entered by the user; it is combined by the user with a PIN to extract the one-time code, which is then entered. The advantages of these differences are described below.

Tokenless

The fact that Swivel does not require a dedicated security token (it uses the mobile phone as a token) has a number of advantages. There is nothing that needs to be physically distributed; therefore you are not at the mercy of postal systems etc. to provision users. Users can be provisioned instantly. Just as importantly, there is nothing to physically reclaim once a user no longer requires access. This is particularly relevant where you have a population of users with a high churn rate, such as an academic institution.

People treat their mobile phone as something vital; they need it for business but also to keep in contact with their friends and families when they are at work. They are less likely to leave it behind, or leave it in a pocket of a garment destined for the laundry. They are also more likely to notice when they have lost it or it has been stolen.

As Swivel reuses an existing device as a security token there is no additional cost. If someone loses or damages their mobile phone, the replacement is borne by the telecoms budget, not the security budget!

One-Time Code Extraction

The use of the Swivel one-time code extraction protocol means that both factors of authentication can be combined into a single credential. This means:
• The user only needs a 4-digit one-time code to authenticate (Swivel can be configured to use PINs of 4 to 10 digits, and it can also be used in conjunction with a password).
• As the PIN is never entered, the attacks described earlier, such as key loggers, cannot be used to ascertain one of the two factors of authentication.

So the use of the Swivel dual-factor solution makes some of the attacks discussed before even harder. There is no physical token to distribute, and the loss of a mobile phone is likely to be noticed and reported sooner than that of a security token. In the event that an attacker gains access to a mobile phone, security is still not compromised, as the attacker still needs the PIN, and the PIN cannot be ascertained by key-logging attacks as it is never entered by the user.

Attacks against Swivel

Stealing the Token

In the Swivel case this attack still leaves the attacker with the problem of the PIN; as the PIN is never entered, it cannot be obtained via key-logging type attacks.

Phishing

No authentication product is immune from attack. Forms of phishing attack may have some success against Swivel; it is very difficult to stop users entering credentials onto a mock website, as discussed before. Once entered, these valid credentials can be used by the attacker; as before, this does not allow the attacker to steal the account, as they cannot re-authenticate without the mobile phone. A mock website can send a user a false security string and, by examining the returned one-time code, ascertain the user's PIN. However, this requires knowledge of the target's mobile phone number and the means to send an SMS. Once the PIN is known, physical access to the mobile phone is still required.
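As an added illustration (not code from this white paper or from Swivel), a minimal server-side model in Python of the one-time code extraction flow described above: the server issues a fresh security string per login, the user derives the code from it with a PIN that is never typed, and the server consumes the string on the first verification attempt so a phished code cannot be replayed. It assumes a positional extraction rule (each PIN digit selects the character at that position in a 10-character string); the paper only says the PIN is "combined" with the string, so that rule, the digit-permutation string, the class name and the sample user and PIN are all constructed here.

```python
import hmac
import secrets

# Assumption: the PIN is numeric; the paper gives only its length range (4 to 10).
MIN_PIN_LENGTH, MAX_PIN_LENGTH = 4, 10
STRING_LENGTH = 10  # assumed: one security-string position per possible PIN digit


def new_security_string(rng=secrets):
    """Server side: a fresh security string for exactly one authentication attempt.
    Constructed here as a cryptographically shuffled permutation of the digits 0-9
    (an assumption; the paper only says a string is sent to the user's phone)."""
    chars = list("0123456789")
    for i in range(len(chars) - 1, 0, -1):  # Fisher-Yates shuffle using secrets.randbelow
        j = rng.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def extract_one_time_code(security_string, pin):
    """The user's mental step: only the extracted code is typed, never the PIN.
    Assumed positional rule: PIN digit d selects the d-th character (1-based),
    with the digit 0 selecting the 10th character."""
    if not pin.isdigit() or not MIN_PIN_LENGTH <= len(pin) <= MAX_PIN_LENGTH:
        raise ValueError("PIN must be 4 to 10 digits")
    if len(security_string) != STRING_LENGTH:
        raise ValueError("security string must have one position per digit value")
    return "".join(security_string[(int(d) - 1) % STRING_LENGTH] for d in pin)


class OneTimeCodeAuthenticator:
    """Hypothetical server: knows each user's PIN and the one string it last issued."""

    def __init__(self, pins):
        self._pins = dict(pins)  # username -> PIN (a real server would store it protected)
        self._pending = {}       # username -> security string awaiting its single use

    def start_authentication(self, username):
        """Issue a fresh string; in the paper's model it travels by SMS, voice or app."""
        security_string = new_security_string()
        self._pending[username] = security_string
        return security_string

    def verify(self, username, submitted_code):
        """Check the code against the pending string, then discard that string whatever
        the outcome: a phished or shoulder-surfed code is useless on the next attempt."""
        security_string = self._pending.pop(username, None)
        pin = self._pins.get(username)
        if security_string is None or pin is None:
            return False
        expected = extract_one_time_code(security_string, pin)
        return hmac.compare_digest(expected, submitted_code)


if __name__ == "__main__":
    auth = OneTimeCodeAuthenticator({"alice": "1234"})  # constructed sample user and PIN
    issued = auth.start_authentication("alice")
    code = extract_one_time_code(issued, "1234")  # what alice types instead of her PIN
    print(issued, code, auth.verify("alice", code), auth.verify("alice", code))  # replay -> False
```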
Conclusion

Two-factor authentication is a much stronger form of authentication than single-factor. Swivel's implementation of two-factor authentication, with its unique one-time code extraction protocol and its use of the mobile phone as a security token, provides a number of advantages, including increased strength of authentication and decreased running costs.