President Obama’s Cybersecurity National Action Plan (CNAP) describes a comprehensive approach to keeping our country’s digital assets and critical systems safe. In addition to stressing the importance of keeping applications and IT systems up to date with current patches and retiring (end-of-lifing) outdated legacy systems, it highlights the requirement of two-factor authentication for both government employees and for citizens.
Evolving business needs around cloud, mobile and web applications, combined with rising threats, require new considerations for access control. Two-factor authentication is a strong, defense-in-depth authentication mechanism that requires more than a simple password to log in – offering greater security for IT systems and software applications as well as the end users that access them. It is based on the principle that users prove they are who they claim to be by identifying themselves with a combination of:
- Something they know – password or PIN
- Something they have – token or smart card (two-factor authentication)
- Something they are – biometrics, such as a fingerprint (three-factor authentication)
While two-factor authentication has been around for quite a while, it has not been as widely implemented as one would think. In fact, a large end-user population still uses nothing more than a username-password combination to access sites and applications containing sensitive data.
For Software Architects, consider the following:
1. Identify the necessity for two-factor authentication. Although two-factor authentication offers greater security, it can add expense and complexity to system design. Hence, it’s important for architects to carefully consider the value of the assets to be protected and whether or not two-factor authentication significantly improves the security of the system. You may want to use it if your application handles a large number of assets, handles sensitive data, and/or performs critical business functionality.
2. Choose an authentication solution. In the software world, two-factor authentication requires the user's credentials plus a second factor: a device recognized by the application, a cryptographically generated code that changes over time, or a biometric from the user. Some solutions include:
- RSA's SecurID, which consists of a hardware or software token, assigned to a user, that generates an authentication code every 60 seconds.
- VeriSign's Unified Authentication managed service, in which enterprises deploy USB tokens to all their users.
- ActivIdentity's Strong Authentication solutions with smart cards, one-time password and USB tokens.
- SafeNet solutions that provide secure access to cloud applications, virtual desktop infrastructures, web portals, and enterprise networks.
- Duo’s solution that combines modern two-factor authentication with advanced endpoint security solutions.
A number of vendors use a cookie on the client machine as a "second factor," but this isn't a true implementation of the two-factor authentication mechanism. At best, a cookie ensures machine authentication, not that of the user. Even then, it does not provide a sufficient guarantee of independence from the security of the underlying platform, as a physically separate token would.
3. Apply the authentication solution. After choosing the solution that best fits your application's needs, consult the appropriate vendor about the technical aspects of integrating their solution into your application.
For Network Architects, you should consider the following:
Two-factor authentication requires the use of a password and an additional form of authentication for remote network access, ensuring that an attacker cannot use compromised credentials to access the network remotely. The additional form of authentication is the challenge of this requirement.
There are multiple commercial-grade products available, including RSA SecurID, which uses physical tokens, and SecurEnvoy's cell-phone-based authentication, which sends text messages as an additional form of authentication. Below is a situational example for two-factor authentication:
Problem Example
MyApp is an online banking product. It uses single-factor authentication when verifying its users; therefore the user need only supply their username and password (the single factor) in order to authenticate. If the user's credentials are not strong enough and can easily be guessed, or are leaked by means of a phishing attack, the attacker would be able to gain access to the user's bank account.
Solution Example
MyApp is an online banking product. It uses two-factor authentication when verifying its users. Hence, the user would need to provide their username, password (the first factor), and the code from their security token (the second factor, a physical "something you have" item) in order to authenticate. If the user's credentials were leaked, the account would still be protected, as the attacker would not have the second required authentication token.
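To make the Problem/Solution contrast concrete, here is an added example (not code from the original article or any vendor named above) of a server-side login check for a hypothetical MyApp: the first factor is a salted password hash, the second is a time-based code of the kind a SecurID-style token produces (RFC 4226 HOTP / RFC 6238 TOTP). The user record, salt and TOTP seed are constructed demo values; the seed is the RFC 6238 test secret. Beyond the article's description, the check also tolerates small clock skew and refuses to accept the same code twice.

```python
import hashlib
import hmac
import struct
import time

PBKDF2_ITERS = 100_000
STEP = 30  # TOTP time step in seconds

# Constructed demo user store for "MyApp" (hypothetical data, not from the article).
USERS = {
    "alice": {
        "salt": b"constructed-salt",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", b"constructed-salt", PBKDF2_ITERS),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test secret, shared with the token
        "last_counter": -1,  # highest TOTP counter already accepted, used to block replay
    }
}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, at // STEP)

def verify_password(username: str, password: str) -> bool:
    """First factor (something you know). On its own this is the single-factor 'Problem Example'."""
    user = USERS.get(username)
    if user is None:
        return False
    h = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ITERS)
    return hmac.compare_digest(h, user["pw_hash"])

def login_two_factor(username: str, password: str, code: str, now=None, window: int = 1) -> bool:
    """'Solution Example': the password AND a fresh code from the user's token are both required."""
    if not verify_password(username, password):
        return False
    user = USERS[username]
    now = int(time.time()) if now is None else now
    for drift in range(-window, window + 1):  # tolerate one step of clock skew either way
        counter = now // STEP + drift
        if counter > user["last_counter"] and hmac.compare_digest(hotp(user["totp_secret"], counter), code):
            user["last_counter"] = counter  # each code is accepted at most once
            return True
    return False
```

A leaked password passes verify_password but not login_two_factor, which is exactly the property the Solution Example relies on.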