NIST: In mobile authentication, think hardware, not software

Credit to Author: Evan Schuman | Date: Mon, 21 Aug 2017 03:00:00 -0700

Retail is in an awkward in-between stage when it comes to online security. In shifting their purchasing to online options, shoppers are using both desktop computers and mobile devices. Had they moved straight to mobile, authentication options would be numerous, including selfies and other biometric authentication such as fingerprints.

But the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCoE) is trying to bolster security and authentication on desktops and mobile devices. It was spurred to tackle its Multifactor Authentication for e-Commerce project because of the realization that increased security in the physical world (with such steps as cards with EMV chips) means that thieves are going to start to focus more on card-not-present transactions.

According to the NCCoE, its recommendation for initiating multifactor authentication borrows from a technique that is already widely used on retail sites. A user could start shopping online with minimally invasive authentication — simply username and password or even auto-login. But as circumstances merit, more could be required. That decision would be based on factors such as “the nature of the product, a known IP address associated with the customer, typical geolocation, and consistency with past patterns of online purchases,” NIST said. In other words, your shopping history and use of various devices at various locations would be analyzed to see if you are behaving unusually — and perhaps are not you.

What is interesting is the nature of the additional authentication the NCCoE recommends.

With desktop e-commerce today, secondary authentication often involves texting a one-time code to a mobile device — a not terribly secure approach, since the text can be intercepted. A better approach would be to authenticate the desktop device itself via such details as OS version, apps that are loaded, serial numbers of those apps, number of images stored, number and names of songs stored and folder names.
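The risk-based step-up policy described above (unknown IP, unusual geolocation, departure from past purchase patterns) and the device-attribute check in the paragraph just before this one can be sketched as one scoring routine. The following Go program is an added illustration and is not code from NIST, the NCCoE, Rivetz or Computerworld; the attribute list, the point weights, the thresholds and the sample customer data are constructed assumptions, and a real deployment would tolerate drift in attributes such as image counts rather than demand an exact match.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// AuthLevel is how much authentication a checkout must clear.
type AuthLevel int

const (
	LevelNone     AuthLevel = iota // remembered session or auto-login is enough
	LevelPassword                  // username and password
	LevelStepUp                    // password plus a second factor
)

func (l AuthLevel) String() string {
	switch l {
	case LevelNone:
		return "none"
	case LevelPassword:
		return "password"
	default:
		return "step-up"
	}
}

// DeviceAttrs are the kinds of desktop attributes the article lists (assumed subset).
type DeviceAttrs struct {
	OSVersion  string
	Apps       []string
	ImageCount int
	Folders    []string
}

// Profile is what the site learned about a returning customer at enrollment (assumed shape).
type Profile struct {
	KnownIPs          map[string]bool
	UsualCountry      string
	DeviceFingerprint string // digest of DeviceAttrs, so the raw inventory is not stored
	TypicalOrderCents int
}

// Attempt is the context of the purchase being evaluated right now.
type Attempt struct {
	IP          string
	Country     string
	Device      DeviceAttrs
	AmountCents int
	HighRisk    bool // nature of the product, e.g. easily resold goods
}

// Fingerprint hashes the attributes in a canonical order so the server keeps a
// digest rather than the user's app and folder names.
func Fingerprint(d DeviceAttrs) string {
	apps := append([]string(nil), d.Apps...)
	sort.Strings(apps)
	folders := append([]string(nil), d.Folders...)
	sort.Strings(folders)
	canon := strings.Join([]string{d.OSVersion, strings.Join(apps, ","),
		fmt.Sprint(d.ImageCount), strings.Join(folders, ",")}, "|")
	sum := sha256.Sum256([]byte(canon))
	return hex.EncodeToString(sum[:])
}

// RiskScore adds points for each signal that departs from the customer's history
// and returns the reasons so the decision can be logged and audited.
func RiskScore(p Profile, a Attempt) (int, []string) {
	score, reasons := 0, []string{}
	if !p.KnownIPs[a.IP] {
		score++
		reasons = append(reasons, "unknown IP")
	}
	if a.Country != p.UsualCountry {
		score += 2
		reasons = append(reasons, "unusual geolocation")
	}
	if Fingerprint(a.Device) != p.DeviceFingerprint {
		score += 2
		reasons = append(reasons, "device attributes changed")
	}
	if a.AmountCents > 3*p.TypicalOrderCents {
		score++
		reasons = append(reasons, "order far above typical size")
	}
	if a.HighRisk {
		score++
		reasons = append(reasons, "high-risk product")
	}
	return score, reasons
}

// RequiredLevel maps the score to the authentication the checkout must pass (assumed thresholds).
func RequiredLevel(score int) AuthLevel {
	switch {
	case score == 0:
		return LevelNone
	case score <= 2:
		return LevelPassword
	default:
		return LevelStepUp
	}
}

func main() {
	// Constructed sample customer: one known address, one enrolled desktop.
	home := DeviceAttrs{OSVersion: "14.2", Apps: []string{"mail", "maps"}, ImageCount: 120, Folders: []string{"DCIM"}}
	p := Profile{KnownIPs: map[string]bool{"198.51.100.7": true}, UsualCountry: "US",
		DeviceFingerprint: Fingerprint(home), TypicalOrderCents: 4000}
	routine := Attempt{IP: "198.51.100.7", Country: "US", Device: home, AmountCents: 3500}
	odd := Attempt{IP: "203.0.113.9", Country: "BR", Device: DeviceAttrs{OSVersion: "13.0"}, AmountCents: 20000, HighRisk: true}
	for _, a := range []Attempt{routine, odd} {
		s, why := RiskScore(p, a)
		fmt.Printf("score=%d level=%s reasons=%v\n", s, RequiredLevel(s), why)
	}
}
```

The point of returning the reasons alongside the score is that a step-up prompt is a customer-facing friction event: fraud and support teams need to see which signal triggered it to tune the weights without simply lowering security.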

Steven Sprague is the CEO of Rivetz, one of the vendors working with the NCCoE on this effort. Sprague argues that a lot of mobile authentication efforts make the mistake of functioning within software. “Software code is easily altered, and memory can be copied,” he said. “The [whole] software process can be observed. You simply cannot hide a secret in the operating system. It’s time to finally do it correctly, with hardened keys within the device.”

Like so much in mobile today, Apple has been leading this fight, starting with the iPhone’s hardware chip-based secure element.

But to be fair, Apple has a far easier path to hardware security because it has complete control over all iOS devices. That’s far from the case in the Google Android world, where it’s all handset manufacturers for themselves.

Realistically, the world is rapidly moving mobile, but the desktop world of laptops and PCs (and, yes, Macs) isn’t likely to vanish for at least five years. But one benefit of a chip-based approach is that it is agnostic regarding mobile or desktop hardware.
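Sprague's point that a secret cannot be hidden in the operating system, and the article's observation that a chip-based key works the same on mobile and desktop, come down to one protocol: the server enrolls a public key, issues a fresh challenge, and the device signs it with a private key that never leaves the chip. The Go program below is an added illustration, not Rivetz's or Apple's implementation; it simulates the secure element as a struct whose private key is unexported, and the device IDs, audience string and nonce size are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SecureElement stands in for the tamper-resistant chip. Only Attest and
// PublicKey are exported, so the private key is never handed to caller code.
type SecureElement struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

// NewSecureElement generates the device key pair inside the (simulated) chip.
func NewSecureElement() (*SecureElement, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SecureElement{priv: priv, pub: pub}, nil
}

// PublicKey is the only key material that leaves the chip, at enrollment time.
func (s *SecureElement) PublicKey() ed25519.PublicKey { return s.pub }

// Attest signs a server challenge prefixed with the site's audience string, so
// a signature made for one site cannot be presented to another.
func (s *SecureElement) Attest(audience string, challenge []byte) []byte {
	return ed25519.Sign(s.priv, append([]byte(audience+"|"), challenge...))
}

// Server keeps only public keys plus the challenges it has issued and not yet consumed.
type Server struct {
	Audience string
	devices  map[string]ed25519.PublicKey // device ID -> enrolled public key
	pending  map[string][]byte            // device ID -> outstanding challenge
}

func NewServer(audience string) *Server {
	return &Server{Audience: audience, devices: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll records the device's public key; nothing secret is stored server-side.
func (sv *Server) Enroll(deviceID string, pub ed25519.PublicKey) {
	sv.devices[deviceID] = pub
}

// Challenge issues a random 32-byte nonce that is valid for exactly one response.
func (sv *Server) Challenge(deviceID string) ([]byte, error) {
	if _, ok := sv.devices[deviceID]; !ok {
		return nil, errors.New("unknown device")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	sv.pending[deviceID] = c
	return c, nil
}

// Verify checks the signature against the enrolled key and consumes the
// challenge first, so a replayed signature fails even if it was once valid.
func (sv *Server) Verify(deviceID string, sig []byte) error {
	c, ok := sv.pending[deviceID]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(sv.pending, deviceID)
	if !ed25519.Verify(sv.devices[deviceID], append([]byte(sv.Audience+"|"), c...), sig) {
		return errors.New("signature does not match enrolled device key")
	}
	return nil
}

func main() {
	// Constructed scenario: one enrolled phone, one attempt from a different chip.
	phone, _ := NewSecureElement()
	other, _ := NewSecureElement()
	sv := NewServer("shop.example")
	sv.Enroll("phone-1", phone.PublicKey())

	c, _ := sv.Challenge("phone-1")
	fmt.Println("wrong device:", sv.Verify("phone-1", other.Attest(sv.Audience, c)))
	c, _ = sv.Challenge("phone-1")
	sig := phone.Attest(sv.Audience, c)
	fmt.Println("enrolled device:", sv.Verify("phone-1", sig))
	fmt.Println("replay:", sv.Verify("phone-1", sig))
}
```

Because the server holds only public keys, a breach of its database yields nothing that lets an attacker impersonate a device, which is the property a software-stored shared secret cannot offer. The consumed-challenge check is what turns a captured response into a one-time artifact; it is the same reason the article prefers this over a texted one-time code that can be read in transit.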

But what are the dangers of authenticating devices rather than users? Yes, authenticating a device is easier. The user needn’t do anything to let a site authenticate the device. But what happens when the device is being used by someone else? Some of the device attributes being considered for device authentication could survive a software wipe.

Of course, authenticating users is more disruptive, requiring some kind of biometrics, such as a fingerprint or a facial scan — in security parlance, something you are — or “secret” questions — something you know.

The NCCoE paper presents hypothetical examples of how authentication could work in specific situations, and challenge questions were part of the process in some cases. But the need to answer such questions can make e-commerce too bothersome for many people. Retailers, always looking for a competitive edge, might opt for less security and more convenience.

Sprague comes back to the hardware device-authentication argument. He maintains that a shopper is very likely to notice a missing phone and do so fast. As long as there is an easy and intuitive way for a user to quickly alert authorities that the device is missing and that universal authentication should be shut down, this might work.
