What is Modern 2FA?

October 4, 2018 · Nok Nok News · Multifactor Authentication

Here are some challenges with password-based security:

  • Passwords can be guessed, even seemingly strong ones.
  • Password-based security depends on end users telling a legitimate request apart from a malicious one; phishing attacks exploit exactly this to trick people into revealing their passwords.
  • Passwords can be stolen en masse from poorly secured repositories. A classic example of this is the Yahoo breach.
  • Furthermore, even if you implement a robust password policy for your own site, there is no guarantee that the user will not reuse their password elsewhere.

The lengthy list of downsides spurred the development of a retrofit for passwords: augmenting them with an additional means of authentication, known as two-factor authentication (2FA). However, past approaches to 2FA have security issues of their own. Many traditional 2FA methods have design flaws that have led organizations such as the National Institute of Standards and Technology (NIST) to recommend that they be deprecated.

The first attempt at 2FA was the One-Time Password (OTP). In this scenario, the user is issued a dedicated OTP-generating hardware device that they must carry with them. Along with typing in their password (the first factor), the user has to key in the OTP value (the second factor) at every login. This increased security but decreased usability, since the user has to carry a special token (often several) around and transcribe numbers from one screen to another. This quickly becomes unusable, especially on a mobile phone, and if an authentication solution has a lot of friction, adoption may be low and transactions may be reduced.

This setup is also vulnerable to man-in-the-middle (MitM) and malware attacks. Cost is a problem, because these systems require a proprietary OTP hardware device locked to a specific vendor. OTP systems also derive every code from a secret key shared between the token and the server, so a compromise of those keys leads to massive compromises: such an attack happened to RSA, and the remedy was wholesale token replacement.

Another attempt at 2FA replaced the dedicated OTP device with an app running on the mobile phone. While this eliminates the need to carry a token, it is still inconvenient and subject to the same security problems as tokens, and more. Yet another attempt relies on transmitting the OTP over SMS. While this offers an improved user experience, it relies on the (weak) security of the SMS network, and the use of SMS as an additional means of authentication is itself subject to attack. Recently, hackers broke into a few Reddit systems by intercepting SMS messages.

To effectively augment passwords, or replace them outright, we need a modern approach to 2FA. It needs to combine security with ease of use, decentralize authentication so that it cannot be attacked centrally, and create a distributed security infrastructure that works across all devices, operating systems and browsers in a non-proprietary, standards-based way. Modern 2FA is based on FIDO and other open standards, which means freedom from lock-in to a particular vendor's hardware or infrastructure.

With the modern 2FA approach, the shortcomings of previous approaches are finally addressed. The first step is to eliminate symmetric shared secrets and replace them with asymmetric-key methods that require no central authority or shared secret. This overcomes the interception and manipulation of shared secrets that is endemic to passwords and OTPs.

The second step is to protect the private key in the secure hardware element of the mobile device (TEE on Android; Secure Enclave on iOS) or laptop (TPM). The key can even be stored on an NFC- or Bluetooth-linked external hardware token. The server stores only the public key, eliminating a major area of vulnerability: a breach of the server's credential store yields nothing that can be used to log in.

The third step is to tightly couple use of the key to a user gesture. The gesture can range from a simple biometric (face, finger, voice), to a wearable or token, to a more complex combination of something you have, something you know and something you are, in whatever combination is deemed necessary to achieve the required level of security. The important thing is that the developer API and backend stay the same regardless of which means of authentication is used.

Finally, modern authentication should never rely on end users being able to tell the difference between a legitimate request and a malicious one; protocols like FIDO add special measures beyond the protection of keys to prevent phishing and MitM attacks.
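The four steps above, as an added example in Go that is not part of the original post and is neither Nok Nok's nor the FIDO Alliance's code: a simplified model of a FIDO-style registration and login in which the private key stays on the authenticator, the server holds only the public key, signing requires a user gesture, and the signature covers the origin the client is talking to together with a fresh challenge. The names Authenticator, Register, NewChallenge, Assert and Verify and the origins bank.example and bank-example.test are constructed for this example; the real FIDO wire formats (client data, authenticator data, attestation) are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the device side (a constructed name); the private key never leaves it (TEE, Secure Enclave, TPM or token).
type Authenticator struct{ priv *ecdsa.PrivateKey }
// Register creates the key pair on the device; the server stores only the returned public key.
func Register() (*Authenticator, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv}, &priv.PublicKey, nil
}
// NewChallenge issues a fresh random nonce per login, so a captured assertion cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}
// signedData binds the challenge to an origin, the way FIDO client data carries the origin.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}
// Assert signs only after the local user gesture succeeds (userVerified), over the origin the client actually sees.
func (a *Authenticator) Assert(userVerified bool, origin string, challenge []byte) ([]byte, error) {
	if !userVerified {
		return nil, fmt.Errorf("user gesture required")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(origin, challenge))
}
// Verify recomputes the signed data with the server's own expected origin, so a look-alike site's assertion fails.
func Verify(pub *ecdsa.PublicKey, expectedOrigin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(expectedOrigin, challenge), sig)
}

func main() {
	auth, pub, _ := Register()
	ch, _ := NewChallenge()
	sig, _ := auth.Assert(true, "https://bank.example", ch) // constructed origins below
	bad, _ := auth.Assert(true, "https://bank-example.test", ch) // same key, look-alike origin
	fmt.Println("genuine:", Verify(pub, "https://bank.example", ch, sig), "phished:", Verify(pub, "https://bank.example", ch, bad))
}
```

The genuine assertion verifies, while one obtained under a look-alike origin, one replayed against a new challenge, and one requested without a user gesture all fail.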

By leveraging a modern approach to 2FA, attacks due to credential compromise will be a thing of the past!

Flexible Authentication Strategy Key to Meeting Business Demands

March 20, 2017 · Nok Nok News · Multifactor Authentication, Opinion

We are six months out from the rumored launch of a rumored new iPhone. As a result, of course, article after article has been posted confirming that, yes, we love our Apple rumors.

Joking aside, these rumors do contain an interesting development for the iPhone. If true, the iPhone 8 will do away with the home button and introduce a new method of unlocking your device: facial recognition.

We have long been a proponent of biometric authentication. However, the introduction of a new form of authentication on what is arguably the most popular platform in use today creates a long list of headaches for businesses that plan on being compatible with, and thriving on, the new iPhone. Fortunately, Nok Nok Labs has a solution in the market today that can help businesses with precisely these sorts of headaches.

The problem isn’t the introduction of new, novel technology. The problem isn’t changing behaviors and customer patterns. The problem that creates headaches for businesses is that they are deployed on a technology stack that is not designed to seamlessly integrate these new, novel pieces of technology, behaviors and customer patterns. In 2015, Apple introduced the iPhone 5S and kicked off a wave of fingerprint sensor adoption among everyday consumers. Businesses had to rush to find a way to integrate their mobile applications with Apple’s fingerprint APIs. Even now, two years later, we are still pleasantly surprised when we find a new application with fingerprint integration rather than kludgy password-based authentication. If the iPhone 8 does rely on facial recognition rather than fingerprints, a whole new wave of work will be required to integrate with that feature. Even those who had already integrated with the fingerprint sensor will have to recode, redesign, retest and rework their existing systems to adapt to a changing landscape.

If only there was a better way.

Fortunately, there is.

The solution is to do away with one-off integrations and embrace a flexible framework for authentication. The FIDO Alliance has published a protocol for accomplishing just that, and this protocol has been vetted and embraced by over 250 companies around the globe, including heavyweights such as Google, Microsoft, MasterCard and RSA. Nok Nok Labs built the first implementation of this protocol and offers its customers a way to instantiate an authentication system that can flexibly accept identities from fingerprint sensors, facial or voice recognition applications, even secure PINs or third-party dongles and tokens like the YubiKey. The business performs a single server integration, adds just a handful of lines of code to its mobile application, and simply chooses the types of authenticators it wishes to accept. As new technology becomes available and is adopted by its customers, the business needs only to change a policy in its configuration to accept it or not.

Feel free to visit our resources page to explore in more detail what our technology is capable of. Also, you can reach out to us directly at [email protected] if you have questions or would like to have a more robust discussion about how we might be able to help your authentication strategy.

Nok Nok Labs, Nok Nok, and NNL are all trademarks of Nok Nok Labs, Inc. © 2025 Nok Nok Labs, Inc.
FIDO is a trademark of the Fast IDentity Online, (FIDO), Alliance. All rights reserved.