Louis Leahy (Australia) - Authentication for the 21st Century

There are lots of scary headlines going around about breaches in computer systems, and with good reason: the attacks are becoming more numerous and more varied. Most of these breaches are centered on gaining access to a network via the logon interface. This logon topology has remained largely the same since the advent of computers in the last century; it was designed when the command line ruled and graphical user interfaces did not exist. The attacks, be they phishing, malware, hacking etc., are designed to obtain the user's access credentials for a network. Most of them are centered on the client device (desktop computer, laptop or smart phone), as this is the point of weakness.

The weakness is mostly not due to deficiencies in hardware or software but to the complexities that arise from users' demands for their device to be multifunctional. In the majority of cases this does not match the user's ability to combine these functions correctly and keep them up to date. Now don't get me wrong, I'm not a snob, and I don't think for a moment that users should be required to be computer administration wizards. On the contrary, I think that systems should be user friendly and as easy to use as the many other sophisticated appliances in our complex lives today. The point is that, because of these demands and the associated risks, authentication for network access needs to change.

Sure, there are other means of access, but legitimate access via the logon interface gives the infiltrator the possibility of using the applications on the device to access the network and its data. Other forms of infiltration may not allow such access, may be detected as abnormal and pose a greater risk of detection for the attacker. Access to the desktop applications makes it much easier to steal information, which is the main game. That information may be bank account access details, corporate secrets, product and trading data, private personal data and so on.

So, how to fix the problem? Foremost, the authentication should reside on the network with appropriate commercial grade security in place. Parts of the authentication should not reside on the client device, as is now the case in almost all circumstances. There is at least one company in the marketplace that has realized this; however, their solution is to move the authentication to another interposed computer. We would argue that this simply moves the problem: if the client computer is compromised it still appears legitimate to the network. It may also facilitate a greater risk of man in the middle attacks, because the attacker in this case does not have to be on the client's computer to look legitimate.

The current configuration, if used in conjunction with certificates or token arrangements, will at least make it difficult for attackers, but the more sophisticated attackers understand that, which is why there is a prevalence of malware designed to give them access to the client computer. Placing the authentication process on the network reduces the risk from either malware or man in the middle attacks. Granted, if the network is compromised then all bets are off, but let's work on the basis that the professionals are responsible for that; what we are trying to fix is the obvious phishing attacks and telephone scams where users are tricked into revealing their access credentials, which the infiltrator can then use to access the network. Access to the network is readily available, as where to log on is generally clearly shown on most network websites.

Which brings us to another problem: why do organizations show everyone where their enrolled users access their networks? Sure, you have to have a system of registration to attract new users, but once they are registered, in order to protect their information that is contained on the network (and by extension the network's information), they should be protected by protecting their access point. Now, I have had some heated discussions in some quarters where it was argued that it is impossible to hide access points, and this may be true, but do we have to advertise which points belong to which users? The answer is obviously no. This information should be kept confidential. If an organization establishes this regime correctly on different subnets, it will also help to prevent those users from being inconvenienced if the organization's public interface is subject to a denial of service attack.

The next issue I would like to cover is the underlying code number set. I believe it should be proprietary: it should not be a well known number set that everyone expects everyone will be using. What does this mean? Simply put, the code system needs to be more sophisticated than the keys available on a traditional keyboard. This can be achieved on modern systems now because of the advent of graphical user interfaces. At present the attempts to do this have unfortunately been very unsophisticated and result in a diminution of security, because reducing the number of keys reduces the number of possible combinations. I know there are arguments that the underlying numbers are very sophisticated and in some instances the number sequences also change, but who cares; ultimately it is what is displayed as the available entry selection that is of consequence. If that is diminished, then it follows that the number of possible combinations is diminished.
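As an added illustration of the combinations argument above (example code, not part of the original column), the following Python computes the keyspace and entropy for entry sets of different sizes and models a scheme whose displayed keys are remapped each session to random "underlying numbers" drawn from a much larger space. The entry-set sizes and the remapping scheme are constructed for comparison, not taken from any real product.

```python
import math
import random
from itertools import product


def keyspace(symbol_count: int, length: int) -> int:
    """Number of distinct codes of the given length over symbol_count selectable keys."""
    return symbol_count ** length


def entropy_bits(symbol_count: int, length: int) -> float:
    """Bits of entropy of a uniformly chosen code: log2 of the keyspace."""
    return length * math.log2(symbol_count)


# Constructed comparison: a full keyboard (95 printable ASCII characters), a
# 10-key on-screen PIN pad, and a hypothetical graphical palette of 400 glyphs.
ENTRY_SETS = {"keyboard": 95, "pin_pad": 10, "glyph_palette": 400}


def compare(length: int) -> dict:
    """Entropy in bits for each constructed entry set at a fixed code length."""
    return {name: entropy_bits(n, length) for name, n in ENTRY_SETS.items()}


def distinct_codes_after_remapping(symbol_count: int, length: int,
                                   code_space: int, seed: int = 1) -> int:
    """Model a scheme whose displayed keys are mapped, per session, to random
    underlying numbers from a much larger code_space. Enumerate every selection
    a user could make, push it through the mapping, and count the distinct codes
    that can actually be produced. The count never exceeds keyspace(symbol_count,
    length): the remapping adds nothing beyond what the displayed keys allow."""
    rng = random.Random(seed)  # fixed seed so the constructed session is repeatable
    mapping = rng.sample(range(code_space), symbol_count)  # injective key -> code
    produced = {tuple(mapping[k] for k in seq)
                for seq in product(range(symbol_count), repeat=length)}
    return len(produced)


if __name__ == "__main__":
    for name, bits in compare(8).items():
        print(f"{name:14s} 8 selections -> {bits:5.1f} bits")
    print("10-key pad, 4 selections, codes drawn from 100000:",
          distinct_codes_after_remapping(10, 4, 100000), "distinct codes")
```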

There are many problems with the traditional logon topology that is used on nearly every network and computer system. Here we have discussed some of the glaringly obvious ones; there are many more. You may be thinking that only fools fall for these traps. Perhaps so, but the recent advent of tabnabbing, and the reports that timing attacks may be coming back into vogue because of improvements in the quality of bandwidth, both show the increasing sophistication of attackers. Simply relying on observation as a means of security is no longer an option, if you don't want to look like a fool. The advent of the graphical user interface means it is possible to move to a more sophisticated topology that includes a greater range of key characters and the use of more sophisticated number sequences, to provide the greater level of security demanded in the 21st century.

Louis Leahy is the inventor of VPCSML™ and a Director of Armorlog International Limited, which is developing this new method of authentication.
