March 19, 2013
Whether as a legal requirement, industry self-regulation or best-practice guideline, two-factor authentication has consistently been a focus for reducing risk. This post explores the role of two-factor authentication in the major compliance standards and guidelines issued in the United States; a follow-up will cover Canada. Links to the original compliance and guideline documents can be found at the bottom.
There are three known factors, or ways someone can prove who they are: something you know (a password, a PIN, the answer to a security question), something you have (a hardware token, a smart card, a phone) and something you are (a fingerprint or another biometric).
Think of the different factors as different dimensions: X, Y and Z. So far, everything falls into one of these identity dimensions. Combining two or more of them adds assurance that the person is indeed who they claim to be. Two-factor means an attacker needs to solve two fundamentally different problems, each in a different dimension, in order to compromise your identity.
Having a password and a pictogram on a website is not two-factor authentication, since it does not span two of the identity dimensions: both a password and a pictogram fall under something you know. This type of authentication method is called multi-layer single factor.
Now onto compliance.
Prior to an industry-wide standard each major payment brand had their own standard. The original PCI DSS was published and administered by Visa and MasterCard in 2004.
Today, the organization responsible for this standard is the PCI Security Standards Council. The council was launched in 2006 by global payment brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
Although PCI DSS is not a legal requirement, the payment brands and merchant account providers do require it. Lack of compliance results in substantial fines.
Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.
Note: These requirements are applicable for all accounts, including point-of-sale accounts, with administrative capabilities and all accounts used to view or access cardholder data or to access systems with cardholder data. However, Requirements 8.1, 8.2 and 8.5.8 through 8.5.15 are not intended to apply to user accounts within a point-of-sale payment application that only have access to one card number at a time in order to facilitate a single transaction (such as cashier accounts).
PCI DSS Requirement 8.3: Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. (For example, remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; or other technologies that facilitate two-factor authentication.)
Note: Two-factor authentication requires that two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication.
Testing Procedure 8.3: To verify that two-factor authentication is implemented for all remote network access, observe an employee (for example, an administrator) connecting remotely to the network and verify that two of the three authentication methods are used.
Because the access originates from outside the network it is considered high risk, and hence requires additional identity assurance. Protecting remote access with two-factor authentication adds that assurance and significantly reduces the risk of unauthorized access.
Next the financial industry.
In short, the FFIEC (Federal Financial Institutions Examination Council) is a US interagency body that works with its member agencies to unify how financial institutions are supervised. It published online authentication guidance in 2001, 2005 and 2011, each building on the previous and reflecting the fast-evolving consumer and attack landscape that defines online financial services. The guidance is just that, guidance: it is not legally binding. Banks are nonetheless well advised to treat the FFIEC guidance as the baseline for safe online authentication and transaction verification; it could turn into law, or the banks may self-regulate along its lines in the future.
All three documents are an interesting read. The key takeaway from the guidelines can be summarized in the following three key points:
The level of authentication used by a financial institution in a particular application should be appropriate to the level of risk in that application.
The risk should be evaluated in light of the type of customer (e.g., retail or commercial); the institution’s transactional capabilities (e.g., bill payment, wire transfer, loan origination); the sensitivity and value of the stored information to both the institution and the customer; the ease of using the method; and the size and volume of transactions.
Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.
For high-risk transactions single-factor authentication is not considered adequate, and multi-factor authentication is the expected control. Obvious candidates for high risk are business, wealth-management and other high-value customers. However, it is increasingly clear that as attacks become more pervasive and larger in scale, financial institutions will have to protect more and more of their online customers this way.
The 2011 guidance is particularly interesting because it makes the point that online security has no silver bullet:
Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing high risk transactions, but rather institute a system of layered security, as described herein.
This approach is quite sound in principle. As financial institutions implement layered security, the so-called "lower-risk" transactions should also benefit from layers that have been built to scale and to offer cost-effective security.
Another interesting aspect of the 2011 guidance is that it reflects on past experience and suggests how to improve on the strategies chosen earlier:
Institutions should no longer consider simple device identification, as a primary control, to be an effective risk mitigation technique.
Challenge questions can be implemented more effectively using sophisticated questions. These are commonly referred to as “out of wallet” questions, that do not rely on information that is often publicly available. They are much more difficult for an impostor to answer correctly.
Device fingerprinting is characterized as either "simple" or "sophisticated". Simple device fingerprinting, i.e. a static cookie stored in the browser, is deemed inadequate because it can be copied to another computer. Any security expert could have told you that; since the guidance is only guidance, the later supplements reflect the lessons learned from naive implementations of the earlier guidance.
Simple challenge questions after a username/password do not adequately protect the customer. Common questions are likely reused on other websites or easy to answer from the wealth of personal information available online; they can be easier to guess than a password.
In summary, the FFIEC strongly suggests the use of two-factor authentication for high-risk transactions and recognizes the pitfalls of earlier naive security implementations.
HIPAA was signed into law in 1996 by President Bill Clinton. It was meant to improve the efficiency of the nation's health care system by encouraging the use of Electronic Data Interchange (EDI), which the National Institute of Standards and Technology defined in a standard that same year.
Privacy of information plays a huge role here. Two-factor authentication is suggested for accessing so-called Electronic Protected Health Information (EPHI). Protected health information includes account numbers, medical record numbers and geographic indicators, among other private patient information.
Covered entities must develop and implement policies and procedures for authorizing EPHI access in accordance with the HIPAA Security Rule at §164.308(a)(4) and the HIPAA Privacy Rule at §164.508. It is important that only those workforce members who have been trained and have proper authorization are granted access to EPHI.
Risk: Log-on/password information is lost or stolen resulting in potential unauthorized or improper access to or inappropriate viewing or modification of EPHI.
Possible risk management strategies:
Implement two-factor authentication for granting remote access to systems that contain EPHI. This process requires factors beyond general usernames and passwords to gain access to systems (e.g., requiring users to answer a security question such as "Favorite Pet's Name");
Implement a technical process for creating unique user names and performing authentication when granting remote access to a workforce member. This may be done using Remote Authentication Dial-In User Service (RADIUS) or other similar tools.
Health institutions must protect patient health information and records from risky remote access. Once again, two-factor authentication is suggested to mitigate the risk of remote access. Note, however, that the example given in the guidance above (a security question such as a favorite pet's name) is, by the definition used earlier in this post, a second instance of something you know: combined with a password it is multi-layer single factor, not two-factor authentication. A token, smart card or biometric is needed for a genuine second factor.
NERC (the North American Electric Reliability Corporation) aims to ensure the reliable operation of the critical strategic assets that make up the power grid in North America. It has been around since 1968 and in 2007 was granted legal authority to enforce reliability standards in the USA; it is aiming for comparable authority in Canada and Mexico.
Applicable systems:
High Impact BES Cyber Systems and their associated:
Medium Impact BES Cyber Systems with External Routable Connectivity and their associated:
Requirement: Require multi-factor authentication for all Interactive Remote Access sessions
Measures: An example of evidence may include, but is not limited to, architecture documents detailing the authentication factors used.
Examples of authenticators may include, but are not limited to,
The document goes on to describe the benefits of multi-factor authentication:
The use of multi-factor authentication provides an added layer of security. Passwords can be guessed, stolen, hijacked, found, or given away. They are subject to automated attacks including brute force attacks, in which possible passwords are tried until the password is found, or dictionary attacks, where words and word combinations are tested as possible passwords. But if a password or PIN must be supplied along with a one-time password supplied by a token, a fingerprint, or some other factor, the password is of no value unless the other factor(s) used for authentication are acquired along with it.
This is a relatively new requirement in the NERC CIP standards, and one NERC is treating with appropriate seriousness. It is yet another example of two-factor authentication being required for remote access.
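To make the distinction that runs through all of these standards concrete, here is an added example (not code from the original post, from LoginTC, or from any of the standards quoted above) of a remote-access gateway check. It combines a password (something you know) with an RFC 6238 time-based one-time password from a token (something you have), as in the NERC text just quoted, and it rejects a password plus a security question as multi-layer single factor, as discussed at the start of the post. The factor-policy table, the user record and the gateway function are constructed for illustration and are not any product's API; the shared secret is the RFC 4226/6238 test key so that the generated codes can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct

# Hypothetical policy table: which identity dimension each authenticator
# type belongs to. A password and a security question are both "know".
FACTOR_OF = {
    "password": "know",
    "security_question": "know",
    "totp_token": "have",
    "smart_card": "have",
    "fingerprint": "are",
}


def is_two_factor(authenticators):
    """True only when the presented authenticators span at least two
    distinct factor classes; the same class twice is single factor."""
    return len({FACTOR_OF[a] for a in authenticators}) >= 2


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, step=30, digits=6, window=1):
    """Accept the code for the current step or +/- `window` steps to
    tolerate token clock drift; compare in constant time."""
    if not (isinstance(code, str) and code.isdigit() and len(code) == digits):
        return False
    counter = int(unix_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits), code)
        for d in range(-window, window + 1)
    )


# --- Constructed sample data (not real credentials) ---
# RFC 4226 / RFC 6238 test key, so codes match the RFCs' published vectors.
TEST_SECRET = b"12345678901234567890"
PASSWORD_SALT = b"constructed-salt"


def password_verifier(password):
    """PBKDF2 verifier for the stored password (constructed parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 10000)


USERS = {"alice": password_verifier("correct horse battery")}


def gateway_login(username, password, otp, unix_time, secret=TEST_SECRET):
    """Two-factor remote-access decision: password (know) + TOTP (have).
    The policy check guarantees two dimensions are involved; both factors
    are then evaluated independently and both must pass."""
    if not is_two_factor(["password", "totp_token"]):
        return False
    verifier = USERS.get(username)
    if verifier is None:
        return False
    password_ok = hmac.compare_digest(password_verifier(password), verifier)
    otp_ok = verify_totp(secret, otp, unix_time)
    # Evaluate both before deciding so a failure reveals nothing about
    # which factor was wrong.
    return password_ok and otp_ok


if __name__ == "__main__":
    # At T=59 the RFC 6238 SHA-1 vector is 94287082 (6-digit: 287082).
    print("password + security question is two-factor:",
          is_two_factor(["password", "security_question"]))
    print("password + token is two-factor:",
          is_two_factor(["password", "totp_token"]))
    print("TOTP at T=59:", totp(TEST_SECRET, 59))
    print("login ok:", gateway_login("alice", "correct horse battery", "287082", 59))
```

The acceptance window is the trade-off a practitioner has to choose deliberately: a window of one step lets a token that has drifted by up to 30 seconds still authenticate, but it also triples the number of codes an attacker could guess per step, so the gateway should rate-limit and lock out after a small number of failures rather than rely on the code space alone.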
Although the levels of enforcement vary (guidelines vs. law vs. fines), it is clear that two-factor authentication plays a critical role both in compliance and in following best practices. This trend will only grow within these industries and in the overall environment.
LoginTC is a two-factor authentication platform built to solve large scale problems in a cost-effective manner. It appropriately addresses the concerns raised in the various guidelines and standards.
In particular, remote access to networks containing critical infrastructure, financial, payment or patient records can be protected with LoginTC.
For more information on securing your VPN and remote access please see: LoginTC RADIUS Connector