Monday, February 9, 2009

(2FA) Strong Authentication ... and open source

As many of you readers know, I've always been an advocate of "more-than-a-simple-password" authentication, so when I had the opportunity to speak with Nick Owen from Wikid Systems I took it. Nick had some interesting things to say about his company's market-space, and the need for stronger authentication, so here's some highlights from that interview.

First, here's Nick's take on his company's background and market-purpose.
Nick: "We provide strong authentication solutions. We support an open source and an enterprise version. We're really the only open source solution with a company standing behind it. That allows us to leverage the open source world but also provide a strong, supported product at a reasonable price and since authentication is so "inline" it's important to have it supported."
Immediately, I wanted to know why Nick thought that 2FA (2-Factor Authentication) hasn't been more widely implemented. I've always thought that strong (2FA) authentication should be the baseline for any well-protected online system... Nick's thoughts were pretty much in-line with what I was thinking... Nick highlighted the two main points that have plagued 2FA (and strong authentication in general) for the last several years - namely cost and complexity. While hardware tokens are still expensive and not practical overall, token-based authentication still falls victim to MITM (Man-in-the-Middle) attacks and complexity makes it hard for every online shop to adopt this strategy.
As the conversation turned towards making 2FA more mainstream we seemed to agree that (as his PC token demonstrates) mutual HTTPS authentication is good for network security and applications such as mutual-verification and VPN solutions, but this approach doesn't solve every need universally - which is a problem in itself.
There are other issues with 2FA and "tokens" in general... for example as Nick explains, there are other concerns:
Nick: "Malware is a concern - but if you look at what is actually happening, it is a combo. Take the checkfree breach: the attackers (we think) stole the username and password for Checkfree's Network Solutions account and created a MITM attack redirecting users to site that installed malware. If Network Solutions used 2FA, it wouldn't have happened. If Checkfree used mutual https authentication it also wouldn't have happened! So, it gets down to doing something - which is better than nothing - and defense in depth."
So where does the line of responsibility for the security/privacy of a transaction lie? How much do we trust the end-user's browser when we're dealing with web applications? This is one of those tough questions I like to hear people's answers to... and Nick's insight was interesting.
Nick: "Well, not at all - OK, that's not really true. Perhaps trust is the wrong word because it has morally right or wrong, black/white connotations. Really, it's more about risk acceptance: "I'll take a risk that there is no man-in-the-browser for now, but once that risk increases past X, I need to do out-of-band transaction authentication. In terms of "responsibility", I think a lot of that is regulated for many financial institutions and to a less extent driven by the market."
That's so true - risk is at the base for every decision especially about stronger authentication. But at what point does the risk equation turn the strong authentication issue from a "nice to have" into a "must have"? There aren't any easy answers...
Nick: "Notoriously tough question! I think certain sectors will have that soon. Why doesn't Network Solutions use two-factor authentication already? I would think that Checkfree would gladly pay for it. I think the gamers will see it soon too, such as online poker, etc."
Taking it as a given that people won't want to carry around a token for each merchant they want to have strong authentication to, there has to be a better solution, right? What about a single-broker solution that could be federated out to many different customers such that one token in your hand could get you access to many of the systems you use today including your bank, favorite merchant( and yes... even online poker)?

Nick: "Well, WiKID is well designed for that. We have a customer - Online Banking Solutions - that runs WiKID in a "cloud" (what used to be "service bureau" then "ASP" :). Each bank is a network client to their WiKID server and can add/manager users, get reports, etc. without impacted the other network clients."
That's brilliant. So this one-token approach should be used everywhere, right? It's cost-effective, scalable, and open-source... so why isn't everyone on this bus? Maybe not enough companies have heard of WiKID?

As a final thought, I asked Nick his thoughts on "user-friendly security" and how his products and services conform to the stupid-user usability curve... meaning, are they user-friendly enough to be used by Joe Average user...
Nick: "I think so. For example, our PC token automatically copies the OTP to the clipboard and if mutual HTTPS is set up, then the default browser is launched by the token to the validated site. We also can handle multiple domains - so one token can work with many sites and each user can have more than one token - so one on their BB and one on the laptop, etc. In general, people like using a cellphone more than carrying hardware."
I'd like to thank Nick Owen of WiKID Systems for taking the time to chat, and field my questions on the topic of 2FA or strong authentication. This is a very necessary piece of technology that must not only be simple to use, but adoptable practically... I think WiKID does this smashingly well.

1 comment:

Nick Owen said...

Thank you, Rafal for the interview and the great blog.