Monday, September 08, 2014

on the strength of authentication factors

i ran across a story on friday about barclays bank rolling out biometric authentication for online banking and wound up starting a debate on twitter that i didn't have time for and couldn't easily fit into a series of tweets even if i did have time. essentially what it came down to was that i don't believe all authentication factors are equally strong and the statement that the barclays system was a "password replacement" raised a red flag for me.

the reason it raised a red flag for me is because single factor biometric authentication is something i've come across before, and not just in an article on the web or even as a user but as a builder. my first job out of university was with a biometric security company, and one of the biggest projects i had while working there was developing an authentication enhancement for windows logon. one of the requests made (and the one i fought the hardest against) was to allow logon with just the biometric. 

here's the problem with this idea - since windows didn't have biometric capabilities built in, the only way to add single factor biometric authentication was to store more traditional authentication data that windows could accept (such as a password) and then pass that along to windows when the subject's biometric sample matched the registered biometric template. i should note that the article about barclays makes it clear they'll be doing the same thing, since they say that barclays won't be storing customer biometric data on their servers. there will have to be a local biometric client that stores more traditional authentication data and passes it on when a biometric match is achieved. storing credentials is not exactly the safest thing in the world. it's not like you can just store a hash of the authentication data in this scenario, because you have to be able to present the original, unmodified credentials to the authentication system. whatever the client stores therefore has to be reversible, and anything that can read that storage (malware on the same machine, say) gets the credential without ever presenting a biometric.

i balked at the idea of making windows less instead of more secure, but i acquiesced when the decision was made to keep the more secure 2 factor mode of operation (without traditional credential storage) in there as well, along with informing the users that biometric-only logon was less secure. 

it's not just less secure because of the credential storage, though, and this is where the twitter debate on friday ended up. in the course of that job i had the opportunity to examine multiple biometric systems, such as face, voice, iris, etc. and i came away with 2 realizations: 1) the only biometrics that users will ever accept are non-invasive ones (no one wants sensors stuck into them), and 2) that lack of invasiveness makes it relatively easy to steal biometric samples from users, often without them even knowing. fingerprints can be lifted from anything you touch. recordings of your voice can be made without your knowledge. photographs of faces are ubiquitous, and a high enough resolution image will capture your iris pattern. 

other authentication factors like passwords and tokens generally rely on restricting access to the authentication data, often through secrecy. when that secrecy is lost, such as when someone takes a photograph of a door key (which is a kind of token) it becomes relatively easy to reproduce the authenticator and gain access to what was being protected. biometrics, especially non-invasive ones, forgo this secrecy under the mistaken belief that reproducing the authenticator is difficult for biometrics. the reality, though, is that you don't have to reproduce a biometric sample, you only have to create an approximation that is good enough to fool the biometric sensor, which often isn't particularly difficult. optical sensors can be fooled with images, audio sensors can be fooled with recordings, the mythbusters once fooled a capacitance sensor by licking a photocopy of a fingerprint.
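as an added example (this is not code from the original post, nor from the windows logon product or the barclays system it describes), here is a toy python model of the two points made above: the single-factor wrapper has to keep the real credential in recoverable form, and the matcher is a threshold decision on a fuzzy sample, so an attacker only needs a sample inside the tolerance. the 256-bit template format, the 20% hamming tolerance, the shake256 keystream standing in for real encryption, and every template, key and password in it are constructed assumptions for illustration.

```python
import hashlib
import hmac
import random
import secrets
from typing import Optional

TEMPLATE_BITS = 256        # hypothetical template size
MATCH_THRESHOLD = 0.20     # hypothetical tolerance: accept if <= 20% of bits differ


def hamming_fraction(a: bytes, b: bytes) -> float:
    """fraction of bit positions in which two equal-length templates differ."""
    diff = int.from_bytes(a, "big") ^ int.from_bytes(b, "big")
    return bin(diff).count("1") / (len(a) * 8)


def biometric_match(template: bytes, sample: bytes) -> bool:
    """threshold decision: a fuzzy matcher accepts anything 'close enough',
    so the attacker needs an approximation, never the exact biometric."""
    return hamming_fraction(template, sample) <= MATCH_THRESHOLD


def perturb(template: bytes, fraction: float, seed: int) -> bytes:
    """flip a fixed fraction of bits; stands in for sensor noise (small
    fraction) or a forgery of varying quality (larger fraction)."""
    rng = random.Random(seed)
    nbits = len(template) * 8
    value = int.from_bytes(template, "big")
    for pos in rng.sample(range(nbits), round(fraction * nbits)):
        value ^= 1 << pos
    return value.to_bytes(len(template), "big")


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """reversible scrambling with a shake256-derived keystream; a toy stand-in
    for the symmetric encryption a real wrapper would use."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(x ^ y for x, y in zip(data, stream))


def enroll(template: bytes, password: str, key: bytes) -> dict:
    """what a biometric-only logon wrapper has to persist locally.

    the password cannot be stored as a hash: at logon the wrapper must hand
    the original string to the underlying system, so it is kept reversibly,
    and the key that unlocks it has to live somewhere the wrapper can read."""
    return {
        "template": template,
        "vault_key": key,
        "vault_blob": keystream_xor(key, password.encode()),
    }


def logon(record: dict, sample: bytes) -> Optional[str]:
    """release the stored password if the fuzzy sample is within tolerance."""
    if not biometric_match(record["template"], sample):
        return None
    return keystream_xor(record["vault_key"], record["vault_blob"]).decode()


def recover_without_biometric(record: dict) -> str:
    """whoever can read the wrapper's storage needs no biometric at all."""
    return keystream_xor(record["vault_key"], record["vault_blob"]).decode()


def password_hash_check(stored_hash: bytes, salt: bytes, candidate: str) -> bool:
    """contrast: an ordinary password verifier keeps a one-way hash, which can
    confirm a guess but cannot be turned back into the password."""
    h = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
    return hmac.compare_digest(h, stored_hash)


def demo() -> dict:
    rng = random.Random(1)  # constructed enrolment template; key is random per run
    template = rng.getrandbits(TEMPLATE_BITS).to_bytes(TEMPLATE_BITS // 8, "big")
    record = enroll(template, "correct horse battery staple", secrets.token_bytes(32))
    return {
        "genuine_user":        logon(record, perturb(template, 0.05, seed=2)),
        "good_enough_forgery": logon(record, perturb(template, 0.15, seed=3)),
        "poor_forgery":        logon(record, perturb(template, 0.35, seed=4)),
        "stolen_storage":      recover_without_biometric(record),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result!r}")
```

the forgery that differs from the template in 15% of bits is accepted just like the genuine sample, and the "stolen_storage" entry is the point from the earlier paragraph: reading the wrapper's own files yields the password with no sensor involved at all.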

now hold on, i hear you say, isn't it also really easy to steal passwords? and isn't reproducing that authenticator the easiest of all? it's certainly true that in practice all kinds of things can affect how easy it is for an attacker to become illegitimately authenticated. for that reason i try to look at the upper bound of the strength of the various authentication factors. how strong is a system under ideal conditions, that is where everything goes right and legitimate parties don't make any mistakes.

for passwords, that ideal situation means that the user doesn't accidentally click on anything that would steal his/her password, doesn't get fooled by phishing sites, etc. in short, the attacker can't get the password from the user. it also means the attacker can't get passwords in transit (because that's been properly secured) or a password database from the service provider, because no vulnerability is found in their system and their employees are likewise careful to avoid making mistakes. under this ideal situation the attacker's only way to succeed in gaining illegitimate entry is to perform an online brute force attack (no, not a dictionary attack, because the user didn't make the mistake of using something from a dictionary), and they'd have to go slow because the ideal provider would have rate-limited failed logon attempts. now you might say this is unrealistic, people make mistakes, and that's true in practice in the aggregate, but it is possible for an individual to do everything right, and it is also possible for attackers to not be able to find any way to attack the provider in order to get the password database. this isn't how strong password protection always is, but rather the ideal we hope to achieve by making our systems secure and avoiding making mistakes, and sometimes in limited cases this is achieved.

for tokens, let's consider the ideal situation to be comparable to that for passwords, but on top of that let's consider the strongest token possible (i.e. not a door key). let's consider a token that produces one-time-passwords (without any vulnerabilities that would make those passwords easy to predict) so that even brute force attacks become much harder. on the surface this seems even stronger than passwords, but there's a chink in the armour and apple's recent icloud problems are a good example. tokens can be lost or stolen so there needs to be a way to recover from that problem. while our "ideal situation" precludes our user from losing their token, it does not preclude our service provider from providing users with a way to cope with the loss of their tokens. the strongest way to do this is to provide the user with pre-generated one-time-passwords ahead of time. this can work for an individual user who is careful and doesn't make any mistakes, but as we've previously seen our "ideal situation" does not extend to the point of saying all users make no mistakes, so the pre-generated one-time-passwords are going to fail for reasons such as never being printed out and put in a safe place, or not being able to get to that safe place because the user is traveling, etc. what's a service provider to do then? so far, their best option might be to use traditional passwords as a fall back, and if they do then the token system becomes only as strong as passwords, because although our ideal user didn't lose their token, the provider can't really know that the user didn't lose it (or worse, that it was stolen) and has to accept attempts to use the password fall back. while there is room for tokens to be stronger than passwords, the price is that only ideal users will be able to recover in the event of a lost token, and that price may be more than service providers are willing to accept.
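as an added example (not code from the original post, and not how apple or any other provider mentioned here implements recovery), here is a toy python account that accepts a totp token, the pre-generated one-time recovery codes described above, and optionally a password fall back, with the rate-limited failed-attempt counting the previous paragraph assumes. it makes the "only as strong as the weakest accepted path" point concrete: the provider can't tell a user who lost the token from an attacker, so every enabled path is checked on every attempt. the lockout threshold, the seed-derived secrets, the recovery-code format and the passwords are constructed assumptions.

```python
import hashlib
import hmac
import struct
from typing import Optional

TOTP_STEP = 30        # seconds per time step (rfc 6238 default)
TOTP_DIGITS = 6
MAX_FAILURES = 5      # hypothetical lockout threshold for online guessing


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """rfc 6238 totp: hotp (rfc 4226, hmac-sha1, dynamic truncation) over the current time step."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def slow_hash(value: str, salt: bytes) -> bytes:
    """one-way hash for anything the provider only needs to verify, never replay."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 50_000)


class Account:
    def __init__(self, password: str, allow_password_fallback: bool, seed: bytes):
        # seed makes the demo deterministic; a real enrolment uses fresh randomness
        self.totp_secret = hashlib.sha256(seed + b"totp").digest()[:20]
        self.salt = hashlib.sha256(seed + b"salt").digest()[:16]
        self.password_hash = slow_hash(password, self.salt)
        self.unused_backup_hashes: set = set()
        self.allow_password_fallback = allow_password_fallback
        self.failures = 0

    def issue_backup_codes(self, count: int = 5) -> list:
        """pre-generated one-time recovery codes: shown to the user once at
        enrolment; the provider keeps only their hashes."""
        codes = [hashlib.sha256(self.totp_secret + bytes([i])).hexdigest()[:10] for i in range(count)]
        self.unused_backup_hashes = {slow_hash(c, self.salt) for c in codes}
        return codes

    def verify(self, submitted: str, now: int) -> Optional[str]:
        """return the name of the path that accepted `submitted`, or None.

        the provider cannot know whether the user still holds the token, so it
        must accept every enabled path on every attempt; an attacker just picks
        the cheapest one. failures are counted and the account locks."""
        if self.failures >= MAX_FAILURES:
            return None
        path = self._check(submitted, now)
        self.failures = 0 if path else self.failures + 1
        return path

    def _check(self, submitted: str, now: int) -> Optional[str]:
        sub = submitted.encode()
        # 1. live token, tolerating one step of clock drift either way
        for drift in (-1, 0, 1):
            if hmac.compare_digest(sub, totp(self.totp_secret, now + drift * TOTP_STEP).encode()):
                return "totp"
        # 2. single-use backup code: valid exactly once, then discarded
        h = slow_hash(submitted, self.salt)
        for stored in self.unused_backup_hashes:
            if hmac.compare_digest(h, stored):
                self.unused_backup_hashes.discard(stored)
                return "backup_code"
        # 3. password fall back, only if the provider chose to offer one
        if self.allow_password_fallback and hmac.compare_digest(h, self.password_hash):
            return "password"
        return None


def demo() -> dict:
    now = 1_400_000_000
    strict = Account("hunter2", allow_password_fallback=False, seed=b"demo")
    lenient = Account("hunter2", allow_password_fallback=True, seed=b"demo")
    codes = strict.issue_backup_codes()
    lenient.issue_backup_codes()
    results = {
        "token_accepted":            strict.verify(totp(strict.totp_secret, now), now),
        "backup_first_use":          strict.verify(codes[0], now),
        "backup_second_use":         strict.verify(codes[0], now),
        "password_without_fallback": strict.verify("hunter2", now),
        "password_with_fallback":    lenient.verify("hunter2", now),
    }
    # online guessing: after MAX_FAILURES misses even the genuine code is refused
    for i in range(MAX_FAILURES):
        lenient.verify(f"wrong-{i}", now)
    results["real_code_after_lockout"] = lenient.verify(totp(lenient.totp_secret, now), now)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26s} -> {result!r}")
```

the "password_with_fallback" entry is the whole argument: on the lenient account the intact token contributes nothing against an attacker who has the password, because the provider must also accept the fall back. one caveat a practitioner should keep in mind is that a 6-digit otp gives an online guesser one chance in a million per attempt, so the failure counter (or equivalent rate limiting) is not optional for the token path either.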

for biometrics, we once again consider an ideal user who does nothing wrong, and an ideal service provider who likewise makes no mistakes. in spite of doing nothing wrong the user's voice can still be recorded, their face can still be photographed (in most cultures, since facial covering is relatively rare), etc. simply interacting with the world cannot qualify as doing something wrong or making a mistake. acquiring the information necessary to construct a counterfeit authenticator is easy compared to passwords and tokens because no effort is taken to conceal that information, and the cultural adjustments needed to change that are beyond what i think would be reasonable to expect. the difficulty in attacking a biometric authentication system boils down to the difficulty in fooling a sensor (or sometimes 2 sensors, as people have tried to strengthen fingerprint biometrics with so-called "liveness tests"), and that difficulty has been consistently overestimated in the past.

this is why i consider biometrics weaker than passwords - because even when everyone does everything right it's still fairly easy to fool the system. as such, when someone (especially a bank) provides people with an authentication system that replaces passwords with biometrics, i think that should raise an alarm. even at that prior job of mine it was conceded that that mode of operation was more about convenience than it was about security. convenience is a double-edged sword: it can make things easier for legitimate users and attackers alike if you aren't careful. using biometrics in a 2 factor authentication system may provide more security than any single factor authentication system can, but biometrics on its own? there's a reason some people have started saying that your biometric is your username, not your password. don't replace passwords with it (at least not without having someone present to guard against funny business - which isn't an option for online banking).