There is one fundamental truth about the Internet Age: without TRUST there is no electronic commerce.
The realities of online sessions, particularly if they are transactional, are that knowing who or what you are dealing with and whether they are authorized to interact, i.e., can be trusted, is critical. And, while a source containing some form of identity may seem reliable, additional verification is increasingly table stakes to assure accuracy and/or trustworthiness. As President Ronald Reagan used to say about the process of negotiating nuclear arms agreements with the Soviet Union, “trust, but verify!”
The question that arises is how do we make things more trustworthy? After all, for enterprise IT managers and service providers things are getting complicated. As a result of the BYOD phenomenon we now need to validate people, the device they are using, the software on that device, and know something about the information that is exchanged over networks, whether open or, in theory, secured.
It turns out that device verification is a significant soft underbelly when taking a holistic approach to mitigating the risk posed by bad actors. It is why the announcement from San Francisco-based NetAuthority about its SaaS or premise-based device-centric authentication with transaction verification solution demands attention.
Making devices trusted
Let’s start with the problem. It is big and getting larger. Did you know, for example, that not only are millions of records compromised every year, but that in 2010 Symantec estimated that the average cost per breach was $7.2 million? And, on top of the loss from the breach, regulations are getting stricter, with stronger penalties for failure by institutions to protect their customers’ information. It is going to cost companies more if they have not taken appropriate steps to protect critical personal information.
That is not all of the bad news, unfortunately. From reading the headlines we all are aware that conventional authentication methods (e.g. user IDs, passwords, PINs and certificates) are under constant attack from theft, eavesdropping, hacking and phishing. They are constantly being compromised. This is happening as the number of user devices accessing corporate networks approaches one billion and mushrooms as a result of BYOD, virtualization enabled by the cloud and the general consumerization of IT.
This cries out for a solution that involves multi-factor (strong) authentication. Again unfortunately, current forms of single-factor identification and anti-virus software do not measure up, especially because of their inability to even detect popular malicious activities like man-in-the-browser (MitB) malware attacks. In addition, multi-factor identification solutions are often cumbersome (they involve things like physical keys and dongles that people do not use) and expensive, and thus not widely adopted. They are also highly vulnerable to all types of “man-in-the-middle” (MITM) attacks.
I discussed all of this with NetAuthority’s CEO Chris Brennan and Talbot Harty, VP of product management and development. Brennan noted that, “Impersonation is a huge problem, being able to fully verify a device and its use by only an authenticated user must be the goal. Creating what we call an irrefutable accuracy was the vision behind why we formed the company a year ago and that capability is what NetAuthority is bringing to the market.”
Device-Centric User Authentication
If you are like me, the word “irrefutable” in the context of a discussion of security makes you all ears. How do you do that? A picture is the best way to understand what appears to be the game-changing potential of the NetAuthority solution.
What they have developed is a way of authenticating a user’s device with what Talbot described as a “uniquely expandable and flexible multi-attribute device key.”
There is a lot of intellectual property involved here that is patented or patent-pending. For those technically inclined, this is how they do it. The Client Dynamic Device Key Generator executes predefined function calls to obtain device attributes and generate dynamic key data, which is hashed and placed in an XML device key document. A new symmetric key is generated and used to encrypt the XML device key document, and that key is in turn signed and encrypted with the NetAuthority DAS PKI public key. The encrypted key and the encrypted device key document are then encoded and enveloped for processing. As can be seen, this represents multiple layers of protection: the raw attributes never travel in the clear, the document is readable only with the per-submission symmetric key, and that key can be opened only by the holder of the DAS private key.
In lay terms, for those of you less technically proficient in security, there is a wealth of information contained in every personal device that allows extraction of its attributes, and the list of attributes can be expanded as needed for even stronger authentication down the road. This enables NetAuthority to create a device identification key for that device alone, and that device is associated with me and me alone. When that device is involved in a transaction, the session is dynamically assigned a key that exists only for that session.
For example, a financial institution will know when I am using their smartphone app based on my login information. They will also know it is uniquely my device and that the device is authorized; when I use it to transact, they will have an audit trail of my activity that relates to my specific use of that device at a specific time. This authentication of me and my device, and the employment of multi-factor security along with the dynamic session-based security, is what lends credence to the word “irrefutable.”
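To make the outline above concrete, here is an added example (not NetAuthority’s code, and not a description of their patented implementation) that follows the steps the article names using only the Python standard library: device attributes are hashed so the raw values never leave the device, the hashes are placed in a canonical XML device key document, a per-session key is derived from the device key and a fresh server nonce, and the server verifies the document against what it recorded at registration while rejecting replays and documents from a device whose attributes changed. The attribute names and values, the `DeviceAuthServer` class and the HMAC-based session key derivation are all assumptions constructed for this demo. One step from the article is deliberately left out: encrypting the document under a fresh symmetric key and wrapping that key with the server’s PKI public key needs a cryptography library, so in this demo the document would have to travel inside TLS to stay confidential.

```python
"""Device key document with per-session binding (illustrative, stdlib only).

Added example, not NetAuthority's code. Names, attribute values and the
session-key derivation are constructed for the demo. The encryption
envelope (symmetric key wrapped to the server's PKI public key) is omitted.
"""
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Constructed sample attributes; a real collector would read these
# through platform APIs. All values are placeholders.
SAMPLE_ATTRIBUTES = {
    "os_build": "Example OS 1.2.3",
    "cpu_id": "EXAMPLE-CPU-0001",
    "disk_serial": "EXAMPLE-DISK-0001",
    "imei": "000000000000000",
}


def hash_attribute(name: str, value: str) -> str:
    """Hash one attribute so its raw value never leaves the device.
    The name is mixed in so equal values under different names differ."""
    return hashlib.sha256(f"{name}\x00{value}".encode()).hexdigest()


def build_device_key_document(attributes: dict) -> bytes:
    """Serialize hashed attributes into an XML device key document.
    Attributes are sorted so the same device always yields the same bytes."""
    root = ET.Element("DeviceKey")
    for name in sorted(attributes):
        el = ET.SubElement(root, "Attribute", name=name)
        el.text = hash_attribute(name, attributes[name])
    return ET.tostring(root, encoding="utf-8")


def device_key(document: bytes) -> bytes:
    """The multi-attribute device key: a digest of the whole document."""
    return hashlib.sha256(document).digest()


def session_key(dev_key: bytes, server_nonce: bytes) -> bytes:
    """Derive a key that exists only for this session (assumed KDF:
    HMAC of a fresh server nonce under the device key)."""
    return hmac.new(dev_key, b"session" + server_nonce, hashlib.sha256).digest()


def client_prove(attributes: dict, server_nonce: bytes) -> tuple:
    """Client side: rebuild the document and tag it under the session key.
    Returns (document, tag) for transmission."""
    doc = build_device_key_document(attributes)
    tag = hmac.new(session_key(device_key(doc), server_nonce), doc, hashlib.sha256).digest()
    return doc, tag


class DeviceAuthServer:
    """Server side (hypothetical): keeps the device key recorded at
    registration, issues nonces, and verifies submissions."""

    def __init__(self):
        self.registered = {}      # device_id -> device key bytes
        self.used_nonces = set()  # nonces already consumed (replay check)

    def register(self, device_id: str, attributes: dict) -> None:
        self.registered[device_id] = device_key(build_device_key_document(attributes))

    def new_nonce(self) -> bytes:
        return os.urandom(16)

    def verify(self, device_id: str, nonce: bytes, doc: bytes, tag: bytes) -> bool:
        if device_id not in self.registered or nonce in self.used_nonces:
            return False  # unknown device, or a replayed session nonce
        self.used_nonces.add(nonce)
        expected_key = self.registered[device_id]
        if not hmac.compare_digest(device_key(doc), expected_key):
            return False  # attributes differ from what was registered
        expected_tag = hmac.new(session_key(expected_key, nonce), doc, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected_tag)


def demo() -> dict:
    """Run the exchange once and report the outcome of three cases."""
    server = DeviceAuthServer()
    server.register("dev-1", SAMPLE_ATTRIBUTES)

    nonce = server.new_nonce()
    doc, tag = client_prove(SAMPLE_ATTRIBUTES, nonce)
    genuine = server.verify("dev-1", nonce, doc, tag)
    replay = server.verify("dev-1", nonce, doc, tag)  # same nonce resubmitted

    changed = dict(SAMPLE_ATTRIBUTES, disk_serial="EXAMPLE-DISK-0002")
    nonce2 = server.new_nonce()
    doc2, tag2 = client_prove(changed, nonce2)
    changed_device = server.verify("dev-1", nonce2, doc2, tag2)

    return {"genuine": genuine, "replay": replay, "changed_device": changed_device}


if __name__ == "__main__":
    print(demo())  # expected: genuine True, replay False, changed_device False
```

Two design points matter for a defender reading this: the server never needs the raw attributes, only the digest it recorded at registration, and every comparison goes through `hmac.compare_digest` so timing does not leak which attribute diverged. The replay check also shows why the per-session nonce must come from the server and be consumed on first use; a client-chosen nonce would let a captured document be resubmitted.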
Having all of this authentication and verification delivered as a service, or throughout a private network with premise-based control, means the capability can be deployed at scale. As Talbot says, “it has also been architected for quick and simple device registration, has a secure service API for easy system administration, and uses sideband signaling so it has no impact on existing infrastructure.” He added that the solution is additive. It does not require getting rid of any security capabilities already in place and in fact complements them very well.
What it prevents
A list of what the device-centric authentication delivers is impressive. It protects against:
- Key loggers
- Stolen cookies and user credentials
- Phishing attacks
- Circumvention of KBA (knowledge-based authentication) and risk-based authentication
- Man in the middle attacks
- Man in the browser attacks
Brennan noted that it is the only capability on the market that provides protection from zero-day attacks, so called because they exploit a previously unknown vulnerability, meaning the attack occurs on “day zero” of awareness of the vulnerability. These have become the bad guys’ attack of choice since they can create instant havoc. He went on to say that:
“Unlike other forms of multi-factor authentication, the DAE and DAS are designed to facilitate widespread adoption of strong authentication that is both affordable and transparent to the end user. Our suite extends the freedom of mobility and user choice with exceptional authentication security measures; preventing user account breaches while helping financial institutions, consumer online services and SaaS-based cloud services providers protect their customers, information and assets.”
The good news is that because of the strong authentication, especially with the optional verification, service providers and IT managers can disable suspect devices. Banks can have a transaction trail of which devices caused a problem and cut down on their risk from impersonations that lead to account theft. IT managers can know, in a BYOD world, which devices are not authorized under company policies and rules to access critical information, and deny them access.
The goal for the service, as Brennan states, was to produce a solution with “no tradeoff between user experience and security strength.” It is also priced to go and easy to implement. Prices start at as little as $2 per month per device, and the solution works with most platforms and device types, providing investment protection along with stronger security.
This is not a case of “trust, but verify.” It is instead an example of verifying in order to establish trust, in the first instance as well as in those that follow. As stated in the headline, this is for when you really need to know, and given the activities of those with malicious intent, that is always. The online world is becoming more and more a cat-and-mouse game, recalling the hit U.S. TV show of the late 1950s, “Who do you trust?” It is clear that establishing and maintaining trust is the only path to peace of mind.