Archive for September, 2007

Password hardening

Tuesday, September 25th, 2007

To follow up on my last post, here’s the link to the password hardening Q&A with Mark Diodati. Per the article: ‘password hardening is that you do something extra to make the password harder to guess or spoof without actually distributing a piece of hardware or software to the consumer. That extra thing you do is like a second factor.’

So he’s claiming that BioPassword is able to perform their function using just the native bits of Flash that reside in the default Flash installation? Does that contain keyboard monitoring and patterning capture, or does some new code need to be downloaded via Flash to pull this off (rhetorical, for those of you playing at home)? What prevents another keyboard logger from capturing the password and the patterning along with it? Is this same patterning going to work on my Treo, or on all three of the different keyboards I use in different postures (work chair, sofa, standing desk)?

Wouldn’t it be far better to ensure that capture of the password via any means or method, with or without any cutesy patterning capture, would gain the attacker nothing of use? What about the ability to protect against any kind of internal, total password file compromise? THAT’s password hardening! Does BioPassword do that? No.

As to the dancing on-screen keyboard entry stuff, that has been shown again and again to be vulnerable to screen/click capture malware. It doesn’t matter if the keys are in different places at each login; this only protects against a pixel-grid attack, not a screen-capture attack that grabs the image surrounding the mouse at the time of each click so the attacker can see 3, 5, 9, 4, A, m, r, etc. By the time you make the interface confusing enough to obfuscate the clicks, ‘Joe regular user’ is confused or irritated, or picking an easy-to-enter, and therefore easy-to-guess, password. If this was all that and a bag of chips, Bharosa wouldn’t have had to move into fraud detection to support their weak, ‘pseudo-multifactor’ approach.

This stuff has been around for ages along with the ‘pick the faces you remember’ thing. Do ‘the kids’ today still use the word ‘lame’? It’s 2007 and folks are still dinking around with these kiddy toy approaches. I continue to be amazed at the half-measures being considered, let alone purchased and deployed.

Note the admission in the last answer that PKI is the only real answer. Funny how it keeps coming back down to that. Now if only there was a solution that made PKI practical and scalable… hmmmm, wonder where I might find one of those [sly, cat-got-canary grin]?

European vs. U.S. 2nd factor acceptance

Sunday, September 16th, 2007

In an interesting article this week on why Europeans have adopted true 2nd factor authentication and the U.S. has not, David Berlind references a Q&A chain with Mark Diodati of Burton Group. The first article in the chain is on What is Multifactor Authentication?, and I’d like to draw your attention to the second question: ‘Many European security experts believe that multifactor authentication is essential for securing online consumer applications, but in the United States few banks or other financial institutions use it. Why is this?’ Mark Diodati’s response is actually very interesting and not something of which I was aware.

I would, however, suggest an additional idea: higher European adoption could also be influenced by the difference in privacy laws and the general sensitivity to privacy in Europe vs. the U.S. Liability is a strong motivator. I’ve long held that U.S. institutions are concerned about protecting the transactions, and hence themselves, rather than worrying about actually protecting the end-user. The end-user could be compromised and have their identity stolen or fraud perpetrated on them in a variety of ways due to a breach of an online account, but so long as the bank doesn’t incur a loss by reimbursing a customer for a $500 fraudulent transaction, the bank is satisfied. They are apparently managing this fraud loss ratio satisfactorily, or they would definitely be pursuing more stringent mechanisms or having them forced upon them more explicitly than the weak FFIEC Guidance from 2005. This comes down to the difference between guarding against fraudulent transactions and the broader protection of users’ data: transactional, identity, etc.

Certainly there also appears to be a greater resistance by Americans to anything that smacks of inconvenience. The numbers are plain and straightforward: for every change you make to an online experience, users click away, stop and pick up the phone, etc. All things to be avoided if you’re trying to build an online channel and keep support costs low. Understandable.

However, like David Berlind, I’d be very happy to use a true 2nd factor authentication mechanism. In fact, I’ll change banks to get true strong authentication and move to doing much more online business ever after at that bank. I suspect that Mr. Berlind would put an OTP (One Time Password) into that category, but if you’ve read my blog or paid much attention to the reality of the man-in-the-middle threat, you’ll hold out for a true 2nd factor and not just another single factor (what you know). Remember that two passwords don’t make an actual second factor, even if one is only useful for a short while. Yes, I know that is a contentious statement and out of step with the mainstream view of OTPs, but I believe the realities of 2007 back it up.
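To make the man-in-the-middle point concrete, here is an added example that is not part of the original post and not code from any product mentioned on this page. It simulates a phishing proxy sitting between a user and a bank. In the first scenario the user types a password and a one-time code into the phisher’s page and the phisher forwards both to the real bank within the code’s validity window; the bank accepts, because nothing about an OTP ties it to the site the user is actually looking at. In the second scenario the user’s client signs a bank-issued challenge together with the origin it is really connected to, using a key that never leaves the device; the phisher can relay the challenge but cannot relay a valid answer. Everything here is constructed for the demo: the origin names, the password, the OTP seed and the device key are hypothetical, the OTP truncation is a simplified stand-in for the RFC 4226 scheme, and an HMAC with a device-held key stands in for the private-key signature a PKI deployment would actually use.

```python
import hashlib
import hmac
import secrets

BANK_ORIGIN = "https://bank.example"          # constructed, hypothetical
PHISH_ORIGIN = "https://bank-login.example"   # constructed, hypothetical phishing site


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time code. Simplified: the RFC 4226 dynamic
    truncation is replaced by a plain reduction of the last 4 MAC bytes."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return str(int.from_bytes(mac[-4:], "big") % 10 ** digits).zfill(digits)


class Bank:
    """The genuine site. Holds what was registered at enrolment (constructed values)."""

    def __init__(self):
        self.origin = BANK_ORIGIN
        self.password = "hunter2"               # constructed, hypothetical
        self.otp_seed = b"otp-seed-0001"        # constructed, hypothetical
        self.device_key = b"device-key-0001"    # constructed; stands in for a public key
        self.counter = 0                        # next OTP counter the bank expects
        self.nonces = set()                     # outstanding challenges

    def login_with_otp(self, password: str, otp: str) -> bool:
        expected = hotp(self.otp_seed, self.counter)
        ok = password == self.password and hmac.compare_digest(otp, expected)
        if ok:
            self.counter += 1                   # each code is accepted once only
        return ok

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.nonces.add(nonce)
        return nonce

    def login_with_signature(self, nonce: bytes, signature: bytes) -> bool:
        """Verify over (nonce || the bank's OWN origin). A signature made over
        any other origin will not match, however it reached us."""
        if nonce not in self.nonces:
            return False
        self.nonces.discard(nonce)              # one use per challenge
        expected = hmac.new(self.device_key, nonce + self.origin.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(signature, expected)


class UserDevice:
    """The user's side: what they know, what their OTP token holds, and a
    device key that never leaves the client."""

    def __init__(self, bank: Bank):
        self.password = bank.password
        self.otp_seed = bank.otp_seed
        self.device_key = bank.device_key
        self.counter = bank.counter

    def type_into_page(self):
        """Password and current OTP, typed into whatever login page is in
        front of the user; the user cannot tell the phisher's page apart."""
        code = hotp(self.otp_seed, self.counter)
        self.counter += 1
        return self.password, code

    def sign_challenge(self, nonce: bytes, origin_connected_to: str) -> bytes:
        """The CLIENT (not the user) supplies the origin it is really talking
        to, so a proxied challenge is answered for the wrong origin."""
        return hmac.new(self.device_key, nonce + origin_connected_to.encode(),
                        hashlib.sha256).digest()


def honest_otp_login() -> bool:
    bank, user = Bank(), UserDevice(Bank())
    pw, code = user.type_into_page()
    return bank.login_with_otp(pw, code)


def relayed_otp_login() -> bool:
    """Phisher's page collects password + OTP and forwards them immediately."""
    bank = Bank()
    user = UserDevice(bank)
    pw, code = user.type_into_page()            # typed into PHISH_ORIGIN's page
    return bank.login_with_otp(pw, code)        # forwarded verbatim: accepted


def replayed_otp_login() -> bool:
    """A second use of the same code fails: the OTP is genuinely one-time,
    which is exactly why it does not matter against a real-time relay."""
    bank = Bank()
    user = UserDevice(bank)
    pw, code = user.type_into_page()
    bank.login_with_otp(pw, code)               # phisher's first use succeeds
    return bank.login_with_otp(pw, code)        # later replay is rejected


def honest_signed_login() -> bool:
    bank = Bank()
    user = UserDevice(bank)
    nonce = bank.issue_challenge()
    return bank.login_with_signature(nonce, user.sign_challenge(nonce, BANK_ORIGIN))


def relayed_signed_login() -> bool:
    """Phisher fetches the real challenge, hands it to the victim, forwards
    the answer. The victim's client signed over PHISH_ORIGIN: rejected."""
    bank = Bank()
    user = UserDevice(bank)
    nonce = bank.issue_challenge()
    sig = user.sign_challenge(nonce, PHISH_ORIGIN)
    return bank.login_with_signature(nonce, sig)


if __name__ == "__main__":
    print("honest OTP login accepted:     ", honest_otp_login())
    print("relayed OTP login accepted:    ", relayed_otp_login())
    print("replayed OTP login accepted:   ", replayed_otp_login())
    print("honest signed login accepted:  ", honest_signed_login())
    print("relayed signed login accepted: ", relayed_signed_login())
```

The design point is the origin binding, not the key type: a bare challenge-response would still be relayable in real time, since the phisher can forward the challenge and the answer just as it forwards the OTP. What defeats the proxy is that the signature covers something the user never types and the attacker cannot substitute, the origin the client is actually connected to, and that the secret used to produce it cannot be captured by watching the keyboard or the screen.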

By failing to offer stronger authentication and other security options and merely sticking with the bare minimum, U.S. institutions fail to capitalize on the opportunities for competitive advantage and increased online usage by a key target audience: the technology-savvy early adopter. I haven’t looked up any recent studies on it, but I suspect this group comprises the mythical ‘influencers’ as well and probably has above-average incomes, bank balances and credit card usage rates.

I’ll cover the next Q&A article in the chain with Mark Diodati in my next post. It covers password hardening.