2-Factor Is Great, But Passwords Still Weak Spot

The last few months have seen a plethora of consumer focused websites and services, all adding in two-factor authentication systems, in order to improve security.  The main focus of these additional authentication steps, generally involve a secondary one time password, being sent to the authenticating user, either via a previously registered email address or mobile phone number.  This is moving the authentication process away from something the user knows (username and password) to something the user has - either an email address or mobile phone.  Whilst these additional processes certainly go some way to improve security, and reduce the significance of the account password, it highlights a few interesting issues, mainly that password based authentication is still a weak link.

Consumers Accept New Security

Two factor authentication solutions have been around for a number of years, either in the form of hard tokens (RSA for example) or physical proximity cards for use with a pin to access a controlled physical site.  However, many have been used for general high security enterprise or internal scenarios, such as access to data centers or perhaps dialing into a secure network from an unsecure location.  The interesting aspect today, is that many of these SMS based 'soft' approaches to two factor authentication, are being made available to consumers, accessing standard web applications and sites.  The services those sites offer, whilst containing identity data or personal information, are not particularly life threatening or business critical.  It is interesting to see websites taking a risk with regards to user convenience, in order to implement greater security.  As a security professional, even just from an awareness perspective this a positive move.  Many end users, most of whom are non-technical, now willingly accept these additional steps, in order to reduce the risk associated with their account being hacked.

Password Security is Fundamentally Weak

But why the increased use of two-factor and why are users happy to accept this new level of security?  The main underlying point, is that simple password based authentication, is and never really will be, a totally secure way of protecting resources.  I've blogged on this topic several times in the past 18 months (Passwords And Why They're Going Nowhere, - March 2013,  The Problem With Passwords (again, still) - Oct 2012, The Password Is Dead (long live the password!) - Feb 2012), but the situation still remains: passwords have numerous weaknesses.  Some arise from the end user side (use of non-complex passwords, password sharing between sites, passwords being written down) and some from the custodian side, especially with regards to password storage (use of clear text - yes really!, symmetric encryption as opposed to hashing) and password transit (use of non SSL / HTTPS communication).  The complexity of password hacking techniques is also pretty mature, with automated tooling, pre-compiled hashing tables and harvesting engines, all make application protected by just a username and password, a risky proposition.

Biometrics - Face Recognition

Ok, so everyone knows passwords are weak.  So what are the options?  Due to the rise of mobile technology - both smart phones and tablets - the raw hardware technology available to most end users, is considerably higher than it was say 5 years ago.  Most devices will have high resolution cameras and touch screens that can be used for additional authentication checks, without the need for additional costly hardware.  Facial recognition is available on many of the Android and iOS handsets, when used alongside a secondary PIN.  Most facial recognition systems either use an algorithm to analyze the relative position of things like the nose, eyes and mouth or perhaps analyse a selection of facial images to create a normalized view.  This area is certainly developing, but can perhaps be circumvented by pictorial replays or other savvy attacks.  Google has certainly taken a lead in this area, by recently announcing a patent based on facial authentication.

Biometrics - Voice Recognition

Another area of interest is that of voice or speech based authentication.  On a similar front to facial recognition, this is focusing on the premise, that something you are, is certainly a lot more secure than something you know (password) and even more so than something you own (token).  Vocal recognition requires the 'printing' of the users voice, in order to identify the unique characteristics of the individual.  This is akin to a fingerprint, and when measured accurately using the amplification levels of key frequencies and other pause factors, makes an arguably world unique view of a user's voice, similar to a DNA sample.  At login time, a user is asked to repeat a certain phrase that was used at registration time in order to identify a match.

Any biometric method will raise questions about practicality (accuracy of technology, avoidance of poor type I and type II error rates for example), as well as managing the privacy concerns of holding individual biological data.  The latter part however, could probably be overcome by holding simple hashes of key checking metrics as opposed to raw data.

Either way, passwords may at last be on the long goodbye away from centre stage.

By Simon Moffatt

OpenDJ 2.6.0 is now available

OpenDJ-300x100I am really happy to announce the general availability of OpenDJ 2.6.0, a major update of ForgeRock  directory service product, built from the tag 2.6.0 (revision 9086 in our SVN repository).

OpenDJ 2.6.0 brings a lot of added value, including :

- A REST to LDAP service, allowing an easy access to directory data using HTTP/JSON. The service can be run either embedded in the server or as a standalone web application.

- A new upgrade process to ease transition from OpenDJ 2.4.5 or newer to 2.6.

- New Linux native packages (RPM and Debian) to facilitate the automatic deployment of OpenDJ in the private and public cloud.

- OpenDJ can be configured to delegate authentication to a Microsoft Active Directory service, providing tighter integration with Microsoft environment without the burden of synchronizing passwords.

- An optional extension to remove specific attributes from updates, making it more flexible and easier to deal with legacy applications and migration tasks.

- A way to synchronize SAMBA password attributes with the user’s password.

- Some improvements on the integrity of references, that is now enforced at creation or on update.

- More flexible and efficient audit logs.

- A Java based LDAP software development kit.

- An official stable documentation.

For the complete list of new features, enhancements and fixed defects, please read the release notes.

The binaries can be downloaded from ForgeRock Downloads.

Over the course of the development of OpenDJ, we’ve received many contributions, in form of code, issues raised in our JIRA, documentation… We address our deepest thanks to all the contributors and developers :

Aiman Tahboub, Alan Evans, Arturo V Sanchez, Auke Schrijnen, Bernhard Thalmayr, Brent Palmer, Bruno Vernay, Chris Dowey, Chris Ridd, Christophe Sovant, Dan Gardner, Danny Turner, Darin Perusich, Donal Duane, Elliot Kendall, Eswar Moorthy, Fred Voss, Gael Allioux, Gary Williams, German Parente, Göran Odmyr, Ian McGlothlin, Jamie Nelson, Jean-Noël Rouvignac, Jeff Blaine, Jeffrey Crawford, Jens Elkner, Lana Frost, Laurent Bristiel, Ludovic Poitou, Manuel Gaupp, Manuel Schallar, Mark Craig, Mark Gibson, Marko Harjula, Martin Sperle, Matthew Stevenson, Matthew Swift, Miroslav Fadrhonc, Mitch Silverstein, Nemanja Lukić, Nicholas Sushkin , Nikolay Belaevski, Per-Olov Sjoholm, Peter Major, Rauli Ikonen, Sachiko Wallace, Slavomir Katuscak, Tomas Forsman, Vanessa Richie, Violette Roche, Willi Burmeister

Happy 4th of July everyone !

Filed under: Directory Services Tagged: directory, directory-server, ForgeRock, java, Json, ldap, opendj, opensource, release, REST