As the name implies, multi-factor authentication is the use of more than one process to ensure the person using a system or device is authorized. While that's a workable overview, this SC News review and analysis of products starts with an interesting section that concludes precise definitions are a bit more elusive. It also says costs are declining and that products increasingly give users choices on which authentication methods to use.
The magazine reviewed eight products: The 4TRESS AAA Server v6.5 from Actvidentity; eToken from Aladdin; IAM Suite with iTag v3.5 from Encentuate; SecureAuth for SSL VPN from Multi-Factor Authentication; the Defender v5.2 from PassGo; ProtectID from StrikeForce Technologies; the Armored Credential System from TriCipher and Digipass from Vasco. The editors chose the Defender v5.2 from PassGo as the best buy and also recommend TriCipher's Armored Credential System.
Interest in multi-factor authentication seems to be highest in the banking industry. Two things are apparent: Multi-factor authentication greatly improves security both because of the technology itself and because it discourages all but the most serious crackers. It also is clear that it is not foolproof.
Securology discusses a Symantec post about Trojan.Silentbanker. The Trojan targets more than 400 banks worldwide. The main fear is man-in-the-middle attacks in which the data stream between the bank and its client is intercepted, the information changed and the criminal able to steer the money to his account. The key is that this is done without the perpetrator actually having to crack the authentication system.
At the beginning of last year, the Federal Financial Institutions Examination Council (FFIEC) put new multi-factor authentication rules into effect. According to Bank Lawyer's Blog -- which references material from a subscription-only American Banker story -- the rules are working. The stories say anecdotal evidence suggests that fraud has decreased by 30 percent to 40 percent. The blog says, however, that criminals are continuing to try to find a way around the higher level of security and mentions Trojan.Silentbanker.
This long presentation from BearingPoint begins by providing the standard definition of multi-factor authentication: Such a system will use two or more of three piece of information or data: Something the person asking to be authenticated knows (a password), something he or she has (a token or smart card) and something he or she is (a biometric element such as a fingerprint). The presentation is a set of about 30 slides which provide detailed information on several topics, including the recently promulgated regulations and the different types of multi-factor authentication options.
The thought that the heightened security brought by the new FFIEC regulations has made online banking safer isn't universally shared. The reality, according to this Bankwide post reporting on the DefCon meeting last autumn, is that smart hackers don't get access to machines in a random, brute force fashion. Rather, they use a variety of methods to learn passwords and otherwise get the information necessary to access systems.
If the assumption is made that crackers will somehow learn how to legitimately gain access to systems, the strength of the security to at least some extent is meaningless. In other words, a change in emphasis from trying to break systems to attempting to find passwords and otherwise take advantage of the humans using those systems means that there still are great opportunities for hackers who are flexible. And, if anything has been proven during the past decade, it is that crackers are willing to adopt.