Tuesday, March 6, 2007

MFA, What Is It And What Does It Mean To Me?

MFA, or Multi-Factor Authentication, is a layer of security now being added to online banking by financial institutions. The federal banking regulators (the FFIEC, in their guidance on authentication for Internet banking) determined that a simple user ID and password is too easily captured or phished by a cyber-critter, and therefore required FIs to add another layer.

There is a pretty good Wikipedia article on multi-factor authentication if you want the background.

As I type this I can hear protests about how inconvenient it will be to have to go through another step to get to your information. My feeling is this: it’s a lot more inconvenient to have to go through a fraud and lose all my money to some cyber-critter with too much time on his hands who, in all likelihood, will never get caught. It is the same approach I have about the increased airport security. If my being troubled just a bit keeps my plane from being the one they talk about on the news, more power to ‘em.

MFA can be built from several kinds of factors, and how far your own FI goes is largely up to them. Our credit union chose what it calls two-factor verification (strictly speaking, challenge questions are a second “something you know” rather than a second factor, but more on that below), and it goes a little something like this. You log into your account as usual. The first time in, and only then, you choose a picture from a group of pictures the FI provides. Second, you set up one or several challenge questions (again, how many is wholly up to your FI) to which only you know the answer.

The idea behind this procedure is that the two extra pieces work in opposite directions. Once your ID and password get you past the first step, the FI shows you the picture you chose. Since only you and the FI’s server know which picture that is, seeing it tells you that you are (very probably) on your FI’s servers and not on a look-alike; the check only helps if you actually stop when the picture is missing or wrong, and a fake site that relays your ID and password to the real one can fetch the real picture, so it is not a guarantee. Then you must answer your challenge questions. This lets the FI know that you are you, because in theory you are the only one who knows those answers.

That’s it. You’re in and everything should act as normal from there.
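Here is the flow above as a small working model: password step, picture shown back to the customer, then the challenge question. This is an added example, not the credit union’s software; the class and function names, the salted PBKDF2 storage of the password and answer, and the rule that one wrong answer ends the attempt are my assumptions for illustration.

```python
"""Toy model of the two-step login described above: ID + password first,
then the enrolled picture is revealed, then a challenge question.
Added example; nothing here is the credit union's real software."""
import hashlib
import hmac
import os
import secrets


def _kdf(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so stored secrets are not plaintext (assumption: the FI hashes them)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def _normalize_answer(answer: str) -> str:
    """Challenge answers are free text; compare case- and whitespace-insensitively."""
    return " ".join(answer.lower().split())


class BankServer:
    """Hypothetical FI back end holding one record per customer."""

    def __init__(self) -> None:
        self.users = {}      # user -> stored record
        self.sessions = {}   # session token -> {"user", "stage"}

    def enroll(self, user: str, password: str, picture: str, question: str, answer: str) -> None:
        """First-login setup: the picture is chosen once, a challenge question registered."""
        salt = os.urandom(16)
        self.users[user] = {
            "salt": salt,
            "pw": _kdf(password, salt),
            "picture": picture,
            "question": question,
            "answer": _kdf(_normalize_answer(answer), salt),
        }

    def step1_password(self, user: str, password: str):
        """ID + password. On success the server reveals the picture and asks the question."""
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["pw"], _kdf(password, rec["salt"])):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = {"user": user, "stage": "challenge"}
        return {"token": token, "picture": rec["picture"], "question": rec["question"]}

    def step2_challenge(self, token: str, answer: str) -> bool:
        """Challenge answer: still 'something you know', i.e. effectively a second password."""
        sess = self.sessions.get(token)
        if sess is None or sess["stage"] != "challenge":
            return False
        rec = self.users[sess["user"]]
        if hmac.compare_digest(rec["answer"], _kdf(_normalize_answer(answer), rec["salt"])):
            sess["stage"] = "authenticated"
            return True
        del self.sessions[token]   # one wrong answer ends this attempt (assumed policy)
        return False


def customer_login(server: BankServer, user: str, password: str,
                   expected_picture: str, answers: dict) -> str:
    """What the customer's side of the exchange does, including the check the
    picture exists for: stop and enter nothing further if it is missing or wrong."""
    step1 = server.step1_password(user, password)
    if step1 is None:
        return "bad password"
    if step1["picture"] != expected_picture:
        # Wrong/missing picture: treat the site as suspect. Caveat: a fake site that
        # relays user+password to the real server gets the real picture back, so this
        # check only defeats fakes that do not relay.
        return "picture mismatch, stop"
    answer = answers.get(step1["question"], "")
    return "logged in" if server.step2_challenge(step1["token"], answer) else "bad answer"
```

Note what the model makes visible: the password and the challenge answer are verified the same way against the same kind of stored hash, which is why the challenge question adds knowledge, not a new factor.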

Like I said earlier, this is how my credit union has chosen to do this. There are a lot of other possibilities out there. Some FIs will let you install a certificate on your PC that gets you into your account in place of the challenge questions. This is great, as long as the certificate (and the PC holding it) doesn’t get compromised, and it makes that PC the ONLY one you can do online banking from.

With biometrics arriving on PCs, like using your fingerprint to log into Windows or to unlock the PC from the screensaver, you may one day be able to scan your fingerprint at your PC to access your account.

Ok, that’s two pretty dry write-ups in a row. Story from growing up with LD next time, I promise.



HollyB said...

that piece of paper on the wall may say "Accounting" or "Finance" or "Business" but I think you must be an LEO who has a degree in one of the above.
It's all that time w/LawDog, isn't it? You picked up a need to catch financial criminals by osmosis. *g*

Vic303 said...

My bank & my credit card both do this MFA authentication. It's a little weird, but if it works, I don't find it a problem to use.

KCSteve said...

Work uses the SecurID token - a little chip running a known pseudo-random number generator. The servers know what number the token should be showing. You tag the current magic number on to the end of your password. If you're right, you get in. If not, either you're wrong or you're not talking to the real server. If it's a spoofed server they've got your ID and password, but without the magic token they won't get in at the real server. If they're an intermediary they can get in right now (magic number changes once a minute) but can't get in again unless they intercept you again. Don't know if the system is smart enough to watch for two concurrent access streams from the same ID.
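
The password-plus-token scheme described in the comment above, as an added worked model that is not part of the original thread and not RSA's SecurID implementation. It assumes a 6-digit code that changes every 60 seconds, an HMAC-SHA1 based generator in the style of HOTP/TOTP (RFC 4226/6238) standing in for the proprietary one, a tolerance of one step of clock drift, and a server that remembers the last code it accepted so a replayed code is refused (the "two access streams from the same ID" question at the end of the comment).

```python
"""Password with a time-based token code appended, verified server-side with
replay detection. Added example; the generator, names and policies are assumptions."""
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 60   # the magic number changes once a minute
DIGITS = 6


def token_code(seed: bytes, counter: int) -> str:
    """Code the token displays for one time step (HOTP-style truncation of HMAC-SHA1)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def _kdf(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 for the stored password hash (assumed storage format)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TokenServer:
    """Hypothetical server that knows each user's token seed and which codes it has accepted."""

    def __init__(self, allowed_skew_steps: int = 1) -> None:
        self.users = {}
        self.skew = allowed_skew_steps   # tolerate +/- one step of clock drift

    def enroll(self, user: str, password: str, seed: bytes) -> None:
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "pw": _kdf(password, salt),
                            "seed": seed, "last_counter": -1}

    def login(self, user: str, passcode: str, now: float) -> str:
        """passcode = password with the current token code tagged on the end.
        Returns 'ok', 'denied' or 'replay'."""
        rec = self.users.get(user)
        if rec is None or len(passcode) <= DIGITS:
            return "denied"
        password, code = passcode[:-DIGITS], passcode[-DIGITS:]
        if not hmac.compare_digest(rec["pw"], _kdf(password, rec["salt"])):
            return "denied"
        counter = int(now // STEP_SECONDS)
        for c in range(counter - self.skew, counter + self.skew + 1):
            if hmac.compare_digest(token_code(rec["seed"], c), code):
                if c <= rec["last_counter"]:
                    # The same (or an older) code presented again: an intermediary
                    # replaying what it captured. Each code is accepted once only.
                    return "replay"
                rec["last_counter"] = c
                return "ok"
        return "denied"
```

The one-time-acceptance rule closes the "second stream" case: whoever presents a given code first gets in, and the same code is refused afterwards. It does not help if the intermediary submits the captured code before the legitimate user does; the commenter's point that an interceptor "can get in right now" still holds.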

MorningGlory said...

The only problem with the biometrics is that people will end up getting their thumbs cut off by the bad guys, to be used to log onto their computers.

Anonymous said...

You should look into a very recent research study conducted jointly by Harvard and MIT that concluded your credit union solution, commonly referred to as a site key and the same solution deployed by Bank of America, is LESS THAN 10% EFFECTIVE!

Anonymous said...

The problem with stuff like authentication is that it relies on the "something you know" piece too heavily. TRUE authentication requires two things... something you have (like the SecurID solution above) and something you know (like a username & password). Any solution that merely requires you to know something more is merely an extension of the username/password solution and has about the same effective application security.

The "something you have" can be as simple as a USB key with a certificate, to a smart card (like an ATM card with a chip that requires a reader that attaches to your computer), to a biometric scanner (uses a fingerprint, a thumb print or a retinal scanner), and up to as complex as something like the SecurID which generates a pseudo-random number every X seconds.

The "something you know" is usually a username/password combo that may or may not require a password of a certain length or complexity (that is, the password must be at least 8 characters long and use uppercase, lowercase, numbers and special characters/punctuation - usually three of these four things).

The problem is that you must have a compromise between security and usability. I can make a genuinely secure system for you, but it quickly becomes more hassle than it's worth to users, or users do things (like write down their password) that compromise security. When I design a level of security into a network or system, I have to strike a balance between what is secure and what people will be willing to do without having to compromise the security. I can assign passwords that are very secure and under 10 characters long, but they will be randomly combined sets of characters, and won't contain words you'll find in the dictionary, and it will change every 30 days. That means that users will immediately write down their password because it isn't easy to remember.

TFM is a weak attempt to introduce additional security to an inherently insecure environment. A better solution would be to offer smart cards with USB-connecting readers or a USB key with an embedded certificate to your FI's customers (cost can be a factor, but if you buy enough of the devices, price comes down some - perhaps your customers would be willing to share in the cost...).

(Yes, I do design IT networks. How did you know? :) )