Solution Oriented Systems
Multi-Factor and Multi-Layer Authentication
Solution Oriented Systems has more than 10 years of eCommerce security experience, including implementing multi-factor and multi-layer authentication security solutions at various websites for various customers.
Case Study: Finding a Low Cost, Easy to Use, and Effective Internet Banking Layered Security Solution
In our ever-changing technological world, we all need to be vigilant in protecting our financial information from unauthorized access. We are constantly fighting war-dialer, phishing, pharming, man-in-the-middle, man-in-the-browser, and key-logger attacks from a variety of hackers, identity thieves, and criminal organizations. And we are constantly anticipating where future attacks might come from, so that we are prepared to handle such an attack before it causes a loss of our sensitive data.
However, we also need to keep our zeal to aggressively restrict access in check, so that it does not dissuade legitimate users from accessing their own financial accounts. Our customers can be demanding and finicky at the same time. They demand that their information be safe and secure from unauthorized access. Yet they are equally finicky when it comes to requiring the use of extravagant technologies to access their own accounts. While the more sophisticated users demand higher technology to restrict access to their accounts, the majority of our customers demand to use their current home computers, their friends’ computers, and the local library computer to perform their banking transactions. Securing data access while maintaining flexibility and ease of use has become the greatest challenge for most financials today.
Therefore it is imperative for modern-day financials to find an effective strategy for protecting their online financial information while maintaining acceptability by a majority of their customers.
The selection process for finding the right product to use appears on the surface to be quite simple. Each product promotes its superiority for protecting online financial data while maintaining user acceptability. So picking any product from the many offered today should suffice in meeting the needs of most financials; or is it really that easy? With further investigation, each product has its strengths and weaknesses. While each strategy may appeal to one type of customer, it may also alienate another type of customer, costing the financial more than a simple breach of security. And there are the costs: the upfront costs, the maintenance costs, and the intangible costs. It is important to keep in mind that the costs of any new product must include the time of support staff, customer service staff, and the customer’s time as part of the decision process.
Solution Oriented Systems was chosen to assist a mid-size financial in researching and recommending three solutions for providing multi-factor and multi-layer authentication for their internet banking program. Our client currently has 100,000 customers, of which 35,000 actively use their in-house internet banking product; 1,000 of these users are business accounts. Our client’s goal was to find a product to provide bi-directional authentication with an additional layer of security to fulfill their regulatory requirements and reduce potential fraud.
Our mission was to offer advice on how to create the necessary requirements for filtering out the candidates to find the top three solutions that balance security, usability, and costs.
Security is the main reason we are pursuing this solution, and it is critical that the product address potential exploits and attacks. Usability is an equally critical concern for a financial’s staff and their customers, especially customers who resist using cutting-edge technology that they do not understand, that they find too cumbersome to use, or that requires too much effort to access their financial accounts. Portability is a must today because many of a financial’s customers will use their work computers, their friends’ computers, other family members’ computers, internet cafés, and public library computers. Therefore this new security solution needs to be as transparent and as easy for the average customer to figure out as possible.
Costs are always a factor in making any security product decision. Besides the costs of the product software and hardware, other intangible costs need to be included in the decision process. This includes the costs of additional infrastructure, support staff, and customer service staff.
“Honestly two-factor authentication is so much better than password-only that it really doesn’t matter which you choose. Choose the one that is cheaper, more user friendly and easier to deploy.” -- Bruce Schneier, Network World, June 2006
Solution Oriented Systems began this process by recommending criteria for the financial to prioritize their requirements for their internet banking security product.
Here is the list of criteria we produced for our client:
1. Does the product employ a software-based strategy, a hardware-based strategy, or a combination of both?
2. Does the product use challenge questions with a text answer to authenticate the customer in addition to their userid and password?
3. Does the product require using a hardware device, such as a token, which needs to be purchased for each customer?
4. Does the product use email to send a verification code that is required to log in to the internet banking program?
5. Does the product use a telephone to tell the customer a verification code that is required to log in to their internet banking account?
6. Does the product offer biometric authentication technology?
7. Does the product offer anti-phishing or bi-directional technology?
8. Does the product offer business intelligence and risk assessment technology?
9. Does the product offer image based challenge / response technology?
10. Does the product require a software component(s) to be installed on the customer’s computer to work?
11. Does the product require a third party to authenticate the customer credentials for account access?
12. Can the product be used to secure high risk transactions as well as the customer’s sign in process?
13. Can the product be used to register a single computer for account access, then require out-of-band support for account access on other computers?
14. Will the product be easy enough to use by a majority of the financial’s customer base?
15. Will the product work on a variety of browsers, including those used by the majority of the financial’s customers?
16. Will the product integrate well with the financial’s current internet banking technology?
17. Will the product require the financial to hire extra staff to manage the product?
18. Is the product flexible enough for a customer to use it at the financial’s branch PC and on a public PC, as well as at the customer’s work and home PCs?
19. Is the product flexible enough to work on a mobile device?
20. Is the product flexible enough to work with customers with disabilities?
21. Is the product’s technology flexible enough to accommodate possible future changes?
22. Does the product’s manufacturer offer regular support for the latest browser software and security updates?
23. Is the product in use at other financials (not vapor-ware or beta-ware)?
Ironically, the cost to purchase, and then to deploy, this new security strategy was not a primary factor for our client, but it was still part of their decision process. The costs of hiring additional staff to manage and support this security strategy, along with infrastructure changes, were critical factors in their decision-making process.
Our client’s requirements for their new internet security product:
1. No need for a 24 x 7 customer service department. Our client does not have a 24 hours a day, 7 days a week customer service department. They made it clear that they do not want to expand their customer service or their staff. So any strategy that requires round-the-clock customer service was automatically removed from the prospective list.
2. No software installed on customers’ computers. Our client has experienced numerous phone calls from customers on browser-related issues. So much so that they have resorted to hiring an outside firm to handle the technical aspects of helping customers diagnose their browser settings just to access their account via the financial’s internet banking system. The experience has taught them to make as few changes as possible to a user’s browser settings; much less to require download and installation of software.
3. No hardware tokens. Our client was aware of numerous problems reported by other financials, including portability issues, hardware costs, support costs, and the potential security risk caused by the alternative access in the (common) event of a token being lost or broken. They were also concerned about a lost or stolen token being reverse engineered, resulting in the high cost of replacing all of the outstanding tokens.
4. No additional staff required. Our client was adamant about not needing to hire additional staff for handling out-of-bounds security cases. They had no desire for manually determining risk or overriding automated risk-based management systems. They would, however, allow their staff to be trained for “resetting” accounts.
5. Not vulnerable to known keyloggers. Our client was very concerned about the potential of stealth key-logging programs capturing sign-on information including userids, passwords, and other text-based challenge/response questions and answers, especially on public computers.
6. Bidirectional Authentication. Our client was very aware of the prevalence of phishing attacks and required that any solution provide authentication of the financial (web site) to the customer as well as the customer to the financial.
7. Layered Security. Our client wanted to add an additional layer of security for “risky” transactions as well as protecting the sign-in process.
8. Must allow portability. The majority of our client’s customers access their accounts at work, at school, at the public library, and even at internet cafés. Plus, each of our client’s branches maintains lobby computers for its customers, which are used especially for the initial training of new customers. Any security solution must allow all users to access their accounts from a variety of computers at different locations.
9. Must integrate well with current internet banking product. Our client currently uses a well known, in-house internet banking product running on a Microsoft Windows platform. They have no intentions of changing their internet banking product at this time. Therefore, the new security product must integrate well with their current internet banking implementation.
10. Must support the latest Microsoft Internet Explorer and Mozilla Firefox browsers. While other browsers work well with their internet banking product, our client has standardized its support on only these two browsers.
11. Must offer support for current software updates. Windows servers and customer browsers are constantly being updated, almost on a weekly basis. This new security product must be able to keep current with the latest in browser technology for Windows and, preferably, also for Macintosh computers.
12. Must be in use by another customer. This financial is willing to explore new technology, but when it comes to internet banking security they were not going to take a chance on vapor-ware or beta-ware. Therefore the new security product had to be installed and successfully running at at least one other customer location.
“Hardware-based authentication solutions aren’t as easy to provision and manage, so they’re probably not suitable for large user bases” - Jeff Vance, Network World, June 2006
Our client’s preferences for their new internet security product:
1. Ease of use. Our client was adamant that their customers could quickly understand and use their new internet banking security enhancement. It was their opinion that the easier it was to use and understand, the higher the customer adoption rate would be.
2. Ease of deployment. This financial was in a hurry to complete implementation and, of course, preferred the lowest possible implementation costs.
3. No third party authentication services. Our client has had previous bad experiences using outside third party vendors for real-time online functionality. Therefore they preferred a fully in-house solution only.
4. Variety of operating systems. Our client has a user base that includes Windows 98 and Windows 2000 users along with Windows XP, Windows Vista, and Mac users. While Microsoft may not support Windows 98 or 2000 users, our client has enough of these users that it would prefer to allow them to continue to access their accounts using this new security product.
5. Flexible product. Our client preferred that any potential solution be flexible to allow for possible new future strategies for increasing account security.
6. Use with mobile devices. This financial has future plans to deploy its internet banking program on mobile devices, both using browser-based mobile banking as well as text-message-based mobile banking. This financial preferred a security strategy that, if possible, would work with either internet banking channel.
7. Low cost solution. Of course, everyone wants a great product at a low price. Our client said they would be happy with a great solution at a reasonable price.
Solution Oriented Systems was charged to research the available products and offer three recommended solutions to the financial’s management team for further evaluation. Using the above-described criteria, we came up with three recommended products and two more alternative products. Our recommended products included a text-based challenge/response product with a risk-assessment engine, an image-based challenge/response program (Passfaces), and a one-time security code via email or telephone product. The two alternative products included another image-based challenge/response product and a network-based challenge/response appliance.
“Don’t see widespread adoption of USB tokens until the cost comes down and they are easier to track. It’s hard enough for an organization to keep track of PCs and laptops, can you imagine trying to track USB tokens?” - Barry Runyon, Gartner Analyst
The findings from our client’s project team after reviewing our recommendations were:
1. Text-based challenge/response authentication was too vulnerable to current stealth key-logging technology. Therefore use of text-based challenge/response authentication on a PC was not an acceptable technology.
2. This financial was told by other financials that risk assessment programs would require additional staff to handle out-of-bounds cases. This financial decided it did not want anything to do with risk assessment technology as part of its internet banking security strategy.
3. Use of email for receiving a security code or one-time-password was less secure than standard internet banking; and created an additional potential security exploit. Therefore use of email to provide security information for internet banking access was deemed not acceptable.
4. The hardware network device solution was unappealing to this financial due to questions of potential access by a third party to the financial’s customers’ account sign-on information. This financial also felt this product would be too difficult to implement as a layered security solution, along with some concerns about hardware maintenance and the risk associated with having a single point of failure.
5. This financial deemed the alternative image-based challenge/response product too cumbersome for its customers to learn and use, although they were impressed with the image-based challenge/response technology.
Decisions that were made by our client’s management team:
1. After further research and serious review, our client decided not to use the security-code-via-telephone technology. Their issues were with the portability of this strategy, the restrictions on its dial-up customers, and the requirement for a new phone system to provide the security codes. Further, our client felt this technology was not practical for layered security to protect risky transactions either. This financial also had numerous concerns with customers using multiple telephones to access their accounts. However, this financial did feel a combination of phone, cell phone, and/or text messaging would be reviewed again in the future as a potential secondary security strategy to the new security solution, should the need warrant additional account security.
2. After serious research and review, this financial decided on using the Passfaces product in a multi-layered strategy, securing their online banking program as well as several high-“risk” transactions.
3. Our client decided to implement Passfaces using Passfaces’ recommended default image libraries and configuration settings. They also decided to offer Passfaces’ alternative image library (for those users with prosopagnosia) only on an as-requested basis.
4. Our client also decided to implement Passfaces with a skip option, for the first 30 days after initial deployment. This would allow for a staggered deployment by letting their users decide when to start using this new security product.
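To make the decisions above concrete, the following is an added example of the kind of server-side logic such a deployment needs: an image-based challenge/response second layer whose response is a set of click positions that are re-shuffled on every sign-in (so a keylogger capturing typed text learns nothing reusable), step-up on “risky” transactions, and the 30-day skip window for staggered enrollment. This is illustrative code written for this page, not Passfaces’ product or the client’s implementation; the grid size, number of rounds, image identifiers, and the list of risky transaction types are assumptions.

```python
"""Layered image-based authentication policy (illustrative, not vendor code).

Assumed design: the user enrolls one secret image per round; at sign-in the
server shows ROUNDS grids, each holding the round's secret image at a random
position among decoys, and the user clicks the secret in each grid. The grid
layout is generated server-side and stored in the server session, so nothing
is installed on the customer's PC and no third party is involved.
"""
import secrets
from dataclasses import dataclass
from datetime import date, timedelta

GRID_SIZE = 9          # assumed: 3x3 grid per round
ROUNDS = 3             # assumed: number of secret images per user
SKIP_WINDOW_DAYS = 30  # from the case study: skip option for the first 30 days

# Constructed decoy image identifiers (in a real system these are image files).
DECOY_POOL = [f"decoy_{i:03d}" for i in range(200)]
# Assumed list of transaction types the financial treats as "risky".
RISKY_TRANSACTIONS = {"external_transfer", "wire", "add_payee", "change_contact_info"}

_rng = secrets.SystemRandom()  # OS entropy, not the predictable default PRNG


@dataclass
class User:
    user_id: str
    secret_images: list  # enrolled image ids, one per round; empty = not enrolled

    @property
    def enrolled(self) -> bool:
        return len(self.secret_images) == ROUNDS


def build_challenge(user: User) -> list:
    """Return ROUNDS grids, each a list of GRID_SIZE image ids containing exactly
    one of the user's secret images at a random position. The server keeps the
    returned grids in the session; the client only receives the images to draw."""
    grids = []
    for secret in user.secret_images:
        grid = _rng.sample(DECOY_POOL, GRID_SIZE - 1) + [secret]
        _rng.shuffle(grid)
        grids.append(grid)
    return grids


def verify_response(user: User, grids: list, positions: list) -> bool:
    """Check that positions[i] points at the secret image in grids[i].
    All rounds are evaluated before answering so that a single wrong round
    is not reported separately to the client."""
    if len(grids) != ROUNDS or len(positions) != ROUNDS or not user.enrolled:
        return False
    ok = True
    for grid, pos, secret in zip(grids, positions, user.secret_images):
        if not isinstance(pos, int) or not 0 <= pos < GRID_SIZE or grid[pos] != secret:
            ok = False
    return ok


def sign_in_requirement(user: User, today: date, deployment_date: date) -> str:
    """What the sign-in flow requires after userid/password have been verified.
    Enrolled users always get the second layer (no device registration, so the
    scheme stays portable across home, work, library and lobby PCs)."""
    if user.enrolled:
        return "second_layer"
    if today - deployment_date < timedelta(days=SKIP_WINDOW_DAYS):
        return "enroll_or_skip"  # staggered rollout: user may postpone enrollment
    return "enroll"


def transaction_requirement(user: User, tx_type: str) -> str:
    """Step-up: risky transactions repeat the second layer inside the session;
    an unenrolled user cannot perform them until enrolled."""
    if tx_type not in RISKY_TRANSACTIONS:
        return "allow"
    return "second_layer" if user.enrolled else "enroll"


if __name__ == "__main__":
    alice = User("alice", ["face_017", "face_042", "face_101"])  # constructed
    grids = build_challenge(alice)
    answer = [g.index(s) for g, s in zip(grids, alice.secret_images)]
    print("sign-in:", sign_in_requirement(alice, date(2008, 2, 1), date(2008, 1, 1)))
    print("challenge verified:", verify_response(alice, grids, answer))
    print("wire transfer:", transaction_requirement(alice, "wire"))
```

Because every sign-in produces a fresh, randomly laid-out grid, a captured set of click positions is not replayable, which is the property that made image-based challenge/response acceptable where text-based challenge questions were not. The skip window is evaluated against the deployment date, so the `enroll_or_skip` state disappears automatically after 30 days without any staff action.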
Results of that decision:
1. Our client’s marketing department received numerous positive comments from new customers prior to full implementation of Passfaces.
2. 50% of our client’s employees were enrolled and using Passfaces prior to full implementation.
3. Within the first 30 days of implementation, 40% of the active users were using the Passfaces layered authentication strategy.
4. Within the next 60 days, 99% of our client’s active users had completed enrollment and were actively using Passfaces.
