"How should unified two-factor authentication be designed?"
Angelika Steinacker, European Head of Identity and Access Management (IAM) at IBM advocates for being clear about the relevant use cases and technical environment when implementing multifactor authentication.
Interview with Dr. Angelika Steinacker
Dr. Angelika Steinacker, CTO Identity & Access Management , IBM Security Europe
After studying mathematics, Angelika Steinacker made IT security her specialty in her doctorate on cryptography. She is Head of Identity and Access Management (IAM) at the U.S. computer company IBM in Europe. In an interview, she advocates for being clear about the relevant use cases and technical environment when implementing multifactor authentication (MFA) in an effective good and user-friendly way.
Ms. Steinacker, what have you noticed most during your many years of involvement with IT security?When I started with IT security, it was still a rather marginal field. It was around the time that cryptography started to become commercial, first in the banking and finance sector. At the same time, this gave me a chance to meet important people in the security scene in person at congresses in the U.S., like Diffie Hellman and Bruce Schneier. As a woman, it wasn't always easy to be accepted in this field, but that didn't stop me from continuing. I would never have stayed with IT security if it had become boring.
Looking back, it amazes me that people haven't changed over all these years. Problems we faced 35 years ago are still here: for example, the attitude that “I won’t be affected by attacks. Many believe that what happens to others can’t happen to themselves and therefore they don’t need to take precautions.
One of the essential precautions is effective access protection mechanisms. Multifactor authentication (MFA) in particular is regarded as critical. What are the various MFA procedures, and how do they differ?Basically, a distinction is made between something you own like a token or a smartphone, something you know, traditionally a password, and something you are, which includes biometric methods like fingerprint or voice. The standard method we use at IBM is the password plus another factor through another channel: for example, a one-time password. It’s important that these are two independent factors operating over different channels; for example, they can’t be running on the same device. Possession variants include smartcards, Yubikeys and other tokens, and the smartphone with a special app: for example, to use fingerprints.
The product range includes a variety of token solutions. What are their advantages and disadvantages?What’s technically cool isn’t always what’s useful in everyday life. Yubikeys are a nice solution, very appealing in terms of technology and standardization. The smartphone also offers attractive options and it makes many things easier, but it’s suboptimal from a security perspective. That's because you're using the internal functions of the device or the operating system manufacturer that you can't fully control.
However, when it comes to service devices that are managed by the company, it's a different story. On private devices, however, you never know what’s running on them: often malware, unfortunately. However, precautions must be in place in the event of the loss of a device. This also applies to tokens, which can also be lost, perhaps even sooner than a smartphone.
It’s important to remember that some variants are subject to export restrictions. This applies in particular to companies that work in other countries. Yubikey, for example, doesn’t deliver to China. But if employees travel to China, they should be given a fresh laptop and smartphone on which sensitive data shouldn’t be stored under any circumstances. RSA tokens, on the other hand, are allowed in China, so they’re an alternative.
As mentioned, it’s crucial to use two procedures that operate via different channels. In the financial sector, regulations like PCI-DSS add the aggravating requirement that both factors must be applied simultaneously. This means that a user only finds out whether the login has worked after entering both factors: in other words, one factor isn’t queried and confirmed after the other.
Will multifactor authentication make it possible to say goodbye to passwords?This is possible theoretically, but I don't see it happening in practice. Many IT systems don’t allow anything other than passwords. In many companies, this approach would require major changes to the IT infrastructure.
If you can work with a risk-based approach and want to have little user interaction, you can work behaviour-based: The system analyzes the user's behaviour on the computer, such as the typing speed. However, this is difficult in Germany due to data protection laws. Most alternative solutions are very expensive or require massive adjustments to the infrastructure. In many companies, there are simply too many older IT components to consider.
Biometric procedures make it technically the easiest way for us to give up the password, but there are high security and data protection requirements. As a result, many of these methods are often only used for privileged access: for example, admin accounts.
An important point to consider is continuous authentication: How do I know that someone won't log into the system and then walk away from the PC, and an unauthorised person will come and use the logged-in PC? You’d think that with more permanent authentication and behaviour-based methods that this scenario could be detected. Continuous doesn’t necessarily mean at all times, but rather every once in a while. However, constantly asking users to re-enter their passwords is the worst form of authentication, because people quickly find ways to circumvent it.
So there are a few stumbling blocks lurking when introducing an MFA solution. What else is there to consider?Implementation in compliance with the law is important. Any company that operates internationally has to comply with many different laws, and data protection laws are at the forefront. Singapore has one of the strictest data protection laws. In many cases, there’s is no way around having your own server for data exchanges with Singapore, because domestic data can’t be mixed with foreign data there.
But even your own infrastructure often sets limits. The decisive question is whether you want to equip all employees with MFA or only some? In my opinion, you need it for everyone. But if you roll out a project like this for 20,000 employees, it’ll end up taking two years. Old IT systems are especially time-consuming.
In addition, companies have to adapt their processes. For example, how do you deal with someone losing their token? There have to be fallback options. As long as an employee can simply come into the office, that's not a problem. That's the usual method, because sending the token in the mail isn’t a good idea. But during COVID-19, it's difficult, and the same is true for employees abroad. In these cases, a smartphone is sometimes the better option.
How do you get MFA designed to be as user-friendly as possible? Users usually want to carry only one access key and need only one component for all enterprise software and platforms.You have to get employees on board, and communication is the most important thing. Users should have to do as little as possible themselves: There should be as little interaction as possible. If it gets too complicated, users will find workarounds and leave the Yubikey or smart-card permanently in the computer. There’s a lot to be said for biometric or behaviour-based processes, but they must be agreed on by works councils. It has to be proven that there’s no work monitoring taking place and that the data isn’t accessible to everyone.
However, there’s only one solution for all possible cases if you have a very simple IT infrastructure with few users who are all equally important and perform comparable activities. Otherwise, differentiation is inevitable. For example, different procedures are needed for old Windows systems than for current Windows versions.