Introduction
Authentication protection is a concern in both industry and research,
because authentication is relied upon as a strong protection measure to
ensure that communication exchanges between authenticated entities are
secure and private and that data maintains its integrity.
Vulnerabilities in multiple types of authentication and the
communications that follow it have been reported for interactive user
access (Perkovic, Cagalj, & Saxena, 2010; Volker, Richter, & Friedinger,
2004) and for automated system access (Xu & Zhu, 2013; Alomari, Benamer,
Muhammad Rafie Mohd, & Mohamed, 2014). This leads researchers to
consider new approaches to address the vulnerabilities and to develop
mechanisms that provide greater assurance that authentication
credentials are protected.
Improvement Approaches
There are two basic approaches that the literature appears to be taking
to improve authentication assurance. The first approach, primarily
adopted for interactive user access and authentication, is to adopt a
measure where the user enters authentication information in a
non-traditional way. The non-traditional way still requires data input
and exchange with the authentication service, but in a manner that, if
intercepted, would have no meaning to an attacker. In Perkovic et al.
(2010) and Volker et al. (2004), the researchers not only measured their
approaches to demonstrate their security, but also assessed them using
the System Usability Scale. Predictably, the new approaches did not rate
well on ease-of-use scales when compared to more traditional approaches.
The Technology Acceptance Model (TAM) measures the extent to which the
ease-of-use and usefulness of a technology predict the degree to which a
user will intentionally adopt it (Reynolds & Woods, 2006). The decrease
in ease-of-use could arguably be a factor in explaining why such
capabilities have yet to be adopted. It is possible that not only
ease-of-use but also usefulness has inhibited the adoption of such
technologies. In the research on interactive user authentication, the
authors made minimal effort to demonstrate a need for the technologies
they developed. If the threat that a technology addresses is not a
concern to users, then the technology provided to address that threat
will not be readily received. This may be an area where more
contributions to the body of knowledge would be helpful: the degree to
which users find different security threat scenarios significant. Such
information could guide the focus on what capabilities need to be
developed and whether such capabilities would have an improved chance at
adoption.
The second approach that seemed common in the literature for addressing
automated system authentication is to enhance current capabilities so
that the two systems exchange yet another piece of information and
perform a mathematical function on it. This approach is analogous to
encryption, where a key is exchanged and that key is required to undo a
hash and reveal the data. Alomari et al. (2014) present a type of shared
key exchange in RFID authentication to validate communications and
assure data integrity in an enhanced communication protocol. In a
similar derivative of this approach, Xu and Zhu (2013) introduce a smart
card that provides a proxy-type/anonymizing capability between two
systems in order to mask information about the remote system. The
proxy/anonymizing capability comes from a successful exchange of
additional information between the proxy and the remote system. Counter
to the ease-of-use challenges found in the interactive user
authentication solutions, the authors demonstrate the ability to
integrate these solutions with minimal user impact and cost. This makes
it difficult to ascertain what factors could be impeding the adoption of
these solutions, and perhaps more research that examines why these types
of technologies are not being seen in the market would be useful.
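The second approach in action, as an added example that is not from the post or from the papers it cites: a generic shared-secret challenge/response exchange in which each side contributes a fresh nonce and computes a keyed function over both (HMAC-SHA256 here, an assumption), so the key never appears on the channel and a response captured in one session fails against a later challenge.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of shared-secret challenge/response mutual
# authentication between an RFID-style tag and reader. Each side adds a
# fresh nonce and computes a keyed function (HMAC-SHA256, an assumption)
# over both nonces, so the shared key itself never travels on the channel.
# This is a generic example, not the APSEC+ protocol from the cited paper.

def _mac(key, role, reader_nonce, tag_nonce):
    # The role label keeps a tag proof from being reflected back as a reader proof.
    return hmac.new(key, role + reader_nonce + tag_nonce, hashlib.sha256).digest()

def reader_challenge():
    """Step 1: reader sends a fresh random nonce."""
    return secrets.token_bytes(16)

def tag_respond(key, reader_nonce):
    """Step 2: tag adds its own nonce and proves key knowledge over both."""
    tag_nonce = secrets.token_bytes(16)
    return tag_nonce, _mac(key, b"tag|", reader_nonce, tag_nonce)

def reader_verify_and_respond(key, reader_nonce, tag_nonce, tag_proof):
    """Step 3: reader checks the tag's proof (constant-time compare) and,
    only if it is valid, returns its own proof so the tag can verify the reader."""
    if not hmac.compare_digest(_mac(key, b"tag|", reader_nonce, tag_nonce), tag_proof):
        return None
    return _mac(key, b"reader|", reader_nonce, tag_nonce)

def tag_verify(key, reader_nonce, tag_nonce, reader_proof):
    """Step 4: tag checks the reader's proof; both sides are now authenticated."""
    return hmac.compare_digest(_mac(key, b"reader|", reader_nonce, tag_nonce), reader_proof)

def run_protocol(tag_key, reader_key):
    """Full exchange; True only when both sides accept each other."""
    n_r = reader_challenge()
    n_t, tag_proof = tag_respond(tag_key, n_r)
    reader_proof = reader_verify_and_respond(reader_key, n_r, n_t, tag_proof)
    return reader_proof is not None and tag_verify(tag_key, n_r, n_t, reader_proof)

def replay_is_rejected(key):
    """A tag response captured in one session fails against a later
    challenge, because the reader's nonce is fresh every run."""
    n_t, captured_proof = tag_respond(key, reader_challenge())
    return reader_verify_and_respond(key, reader_challenge(), n_t, captured_proof) is None
```

Running `run_protocol(k, k)` with a shared 32-byte key returns True, while a mismatched key or a replayed response is rejected without the key ever being sent.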
The Importance of the Problem
Valid authentication is a concern across the board and represents both
a human and a technology problem. The use of compromised credentials is
the primary attack vector that leads to successful breaches in
organizations (Rapid 7 empowers organizations, 2014). Credentials are
compromised due to human issues (social engineering attacks), technology
issues (compromised systems) and policy issues (weak passwords that are
easily cracked). Management attempts to address these issues with
relevant controls and capabilities that are appropriate for the threat
and risk in the organization. A common layer of protection is a strong
detective capability, which should identify the use of compromised
accounts regardless of how the attacker obtained the credentials.
References
Alomari, S. A., Benamer, S. H., Muhammad Rafie Mohd, A., & Mohamed, H. H. (2014). APSEC+: An enhanced simple mutual authentication protocol for RFID security. International Journal of Academic Research, 6(5), 278–291. doi:10.7813/2075-4124.2014/6-5/A.39
Perkovic, T., Cagalj, M., & Saxena, N. (2010). Shoulder-surfing safe login in a partially observable attacker model. Financial Cryptography and Data Security, Lecture Notes in Computer Science, 6052, 351–358. Retrieved from https://ifca.ai/pub/fc10/29_80.pdf
Reynolds, R. A., & Woods, R. (Eds.). (2006). Handbook of Research on Electronic Surveys and Measurements. Hershey, PA, USA: IGI Global. Retrieved from http://www.ebrary.com
Volker, R., Richter, K., & Friedinger, R. (2004). A PIN-entry method resilient against shoulder surfing. Proceedings of the 11th ACM Conference on Computer and Communications Security, 236–245. doi:10.1145/1030083.1030116
Xu, J., & Zhu, W. T. (2013). A generic framework for anonymous authentication in mobile networks. Journal of Computer Science and Technology, 28(4), 732–742. doi:10.1007/s11390-013-1371