Planning Considerations for BYOD and Consumerization of IT (Part 4)

by [Published on 24 Sept. 2014 / Last Updated on 24 Sept. 2014]

In this Part 4, we’ll take up the discussion where we left off in the last article and offer some thoughts about the need for your BYOD strategy to support modern authentication mechanisms.

If you would like to read the other parts in this article series please go to :

Introduction

In the first part of this series on planning considerations for security BYOD and consumerization of IT, we looked at the Bring Your Own Device (BYOD) problem domain and discussed key aspects of planning and design. We finished up the article by looking at the structure of a planning frame work that you can use to guide your planning decisions. In Part 2, we discussed a collection of solution requirements that cuts across all secure BYOD deployments. This encompasses the technical capabilities that are required in all BYOD solutions. In Part 3, we continued our coverage of the BYOD requirements and the history and intent behind them.

Support for modern authentication mechanisms

We spent a lot of time exploring the many facets of identity management, but the foundation of identity is the ability to verify the authenticity of the identities that are being managed. Identity theft is a major problem today so there must be some mechanism for confirming that the user (or computer) logging onto our network really is whom or what he/she/it claims to be. How do we verify identity?

We trust that “paper creds” such as drivers’ licenses and passports legitimately identify the person who presents them because:

  • We know that the issuing authority went through an established verification process before issuing the documents, and
  • Those identifying documents included photos of the person that we can compare with the person who is presenting them.

Traditional authentication: Password/PIN

Establishing the authenticity of identity online is more complicated because it’s much easier to “fake it” than with person-to-person transactions. Traditionally, the accepted means for authenticating computer users has been the combination of a username with a password or PIN (Personal Identification Number). It’s a simple way to verify identity. In theory, only the person associated with the user name knows what the password/PIN is so that knowledge verifies the identity.

In practice, there are problems with password authentication, and as computers get more powerful, those problems intensify. Brute force attacks “crack” passwords by simply guessing every possible combination of characters until they get lucky and hit upon the right one. It would be extremely difficult for a human to manually crack even a four digit PIN, but fast CPUs can try hundreds or thousands in minutes. Dictionary attacks narrow down the possible character combinations by relying on the tendency of most people to use “real” words as passwords.

Password authentication is strengthened by the use of longer and more complex passwords (or better, passphrases). Passwords don’t have to be words; they can be random combinations of characters – as many computer-generated passwords are. The only problem with that is that the longer and more nonsensical the passcode is, the less likely the user is going to be able to remember it. That results in users writing down their passcodes, which creates another security risk.

It’s been more than 10 years since Bill Gates predicted the death of passwords at an RSA security conference in February 2004. Despite the development of new and indisputably more secure methods of authentication, passwords are still with us. Human nature being what it is, many users are still, when given the choice, opting for short, easy-to-guess passwords. The good news is that last year, the word “password” was finally toppled from the top of the list of most common bad passwords. The new winner is “123456.” I’m not sure that’s indicative of any progress in user education and awareness.

Of course, administrators have the technological ability to force the use of longer and more complex passcodes, but then we’re back to users getting frustrated with the inability to remember them and writing them down. Bill might have been overly optimistic in his predictions, he was absolutely correct in his basic premise: the password is an outdated method of authentication and it needs to go.

Modern authentication

If the password is dying – albeit slowly – what is taking its place? Modern authentication methods are aimed at creating more of a challenge to potential hacker/crackers, while at the same time focusing on ease of use for the users. Interestingly, while desktop computer users are still overwhelmingly logging on with the same old username/password combination, it’s BYOD devices that are leading the way in providing new ways for their users to authenticate.

Thus your BYOD strategy needs to incorporate support for these modern authentication methods. Some are more secure than others, so it’s up to your organization to determine which meet your security standards and which you will support.

Some modern user authentication methods include the following:

  • Challenge questions
  • Pattern recognition
  • Smart card/token
  • Keystroke dynamics
  • Voice recognition
  • Biometric authentication

Any or all of these can be used in combination with passwords or PINs as part of a multi-factor authentication implementation. Multi-factor authentication combines two or more of the four following factors:

  • Something the user knows (such as a password or PIN)
  • Something the user has (a physical thing in his/her possession, such as a smart card or dongle)
  • Something the user does (the way he/she speaks or types, sometimes called behavioral biometrics)
  • Something the user is (a biologic/physiological trait such as fingerprint, retinal pattern or DNA)

In light of that, let’s look at each of the aforementioned authentication methods in a little more detail.

Challenge questions

Many web sites have begun incorporating, along with user name and password, challenge questions such as “what is the name of your favorite pet?” or “what was the street you lived on as a child?” The question may be coupled with a random image that the user selects. This adds a bit more security because an unauthorized user who, for example, found the password the user wrote on a sticky notepad and left in the top desk drawer would presumably not also know the answers to these personal questions. Note that the combination of username/password/challenge response does not constitute genuine multi-factor authentication.

Pattern recognition

Many smart phones and tablets now allow users to unlock them by tracing a pre-set pattern on a grid of dots with their fingers. This is a great deal easier than typing on a tiny on-screen keyboard. As with patterns, the security of this method varies depending on the complexity of the pattern and the number of dots it uses. Microsoft’s Windows 8 operating system can use a variant of this, in which the user selects a photograph that will be presented at logon and then must touch specific parts of the photo in the specified order and pattern.

As with passcodes, a drawback of pattern recognition is that increased complexity makes it harder for the legitimate user to remember the pattern – although the physical process of swiping the pattern, once burned into muscle memory, may be more easily retained than simple mental memories of a string of characters. That’s the reason some people are able to type a long numerical password but can’t verbally tell you what it is. As with challenge questions, this is another example of “something the user knows” and thus doesn’t qualify as true multi-factor in conjunction with a passcode.

Smart card/token

Smart cards have become one of the most popular forms of modern multi-factor authentication in corporate environments; the employee ID card often functions as the smart card and can be used for physical access such as opening doors as well as holding the digital credentials for authenticating the user to the network. An advantage of smart cards is that they do accomplish true multi-factor authentication when paired with a password or PIN (something user knows plus something the user has). A disadvantage is that if the user loses the smart cards, it’s stolen or just left at home, the user will be unable to authenticate. Another disadvantage is the cost, which includes both the cards themselves and the readers that are necessary to use them.

Tokens work similarly, but the identity information is stored on a dongle or USB key or can even be a virtual token stored on a smart phone, in which case the phone becomes the “second factor” that the user possesses. This has a convenient advantage in that most people already take their phones everywhere with them so there’s no additional item to remember.

Keystroke dynamics

A relatively obscure method of authentication involves “something the user does” – the keystroke patterns when typing. Studies have shown that the exact rhythm, timing and weight given to keystrokes can be analyzed to reveal a pattern that’s unique to each user. This information can be stored and compared when the user types a sequence again as a way of authenticating identity.

A big advantage of this method of authentication is that the user doesn’t have to remember anything – no memorization of a passcode and no need to remember to bring along a smart card or token device. A disadvantage of this and other behavioral authentication methods is that unusual circumstances may alter a user’s behavior. That is, an injury to a hand or finger could cause a normally fast touch typist to hunt and peck with one hand, altering the pattern.

Voice recognition

Natural voice patterns have also been found to be unique to specific persons. By utilizing computer analysis of hundreds of different vocal characteristics, a voiceprint can be constructed and then all the user has to do to authenticate is to speak. Although again, circumstances (such as a cold or injury to the throat) could alter the print, in most cases there would still be enough points of comparison to get a match. In 2012, the National Bank of Australia began using voice recognition for some customer authentication situations.

Biometric authentication

Biometrics is a big field in which there has been a lot of research and study over the last several years. True biometrics (as opposed to “behavioral biometrics”) involves something the user is, an inherent physical characteristic that cannot be easily altered. The most common form of biometric authentication uses fingerprint recognition. Fingerprint readers have been available for desktop computers and have been built into some laptops for years. Now some of the latest high-end smart phones, such as the Galaxy S5, include fingerprint recognition to unlock the phone. Variations include palm print recognition, iris or retinal pattern recognition and, at the extreme end, DNA analysis.

Biometric authentication has the big advantage of rarely changing or being altered by circumstances, being more difficult to duplicate than other methods, being something the user always has with him/her, and no cost on the user end (as there is with smart cards and tokens). However, biometric scanning equipment can be relatively expensive, and some users consider the technology intrusive. When combined with a “knowledge” factor, biometric authentication can offer the most secure form of authentication.

Summary

When designing your BYOD strategy, it’s important to take into consideration the many different methods of user authentication that are available for today’s computers and devices, and for the best security you should take advantage of this and incorporate support for modern authentication technologies into your plan.

If you would like to read the other parts in this article series please go to :

See Also


The Author — Deb Shinder

Deb Shinder avatar

Debra Littlejohn Shinder, MCSE, MVP (Security) is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security.