Multi-factor Authentication

Download CSOC Protect Notice, Multi-factor Authentication (PDF), updated June 2014

Introduction

  1. Multi-factor authentication is one of the most effective controls an agency can implement to prevent a cyber intrusion. This can help to prevent an adversary from gaining access to your network and identifying and accessing sensitive information during a cyber intrusion. When implemented correctly, multi-factor authentication can make it significantly more difficult for a cyber adversary to steal legitimate credentials to facilitate further malicious activities on the network.
  2. This document explains different multi-factor authentication methods and why some are more secure, and therefore more effective than others, to assist agencies in selecting an appropriate solution.
  3. The Australian Signals Directorate (ASD) recommends that multi-factor authentication be used for all accounts. Using multi-factor authentication provides a secure authentication mechanism that is not as susceptible to brute force attacks and reduces the demands on users to remember long passphrases.

What is multi-factor authentication?

  1. Multi-factor authentication occurs when a user is required to provide multiple pieces of information to authenticate themselves to a system, from at least two of the following categories:
    1. something they know (such as a passphrase, response to a challenge or PIN)
    2. something they have (such as a passport, physical token or card, or software certificate)
    3. something they are (such as biometric data, like fingerprints or facial geometry).
  2. Common combinations of multi-factor authentication include:
    1. tokens that generate a random number used in conjunction with a PIN or password
    2. smartcards presented to a reader and unlocked with a PIN or password
    3. one-time time-limited codes sent via SMS used in conjunction with a PIN or password
    4. biometrics such as a fingerprint scan or facial recognition used in conjunction with a PIN or password
    5. software-based certificates or credentials stored on the user’s machine or a removable device that is accessed using a PIN or password.

Why is multi-factor authentication important?

  1. Cyber adversaries frequently attempt to steal legitimate user or administrative credentials when they compromise a network. These credentials allow them to easily propagate on a network and conduct malicious activities without installing additional exploits, thereby reducing the likelihood of detection and making it easier for less sophisticated adversaries. Cyber adversaries will also try to gain credentials for remote network access solutions, including Virtual Private Networks (VPN), as these accesses can mask their activities and reduce the likelihood of being detected.
  2. When multi-factor authentication is implemented correctly, it is significantly more difficult for the cyber adversary to steal legitimate credentials, because:
    1. the user has to prove they have physical access to a second factor that either they have (passport, physical token or card) or are (fingerprints, facial recognition), or
    2. the credentials the cyber adversary obtains expire, ensuring that even if the cyber adversary compromises those credentials, they can’t be used to enable future access or intrusion activity.

Are all multi-factor authentication methods equally effective?

  1. While all forms of multi-factor authentication listed in this document provide significant advantages over basic username and password authentication, some methods are more effective and secure than others. It is essential that multi-factor authentication is implemented and configured correctly on your network to ensure that vulnerabilities are minimised. Multi-factor authentication that has not been implemented or configured properly can result in a false sense of security and leave your network vulnerable to malicious activity.
  2. Multi-factor authentication is most effective when one of the factors is physically separate from the computer from which the user is accessing the system or resource, such as using a token or smartcard rather than a software-based certificate.
  3. To maximise the security effectiveness of any multi-factor authentication method chosen, an agency should ensure that:
    1. the authentication server is hardened and is isolated from the rest of the network as much as possible. This can be achieved by (at a minimum):
      1. implementing the Top 4 mitigation strategies from DSD’s Strategies to Mitigate Targeted Cyber Intrusions on the authentication server
      2. applying any specific hardening advice for the product provided by the vendor, and
      3. implementing appropriate network segmentation and segregation to limit which machines and users on your network can access the authentication server.
    2. users pick reasonably complex passwords or PINs, to ensure defence-in-depth if the token or credential is copied, lost or stolen.
    3. the PIN or password used, particularly for remote access, is different to the user’s standard password for the network if it doesn’t require multi-factor authentication.
    4. users do not store physical tokens with the device they use for remote access.

Common multi-factor authentication methods explained

Time-synched and token-based multi-factor authentication

  1. The user is provided with a physical token that displays a number that is valid for a specified period of time. The clocks on the token and the authentication server are synchronised, so the authentication server knows which number should be displayed, on every token it services, at any given time. When the user authenticates with a user name, a PIN or password, and the number displayed by the token, the authentication server verifies that all details are correct for that user and grants or denies access.
  2. When implemented correctly, this is the most effective form of multi-factor authentication. Even if a cyber adversary key logs or intercepts the number the user enters, after the expiry time passes that information will be useless.
  3. For maximum security and effectiveness, an agency should ensure, in addition to the general advice in paragraph 10 (under "Are all multi-factor authentication methods equally effective?" above), that:
    1. the expiry time of the number displayed on the token is set to the lowest value practical
    2. users are instructed to report any lost or missing tokens, and
    3. users know that they should never provide details (such as the serial number and number displayed) about their token unless they are certain it is being requested by their ICT staff.
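The time-synchronised token scheme described above, as an added example that is not part of the advisory: a minimal server-side verifier in Python that derives the expected number for each time step the way the token does, checks the PIN alongside it, and rejects a code once its expiry window has passed. It also refuses a code that has already been accepted, a replay check the advisory does not spell out but which a server should apply. The seed, salt, PIN, user name and timestamp are constructed demo values.

```python
import hashlib
import hmac
import struct
# Constructed demo values; a real deployment provisions a secret seed per token and a PIN per user.
DEMO_SECRET = b"constructed-demo-token-seed"
STEP_SECONDS = 30  # lifetime of the number shown on the token (the advisory's "expiry time")

def token_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226-style HMAC-SHA1 truncation: the number the token shows for one time step."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)

def displayed_code(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    # What the token displays at time `now`; token and server derive it from the same clock.
    return token_code(secret, int(now // step))

def pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class AuthServer:
    def __init__(self, step: int = STEP_SECONDS, drift_steps: int = 1):
        self.users = {}                 # user -> (token seed, salt, PIN hash)
        self.step = step
        self.drift_steps = drift_steps  # tolerated clock skew between token and server
        self.used = set()               # (user, counter) pairs already accepted once

    def enrol(self, user: str, secret: bytes, pin: str, salt: bytes) -> None:
        self.users[user] = (secret, salt, pin_hash(pin, salt))

    def verify(self, user: str, pin: str, code: str, now: float) -> bool:
        if user not in self.users:
            return False
        secret, salt, stored = self.users[user]
        if not hmac.compare_digest(pin_hash(pin, salt), stored):
            return False
        current = int(now // self.step)
        for counter in range(current - self.drift_steps, current + self.drift_steps + 1):
            if hmac.compare_digest(token_code(secret, counter), code):
                if (user, counter) in self.used:  # same code presented twice: replay
                    return False
                self.used.add((user, counter))
                return True
        return False  # PIN was right but the code is wrong, expired or not yet valid

def demo():
    server = AuthServer()
    server.enrol("alice", DEMO_SECRET, "4821", b"constructed-salt")
    t0 = 1_700_000_000.0  # constructed login time
    code = displayed_code(DEMO_SECRET, t0)
    first = server.verify("alice", "4821", code, t0 + 5)    # legitimate login within window
    replay = server.verify("alice", "4821", code, t0 + 10)  # same code replayed in window
    late = server.verify("alice", "4821", code, t0 + 120)   # key-logged code after expiry
    return first, replay, late
```

Lowering STEP_SECONDS shortens the window in which a captured number remains usable, which is the trade-off behind the advice to set the expiry time to the lowest practical value.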

Certificate-based smartcard login multi-factor authentication

  1. The user presents a smartcard to a reader connected to the computer when accessing sensitive information or resources. Software installed on the user’s computer prompts the user to also provide a PIN or password to unlock the card, then verifies their identity using the private key stored on that card. When the card is successfully unlocked, the software installed on the computer assists the user to verify their identity by signing an authentication request with the user’s private key. The authentication server then verifies that the authentication request is signed by the valid and correct user’s trusted private key, and grants or denies access.
  2. This type of multi-factor authentication provides significant advantages over user name and password login alone. However, there is a potential vulnerability due to the reliance on the software installed on the user’s computer. If the user’s computer is compromised and the cyber adversary gains elevated privileges, they can use the services provided by the smartcard software to intercept and replay legitimate authentication requests or initiate fraudulent requests on the user’s behalf. An example of an attack such as this is documented in the Mandiant M-Trends 2011 report.
  3. For maximum security and effectiveness, an agency should ensure, in addition to the general advice in paragraph 10 (under "Are all multi-factor authentication methods equally effective?" above), that:
    1. The certification authority’s keys are adequately protected, for example, stored in an evaluated hardware security module, and backups of the keys are physically secured and stored offline.
    2. The computers from which users authenticate are hardened and secured. This can be achieved by implementing, at a minimum, the Top 4 mitigation strategies, using an up-to-date anti-virus program, and implementing a host-based firewall and IPS/IDS. An alternative approach is only allowing access from frequently updated and restarted, non-persistent, trusted operating environments.
    3. Users receive a visual notification each time an authentication request is generated that requires the user to enter their PIN or password. This will enable them to potentially detect fraudulent requests.
    4. Users do not leave their smartcards inserted and unlocked in the reader. Contactless smartcard readers can be used to enforce this control.
    5. Storage and functionality on the smartcard is minimised as much as possible, so that applications on the smartcard cannot be used to breach the security of your systems.
    6. Agencies utilise smartcards that have completed an appropriate security evaluation.
    7. Users are instructed to report any lost or missing smartcards as soon as practical.

SMS-based one-time multi-factor authentication

  1. This emerging multi-factor authentication technology uses mobile phones as a relatively inexpensive second factor. When the user enrols to access the system, they provide their mobile phone number so that a one-time, time-limited, additional password or PIN can be sent to them when they wish to log on or to confirm that they wish to conduct a transaction. During the logon process they provide a user name and password, and request that the authentication server send an SMS to their pre-registered mobile phone. The user then provides the code received by SMS to the authentication server, which verifies that all the details are valid and grants or denies access.
  2. The advantages of this technology are that it uses a second factor that the user already has, and therefore minimises the cost to the system owner, and that the PIN or password provided via SMS is time-limited. However, there are also a number of disadvantages, namely:
    1. Mobile phone networks can have degraded service or no service at all, which may affect the availability of the system.
    2. Use of smartphones for internet browsing and system access may mean that the SMS containing the PIN or password may no longer be out-of-band or secure.
    3. Mobile phone networks, and many smartphones, are not secure and SMS can be intercepted by motivated and competent cyber adversaries, particularly when travelling. However, since the one-time PIN or password provided by SMS expires, it will have limited use if intercepted, therefore limiting the scope of the compromise.
  3. For maximum security and effectiveness, an agency should ensure, in addition to the general advice in paragraph 10 (under "Are all multi-factor authentication methods equally effective?" above), that:
    1. the expiry time of the one-time password sent via SMS is set to the lowest value practical.
    2. users are instructed to report the theft or loss of their phone, or a change in phone number, as soon as practical.

Biometric-based multi-factor authentication

  1. This multi-factor authentication mechanism requires the user to enter a PIN or password, along with presenting a biometric such as a fingerprint or facial recognition scan. When the user enrols they provide a scan of the appropriate biometric (such as a fingerprint or facial scan) as a reference point for the authentication server to compare to. When the user authenticates they provide a PIN or password along with their biometric scan, the authentication server verifies both the PIN/password and the biometric with those provided at enrolment, and grants or denies access based on the outcome.
  2. When implemented properly and securely, this is an extremely secure method of multi-factor authentication; however, the cost of good biometric readers and user privacy considerations are often significant barriers to implementation. It should also be noted that for every biometric, due to the wide range of differences between individuals, some of the potential users will not be able to successfully use it.
  3. Like smartcard-based logon, the vulnerability in this mechanism is caused by the reliance on the software installed on the user’s computer. If a cyber adversary compromises the user’s computer and gains elevated privileges, then it is possible for the cyber adversary to use the services provided by the biometric capture software in order to intercept and replay legitimate authentication requests or initiate fraudulent requests on the user’s behalf. Furthermore, the effectiveness of biometric-based authentication relies on the quality of the biometric readers and software to ensure that false negatives (denying access when it should be allowed) and, more importantly, false positives (granting access when it should have been denied) are both minimised. The expense and availability of high quality biometric readers and software for a user’s system make implementing secure biometric multi-factor authentication difficult.
  4. For maximum security and effectiveness, an agency should ensure, in addition to the general advice in paragraph 10 (under "Are all multi-factor authentication methods equally effective?" above), that:
    1. The computer from which users authenticate is hardened and secured. This can be achieved by implementing, at a minimum, the Top 4 mitigation strategies, using an up-to-date anti-virus program, and implementing a host-based firewall and IPS/IDS. An alternative approach is only allowing access from frequently updated and restarted, non-persistent, trusted operating environments.
    2. Each time an authentication request is generated, the system requires the user to enter their PIN/password and displays a visual notification; because the user is prompted for every request, fraudulent requests are more likely to be detected.
    3. They implement a good quality biometric reader and software to minimise the risk of both false positives and negatives.
    4. They plan for an alternative authentication method for those likely, but probably few, cases where an individual cannot successfully use the biometric mechanism.

Software-based certificate multi-factor authentication

  1. When the user wishes to authenticate to the system, the system attempts to access the user’s software-based certificate, which is stored in a file or in the registry on the hard drive. When the certificate is located, the user is prompted to provide their PIN or password to unlock the certificate store. If successful, the software installed on the computer assists the user to verify their identity by signing an authentication request with the user’s private key. The authentication server then verifies that the authentication request is signed by the valid and correct user’s trusted private key and grants or denies access based on the outcome of that verification.
  2. Software-based certificates are the least preferred multi-factor authentication method, as they do not provide one of the factors independently of the computer from which the user is accessing the resource that requires multi-factor authentication, and they can be easily copied or stolen without the user’s knowledge.
  3. The vulnerability in this mechanism is caused by the reliance on the software installed on the user’s computer. If a cyber adversary compromises the user’s computer, then it is possible for the cyber adversary to use the services provided by the software in order to intercept and replay legitimate authentication requests or initiate fraudulent requests on the user’s behalf. By compromising the user’s computer, the cyber adversary can gain access to both factors easily with a low likelihood of detection. There is also the additional risk that if the cyber adversary can gain elevated privileges, the user’s keys and certificates can be stolen from their computer (as they are just files or registry values) and used by the cyber adversary from their own computers or infrastructure to enable prolonged and difficult-to-detect remote access. For this reason, it is recommended that agencies only use software-based certificates for low risk transactions or systems, and never for authentication via a remote access solution.
  4. For maximum security and effectiveness, an agency should ensure, in addition to the general advice in paragraph 10 (under "Are all multi-factor authentication methods equally effective?" above), that:
    1. The computer from which users authenticate is hardened and secured. This can be achieved by implementing, at a minimum, the Top 4 mitigation strategies, using an up-to-date anti-virus program, and implementing a host-based firewall and IPS/IDS. An alternative approach is only allowing access from frequently updated and restarted, non-persistent, trusted operating environments.
    2. Each time an authentication request is generated, the system requires the user to enter their PIN or password and displays a visual notification; because the user is prompted for every request, fraudulent requests are more likely to be detected.
    3. The certificate and keys are stored in the operating system’s certificate store rather than in a regular file on the hard disk.

Further information

  1. The Australian Government Information Security Manual assists in the protection of official government information that is processed, stored or communicated by Australian Government systems.
  2. DSD’s Strategies to Mitigate Targeted Cyber Intrusions complements the advice in the ISM.

Contact

Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.