On a serious note, when . . . → Read More: Security: Sometimes less is more]]> I am a security architect. My job is not to provide the best in class security, just in case you didn’t get it, MY JOB IS NOT TO PROVIDE BEST IN CLASS SECURITY. I strive to provide the RIGHT LEVEL of security based on the risk, always taking into account the usability and cost of the solution I am recommending. There is a reason why enterprise architects and people who run the business and pay the bills sometimes hate the security types. More often than not, we try to recommend super duper secure solutions which cost a fortune and are mostly unusable. We love 8…oops is it 12 or 16 characters now passwords with alphanumeric, upper case, lower case characters. Doesn’t matter if nobody, includng us could remember them; and we want them to change those every other week ?. We love to spread fear and create confusion. My brother called me last night asking what can he do to protect his social security number; some security type had told him that last year 5 million identities were stolen in USA alone. Who comes up with these absurd numbers ?

On a serious note, when was the last time you thought about the number of help desk calls that would be generated by the SECURE solutions we are recommending (THINK COST !). Or the poor people who would be forced to write all their passwords on post-its (THINK USABILITY !). I have always thought of security design as an optimization problem guided by the level of security required based on the risk, but never forgetting the cost and usability. We have to make all of these factors OUR concerns when we design security. I always have my compass to guide me as an architect. You can also see it below. Sometimes a simple solution which can be effectively used by the majority of the users without much hassle and with little cost is better. Perhaps it is not always there, but do we always look for that, strive for that ? Sometimes less is more…

OTP is not ALWAYS something you have when it comes to authentication

OTP tokens rely on the fact that it is almost impossible to predict the next value of the number provided by the token. Thus a commonly made in-correct assumption that someone who is able to provide the correct token value ALWAYS possesses the token. This ignores the fact that one can simply choose to convey the value of the token over phone or SMS. We are of course assuming intentional communication here but . . . → Read More: Why Smart Cards are better than OTP tokens in two factor authentication systems]]> Every security professional knows that 2 factor authentication is better than a single factor system. A fact commonly misunderstood is that not all 2 factor authentication systems provide equivalent security protection. A prevalent confusion among enterprise architects and even some security professionals is that One Time Password Tokens (OTP) and Smart Cards provide an equivalent level of security protection. After all both of these are, “something you have,” and thus equivalent. This is a gross over simplification when comparing two entirely different technologies. In fact, even something you have is not always a true statement when it comes to OTP. Let’s look at this in a bit more detail.

OTP is not ALWAYS something you have when it comes to authentication

OTP tokens rely on the fact that it is almost impossible to predict the next value of the number provided by the token. Thus a commonly made in-correct assumption that someone who is able to provide the correct token value ALWAYS possesses the token. This ignores the fact that one can simply choose to convey the value of the token over phone or SMS. We are of course assuming intentional communication here but the fact remains that it is possible to do this and if you can do this so can any man-in-the-middle. The knowledge of correct token value does not in fact ALWAYS imply possession of the token; it simply means that you know the token value at that particular time. Every decent hacker eager to earn a living understands this nuance and this has been exploited by a number of trojans which simply collect the value of the secret (password) and the token value using various man-in-the-middle techniques and resubmit these values to the target site (usually a banking site) with in the life time of the token.

Smart Cards allow establishing 2 way SSL

Compared to the tokens, smart cards allow to establish the identity of the user by using SSL certificates and private keys. This actually allows establishing a two way SSL session between the end points involved in the session. A two way SSL session requires both end points to prove their identity to each other using SSL certificates. Smart Cards store a signed digital certificate issued by a trusted certificate authority (CA) and the private key associated with that certificate on secure hardware, i.e. the chip on the smart card. In fact the microprocessor and the associated operating system on the smart card will never allow the private key to leave the smart card. Therefore, it is possible for a website to verify the identity of the user by the certificate stored on the smart card. This allows the web server to establish a two way SSL session where not only the web server has proven its identity using an SSL certificate but the browser has also proven its identity to the web server using the certificate on the smart card. It is simply not possible to compromise this system using the types of attacks which are used against tokens, where one simply needs to capture the correct value of the token for a compromise.

The additional security provided by establishing a two way SSL session, only possible using smart cards is way better than OTP tokens and unless someone call tell me on how to comprise a correctly established two way SSL session, man-in-the-middle attacks are next to impossible on a correctly configured smart card based system authentication system.