Why is it so Difficult to Add Two-Factor Authentication to Online Applications?

by Mushegh Hakhinian
Security Architect, IntraLinks
POSTED ON February 9, 2011

Mushegh HakhinianThe primary challenge around adding two-factor authentication to online applications is that it is difficult to bolt-on anything to an existing product. The problem is usually unrelated to the security technology but is down to inherent problems with the web applications. Most are not designed with security in mind.

Traditionally, if access control was important, some kind of login functionality would have been added to the application. This has been the way since the early days of client-server model. Unfortunately not a lot has changed since then. Even the most cutting edge web applications are designed as a castle with a reinforced perimeter and a heavily guarded entrance in the form of the login page. Once in, all users will have access to everything they are authorized to.

RSA Conference 2011 San Francisco

The problem with this model is the assumption that everything behind the door has the same requirements for security, which is regularly not the case. Online banking applications recognized those challenges first, and understood the need to address them. They started by adding strong authentication to the function of authorizing money transfers. Following that, the U.S. federal government mandated two-factor authentication at login.

The web applications industry again, though, dodged the bullet by using the then new risk-based authentication model where only a low percentage of logins were considered risky enough (risk threshold is configurable by the banks) to warrant additional challenges. Thus, we know from experience that narrow specialization of applications allows bolting-on additional security measures later.

However, when the goal is to build a platform for providing solutions across multiple verticals, the access control has to be decentralized to provide just in time strong authentication and authorization. Security has to be built-in and available as a service to all modules of the application.

Rapid adoption of cloud-based services exacerbates the situation since the data and transactions that the login page protects are now subject to different security policies for different users. In other words, the same transaction or feature needs to be protected differently, depending on customer requirements. Customer requirements, whether it’s a private company or government organization, are difficult to predict when applications are initially designed.

Applications must be designed in a way that customers can apply the security requirements as configuration settings. An IntraLinks exchange is perfectly suited for this. Each exchange has its own ‘security level’ setting that can range from regular password to One Time Password (OTP) to any custom authentication mechanism. This kind of segmented application resolves the dual problem of strong authentication — appropriate level of security and user experience degradation. It enables customers to avoid putting the strongest authentication mechanism at login, which inconveniences all users, but at the entrance to their digital workspace (exchanges, in our case). Users will input a simple password to enter the application and see a list of exchanges that they are authorized to enter. They will seamlessly navigate to some exchanges. Some exchanges will ask for a security question. Others will challenge for an OTP. On top of that, if the customer has established a custom rule requiring that only internal IPs have access to the exchange, they may be declined access because the user Is not coming from an approved IP address.

This segmentation allows for extending security policies to the cloud. If the internal security policy requires two-factor authentication for a certain class of documents, an exchange can be configured for all documents of that class to be uploaded there. This will be particularly appealing to people who do not want to keep two systems — a cloud provider for data classified as, for example, ‘public’ and ‘unclassified’, and an internal system for ‘confidential’ documents.

In conclusion, the technology has matured to provide strong authentication for online applications and there is no good reason to not use it. With a little foresight in design phase, it is possible to introduce the strongest of electronic authentication mechanisms to the web.

I look forward to the deep dive into where and how to apply two-factor authentication, which I will be presenting at the RSA Conference in San Francisco next week.

Tags: #RSAC / 2 factor authentication / @RSAConference / Cloud / internal security policy / IntraLinks Exchange / Mushegh Hakhinian / password / risk-based authentication model / RSA Conference in San Francisco / security technology / technology / two-factor authentication
 
dvjdliyriw March 21, 2012 04:58 PM
jf6Sku , [url=http://yrourrmspwmj.com/]yrourrmspwmj[/url], [link=http://lgfslvspiqon.com/]lgfslvspiqon[/link], http://sodpncnevkxe.com/
ufqapufutk March 20, 2012 07:52 PM
6dz11q <a href="http://fqwzhkjfuphu.com/">fqwzhkjfuphu</a>
hgfsolc March 19, 2012 10:17 PM
ypAgvO , [url=http://dpqlungmfezm.com/]dpqlungmfezm[/url], [link=http://cqpapqescpwa.com/]cqpapqescpwa[/link], http://bfksbttnudtq.com/
ibwjjhe March 19, 2012 04:47 PM
RjS1SQ <a href="http://nvsvwratgxji.com/">nvsvwratgxji</a>
Selvam March 19, 2012 02:30 AM
Thanks for this article!Trying to niplememt it, I have some issues:I.) I try to set up my routes like this in order to get the twitter_callback_path match /auth/:provider/callback => sessions#create , :as => :twitter_callback but It raises the following error when I run cu*****ber: (::) failed steps (::)No route matches {:controller=> sessions , :action=> create } (ActionController::RoutingError)./features/step_definitions/twitter_steps.rb:9:in `/^Twitter authorizes me$/'features/authentication.feature:9:in `And Twitter authorizes me'Here is my scenario:Feature: Authentication Scenario: Login via Twitter When I go to the homepage And I follow Sign in with Twitter And Twitter authorizes me Then I should see II.) I would be pleased to know how I use the Twitter developers console. I enter my username as parameter and my password as value. I copy paste the request reponse in a verify_creditentials.json file and put it in the following folder: features/fixtures/the content is something like this: opening connection to api.local.twitter.com opened<- "GET /1/account/verify_credentials.xml HTTP/1.1Accept: */*Connection: closeUser-Agent: OAuth gem v0.3.4.1Authorization: Host: api.local.twitter.com:9000Is it the right way to do it?Thanks a lot for your help!
Butterfly October 28, 2011 01:24 AM
I'm shocked that I found this info so esialy.
J February 15, 2011 04:43 PM
Interesting read!
Share this
Send to a friend
Linked-in
Facebook
Twitter

Authors

Categories

About IntraLinks

IntraLinks ® provides enterprise-class solutions which facilitate the secure, compliant and auditable exchange of critical information, collaboration and workflow management inside and outside the enterprise.

Our on-demand solutions help you organize, manage, share and track information enabling you to accelerate your workflow, optimize your business processes and realize new profit potential.

Archive

Recent Posts

Contact Sales

* = Required

By Phone

Americas:
1 866 INTRALINKS or +1 212 342 7684
Europe, Middle East & Africa:
+44 (0) 20 7549 5200
Asia Pacific:
+65 6232 2040
Latin America:
+55 11 4949 7700 or 0-800-892-2247

Follow Us

Linked In RSS