Thinking about authentication

Thursday, 21 November, 2019

Modern authentication

That way that people identify themselves is one of the most obvious security controls that they come into contact with. It’s an important part of any user experience and a cornerstone of being able to offer personalised experiences.

To authenticate a user you need a set of credentials: a unique identifier of the user, combined with one or more factors such as something they know, such as a password, something they have, such as a token or device (e.g. SMS codes from your bank), or perhaps something they are or do, such as a fingerprint or way they talk.

Gaining access to these credentials is to be able to masquerade as that individual in the digital realm. It allows access to the personal or private data that underpins that experience. There is no ‘looking shady’ in the digital realm. If you can authenticate yourself as that individual, you become that individual. As a result, these virtual keys attract a lot of attention from adversaries.

The volume of data breaches is driven in part by the demand for these virtual keys. There is an underground market in being able to impersonate people. Either because this identity theft allows criminals to take out a fraudulent loan or mortgage for direct economic benefit, or because they can pass on these account details for smaller gains. Spotify, Netflix and even computer games accounts may be seemingly trivial but yield criminal gains by selling access at below sticker prices. Within days of launching, thousands of account details for Disney’s streaming service were for sale online for as little as $3.

It wasn’t due to a massive data breach of the 10 million subscribers that had already registered, rather because through twenty years of effort, we have successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess. As more and more of our lives have become digital, we have more and more accounts to remember and, naturally (because we all take the easy path), password reuse is rife. By testing account details from previous data breaches criminals were able to pick out those that had been reused and sell them on the ‘dark web.’

Authentication and authorization ecosystem

Often a whole variety of related services are combined under the umbrella of authentication and access control. They include identification (registration or enrollment of new users), authentication (verifying the identity of existing users), authorisation (approving the actions of an authenticated user). Session management and profile updates (e.g. change or forgotten password) also play important parts.

So any new authentication mechanism – in the broadest sense – for a consumer (or business) services needs to be mindful of this broader ecosystem and not just defend against unauthorised access, but also the context of ‘good’ and ‘bad’ personas. You want to make it easy for ‘good personas’ to achieve their goal while discouraging the undesirable behaviours of ‘bad personas.’

At each of these stages, technology teams can implement security controls to prevent and detect unwanted or unexpected actions. Audit trails can also be maintained to prove what actions were undertaken (this can be valuable not only from a security but also revenue perspective.)

Business impact

User registration, authentication, and broader lifecycle are key areas for many businesses. Building a customer-centric, robust and resilient service for user management and authentication can make or break customer experience and adoption. It can also have a direct bearing support requests (or even lose customers).

With authentication being the ‘shop front’ for many services we find business impacts typically fall into one of the following four categories:

  • Customer adoption and satisfaction (improved revenue)
  • Access to customer information (regulatory impact)
  • Access to business services (loss of revenue; degraded customer experience)
  • Abuse of business capabilities (increased cost)

Threats

Modern authentication systems need to defend against a variety of common threats. Some of these include:

  • Brute forcing is where an attacker attempts different passwords sequentially until they gain access. This can be as crude as aaa then aab and so on, or cycling through a dictionary of known passwords
  • Credential stuffing is a more targeted form of brute forcing where known usernames and passwords, for example from previous data breaches, are used to gain unauthorised access
  • Denial of service conditions can be achieved where an attacker is able to affect the customer experience by causing account lockouts
  • Account hijacking abusing forgotten password or account recovery processes to steal valuable accounts, like high-profile social media personalities, or those controlling economic assets, such as digital currencies
  • Spoofing of the login interface to capture a user’s credentials. This is a common tactic used in phishing
  • Interception of credentials between the client and service
  • Session replay where a known token or identifier can be reused by an attacker to circumvent the authentication process

Authentication and forgotten password routines typically make use of resource-intensive hashing functions to protect passwords. This makes them a target for more sophisticated denial of service attacks. Rather than simply ‘flooding’ the service with spurious data, they actively try to exhaust the processing capacity of the service. DDOS protection solutions can help to filter requests and protect the availability of the service.

All of these relate to our first two business impacts discussed above. The third, where business capabilities are misused, are also worthy of consideration.

A real world example

I was helping a media customer respond to a security incident on one of their web properties when we noticed unusual behaviour on a sister site. There was a huge volume of user registrations taking place. They had been running a campaign to promote their new streaming service so that perhaps was not to be unexpected, however, the business team were disappointed with the campaign performance. The conversion of these to paid subscribers was well below expectations.

New users were being registered, then, seemingly never using the service again. We decided to extend the scope of the investigation to understand if the behaviour was related to the existing incident.

What we discovered was the user registration process also captured payment card details. At the end of a free trial period, a subscription would automatically be started and payment is taken. To protect revenue and avoid repeat freebie accounts a valid payment card was required to create an account. When a user registered a pre-authorisation check was conducted to verify payment details. Looking at the registration requests we could see they were concentrated from a small number of IP addresses.

Payment card details can be purchased on the black market. Those which are known to be working fetch a higher premium. Cyber-criminals were abusing the client’s card processing facility to validate stolen card details.

The accounts being registered from these addresses were solely to pass the card validation routine. This was also having a direct cost impact on the business: the payment processor charged fees on every transaction.

Protections

You can put barriers in place to help manage many of the threats outlined above. Identifying which are most important to your business or service can be determined through cyber risk analysis (let us know if we can help you with that.)

  • Password storage be in a form that will never allow the plaintext to be obtained
  • Encryption is used to prevent interception during transmission
  • Account lockouts are used to prevent repeated failed attempts (whilst being mindful of denial of service conditions)
  • Password recovery workflows require the use of another factor
  • Sessions are regenerated randomly at login and have an expiration
  • Certificate transparency logs should be monitored to identify spoofing attempts

Reauthenticating users for certain sensitive actions may also be appropriate, for example changing a password or modifying subscription/payment details.

A quick aside considering multi-factor authentication

Given the prevalence of credentials that are now in the public domain one of the primary controls is multi-factor (sometimes called two-factor) authentication. As well as needing an identifier, say a user’s email address, and their password, you also need an additional factor (something a user knows, has, or does.) This helps mitigate against nearly all brute forcing attacks.

Simple consumer-grade options exist that send one-time passcodes to mobile phones, thereby proving that they are - in theory - in possession of the user’s mobile phone. (Though SIM swapping is a growing concern.) Authenticator apps that generate these codes or tokens like those from yubikey are growing in popularity.

Adding this extra step does add friction to user registration. Or you need to consider how to nudge user’s to go out of their way to turn it on. Offering an incentive to do this can be a great way to increase adoption. During Cyber Security Awareness Month EA Games even offered users of their Origin store a free month in exchange for turning on multi-factor authentication.

What to measure?

The following basic data points can provide useful metrics on the health of your authentication system. By monitoring them you can spot any potential issues early - either dealing with malicious activity or addressing issues affecting customer experience:

  • Successful logins
  • Failed logins
  • Password reset requests
  • Completed password resets
  • Successful registrations
  • Failed registrations

It is also important to maintain a log of authentication and authorisation actions that allow further investigation. Though be sure to avoid logging sensitive information (like passwords!)

Have you had any great, or terrible, customer authentication experiences? Let us know on Twitter.