Financial institutions should use effective authentication
methods appropriate to the level of risk. Steps include
Authentication is the verification of identity by a system based
on the presentation of unique credentials to that system. The
unique credentials are in the form of something the user knows,
something the user has, or something the user is. Those forms
exist as shared secrets, tokens, or biometrics. More than one
form can be used in any authentication process.
Authentication that relies on more than one form is called
multi-factor authentication and is generally stronger than any
single-factor authentication method. Authentication
contributes to the confidentiality of data and the accountability
of actions performed on the system by verifying the unique identity
of the system user.
Authentication over the Internet banking delivery channel
presents unique challenges. That channel does not benefit
from physical security and controlled computing and communications
devices like internal local area networks (LANs), and is used by
people whose actions cannot be controlled by the institution.
The agencies consider the use of single-factor authentication in
that environment, as the only control mechanism, to be inadequate
for high-risk transactions involving access to customer information
or the movement of funds to other parties. Financial
institutions should perform risk assessments of their environment
and, where the risk assessments indicate the use of single-factor
authentication is inadequate, the institutions should implement
multi-factor authentication, layered security, or other controls
reasonably calculated to mitigate risk.
Authentication is not identification as that term is used in the
USA PATRIOT Act (31 USC 5318(l)). Authentication does not
provide assurance that the initial identification of a system user
is proper. Procedures for the initial identification of a
system user are beyond the scope of this booklet.
Shared secret systems uniquely identify the user by matching
knowledge on the system to knowledge that only the system and user
are expected to share. Examples are passwords, pass phrases,
or current transaction knowledge. A password is one string of
characters (e.g., "t0Ol@Tyme"). A
pass phrase is typically a string of words or characters (e.g., "My
car is a shepherd") that the system may shorten to a smaller
password by means of an algorithm. Current transaction
knowledge could be the account balance on the last statement mailed
to the user/customer. The strength of shared secret systems
is related to the lack of disclosure of and about the secret, the
difficulty in guessing or discovering the secret, and the length of
time that the secret exists before it is changed.
A strong shared secret system only involves the user and the
system in the generation of the shared secret. In the case of
passwords and pass phrases, the user should select them without any
assistance from any other user, such as the help desk. One
exception is in the creation of new accounts, where a temporary
shared secret could be given to the user for the first log-in,
after which the system requires the user to create a different
password. Controls should prevent any user from
re-using shared secrets that may have been compromised or were
recently used by them.
Passwords are the most common authentication mechanism.
Passwords are generally made difficult to guess when they are
composed from a large character set, contain a large number of
characters, and are frequently changed. However, since
hard-to-guess passwords may be difficult to remember, users may
take actions that weaken security, such as writing the passwords
down. Any password system must balance the password strength
with the user's ability to maintain the password as a shared
secret. When the balancing produces a password that is not
sufficiently strong for the application, a different authentication
mechanism should be considered. Pass phrases are one
alternative to consider. Due to their length, pass phrases
are generally more resistant to attack than passwords. The
length, character set, and time before enforced change are
important controls for pass phrases as well as passwords.
Shared secret strength is typically assured through the use of
automated tools that enforce the password selection policy.
Authentication systems should force changes to shared secrets on a
schedule commensurate with risk.
Passwords that are either not changed or changed infrequently
are known as static passwords. While all passwords are
subject to disclosure, static passwords are significantly more
vulnerable. An attacker can obtain a password through
technical means and through social engineering. Internet
banking customers are targeted for such social engineering through
phishing attacks. Institution employees and contractors may
be similarly targeted. Static passwords are appropriate in
systems whose data and connectivity is considered low risk, and in
systems that employ effective compensating controls such as
physical protections, device authentication, mutual authentication,
host security, user awareness, and effective monitoring and rapid
Weaknesses in static password mechanisms generally relate to the
ease with which an attacker can discover the secret. Attack
Passwords can also be dynamic. Dynamic passwords typically
use seeds, or starting points, and algorithms to calculate a new
shared secret for each access. (A "seed" is a starting point for
the dynamic password system. Shared starting points, timing, and
logic between the token and the server allow password changes to
synchronize between the two devices.)
Because each password is used for only one access, dynamic
passwords can provide significantly more authentication strength
than static passwords. In most cases, dynamic passwords are
implemented through tokens. A token is a physical device,
such as an ATM card, smart card, or other device that contains
information used in the authentication process.
Token systems typically authenticate the token and assume that
the user who was issued the token is the one requesting
access. One example is a token that generates dynamic
passwords after a set number of seconds. When prompted for a
password, the user enters the password generated by the
token. The token's password-generating system is identical
and synchronized to that in the system, allowing the system to
recognize the password as valid. The strength of this system
of authentication rests in the frequent changing of the password
and the inability of an attacker to guess the seed and password at
any point in time.
Another example of a token system uses a challenge/response
mechanism. In this case, the user identifies him/herself to
the system, and the system returns a code to enter into the
password-generating token. The token and the system use
identical logic and initial starting points to separately calculate
a new password. The user enters that password into the
system. If the system's calculated password matches that
entered by the user, the user is authenticated. The strengths
of this system are the frequency of password change and the
difficulty in guessing the challenge, seed, and password.
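The time-synchronized token and the challenge/response token described above, as an added example written for this page and not taken from the booklet or from any vendor's product: both sides of each exchange in Go. The booklet does not name a password-generating algorithm; HMAC-based one-time passwords (RFC 4226, with the 30-second time step of RFC 6238) are assumed for the synchronized token, and HMAC-SHA256 over the challenge for the challenge/response token. The seed, digit counts and challenge format are assumptions as well. Each server side refuses a time step or a challenge that has already been consumed, which is the control against the replay attack discussed later in this section.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"time"
)

// hotp derives a one-time password (RFC 4226) from the shared seed and a
// moving factor (time step or counter) with HMAC-SHA1 and dynamic truncation.
func hotp(seed []byte, factor uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], factor)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// tokenTOTP is the token side (RFC 6238): the factor is the current
// 30-second step, so the displayed code changes every 30 seconds.
func tokenTOTP(seed []byte, now time.Time) string {
	return hotp(seed, uint64(now.Unix()/30), 6)
}

// totpServer holds the same seed plus the highest step already accepted,
// so a code captured in transit cannot be replayed within its window.
type totpServer struct {
	seed     []byte
	lastStep int64
}

// verifyTOTP tolerates one step of clock drift either way but never
// accepts a step at or below the last one consumed.
func (s *totpServer) verifyTOTP(code string, now time.Time) bool {
	step := now.Unix() / 30
	for _, cand := range []int64{step - 1, step, step + 1} {
		if cand <= s.lastStep {
			continue
		}
		expect := hotp(s.seed, uint64(cand), 6)
		if subtle.ConstantTimeCompare([]byte(expect), []byte(code)) == 1 {
			s.lastStep = cand
			return true
		}
	}
	return false
}

// challengeServer issues a random challenge per login attempt; each
// challenge can be answered once, so a recorded response is useless later.
type challengeServer struct {
	seed    []byte
	pending map[string]bool
}

func (s *challengeServer) issue() string {
	var c [8]byte
	if _, err := rand.Read(c[:]); err != nil {
		panic(err)
	}
	ch := hex.EncodeToString(c[:])
	s.pending[ch] = true
	return ch
}

// tokenRespond is the token side: the user keys the challenge into the
// token, which shows the first 8 hex digits of HMAC-SHA256(seed, challenge).
func tokenRespond(seed []byte, challenge string) string {
	mac := hmac.New(sha256.New, seed)
	mac.Write([]byte(challenge))
	return hex.EncodeToString(mac.Sum(nil))[:8]
}

// verifyResponse recomputes the answer and retires the challenge whether
// or not the response was correct, so it cannot be guessed at repeatedly.
func (s *challengeServer) verifyResponse(challenge, response string) bool {
	if !s.pending[challenge] {
		return false
	}
	delete(s.pending, challenge)
	expect := tokenRespond(s.seed, challenge)
	return subtle.ConstantTimeCompare([]byte(expect), []byte(response)) == 1
}

func main() {
	seed := []byte("12345678901234567890") // RFC 6238 test seed; real seeds are random per token
	srv := &totpServer{seed: seed}
	code := tokenTOTP(seed, time.Now())
	fmt.Println("TOTP", code, "accepted:", srv.verifyTOTP(code, time.Now()), "replay:", srv.verifyTOTP(code, time.Now()))
	cs := &challengeServer{seed: seed, pending: map[string]bool{}}
	ch := cs.issue()
	fmt.Println("challenge", ch, "accepted:", cs.verifyResponse(ch, tokenRespond(seed, ch)), "replay:", cs.verifyResponse(ch, tokenRespond(seed, ch)))
}
```

With the RFC test seed, the code for time step 1 (Unix time 59) is 287082, which matches the published RFC 6238 vector. Note what each server remembers: the synchronized scheme needs only the last accepted step, while the challenge scheme must track outstanding challenges and should expire them after a short time.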
Other token methods involve multi-factor authentication, or the
use of more than one authentication method. For instance, an
ATM card is a token. The magnetic stripe on the back of the
card contains a code that is recognized in the authentication
process. However, the user is not authenticated until he or
she also provides a PIN, or shared secret. This method is
two-factor, using both something the user has and something the
user knows. Two-factor authentication is generally stronger
than single-factor authentication. This method can allow the
institution to authenticate the user as well as the token.
Weaknesses in token systems relate to theft or loss of the token
either during delivery to the user or while in the possession of
the user; ease in guessing any password-generating algorithm within
the token; ease of successfully forging any authentication
credential that unlocks the token; the reverse engineering, or
cloning, of the token; and "man-in-the-middle" attacks. Each
of these weaknesses can be addressed through additional control
mechanisms. Token theft or loss generally is protected
against by policies that require prompt reporting and cancellation
of the token's ability to allow access to the system, and
monitoring of token delivery and use. Additionally, the
impact of token theft is reduced when the token is used in
multi-factor authentication; for instance, the password from the
token is paired with a password known only by the user and the
system. This pairing reduces the risk posed by token loss,
while increasing the strength of the authentication
mechanism. Forged credentials are protected against by the
same methods that protect credentials in non-token systems.
Protection against reverse engineering requires physical and
logical security in token design. For instance, token
designers can increase the difficulty of opening a token without
causing irreparable damage, or obtaining information from the token
either by passive scanning or active input/output.
Man-in-the-middle attacks can be protected against through the use
of public key infrastructure (PKI), provided the client actually
verifies the server's certificate (or both parties authenticate each
other with certificates); a user who accepts an unverified
certificate gives the protection away.
Token systems can also incorporate public key infrastructure and
Public key infrastructure, if properly implemented and
maintained, can provide a strong means of authentication. By
combining a variety of hardware components, system software,
policies, practices, and standards, PKI can provide for
authentication, data integrity, defenses against customer
repudiation, and confidentiality. The system is based on public key
cryptography, in which each user has a key pair: a unique electronic
value called a public key and a mathematically
related private key. The public
key is made available to those who need to verify the user's
digital signature. The private key is stored on the user's
computer or a separate device such as a smart card. When the
key pair is created with a strong algorithm, an adequate key length,
and properly random input, the probability of deriving the private
key from the public key is extremely remote. The private key must be
stored encrypted and protected with a password or PIN to avoid
compromise or disclosure. The private key is used to create
an electronic identifier called a digital signature
that uniquely identifies the holder of the private key and can only
be verified with the corresponding public key.
The certificate authority (CA), which may be
the financial institution or its service provider, plays a key role
by attesting with a digital certificate that a particular public
key and the corresponding private key belongs to a specific user or
system. It is important when issuing a digital
certificate that the registration process for initially
verifying the identity of users is adequately controlled. The
CA attests to the individual user's identity by signing the digital
certificate with its own private key, known as the root key.
Each time the user establishes a communication link with the
financial institution's systems, a digital signature is transmitted
with a digital certificate. These electronic credentials
enable the institution to determine that the digital certificate is
valid, identify the individual as a user, and confirm that
transactions entered into the institution's computer system were
performed by that user.
The user's private key exists electronically and is susceptible
to being copied over a network as easily as any other electronic
file. If it is lost or compromised, the user can no longer be
assured that messages will remain private or that fraudulent or
erroneous transactions would not be performed. User AUPs and
training should emphasize the importance of safeguarding a private
key and promptly reporting its compromise.
PKI minimizes many of the vulnerabilities associated with
passwords because it does not rely on shared secrets to
authenticate customers, its electronic credentials are difficult to
compromise, and user credentials cannot be stolen from a central
server. Private keys are necessary to defeat the system, and
those keys are stored in a distributed fashion on each user's
access device. The primary drawback of a PKI authentication
system is that it is more complicated and costly to implement than
user names and passwords. Whether the financial institution acts as
its own CA or relies on a third party, the institution should
ensure its certificate issuance and revocation policies and other
controls discussed below are followed.
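The certificate issuance, login-time signature, chain verification and revocation steps described above, as an added example that is not part of the booklet: both the institution's side and the user's side in Go, using only the standard library's x509 and ecdsa packages. ECDSA on P-256, the certificate fields and lifetimes, the institution and user names, the nonce, and an in-memory set of revoked serial numbers standing in for a CRL or OCSP check are all assumptions made for this example. The registration step that verifies the user's identity before enrollment is out of scope here, as it is in the booklet.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newCA generates the institution's root key and self-signed CA certificate.
func newCA(name string) (*ecdsa.PrivateKey, *x509.Certificate) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return key, mustCert(tmpl, tmpl, &key.PublicKey, key)
}

// enroll runs after registration has verified the user: the CA signs a
// certificate binding the user's public key to the user's name. The private
// key is generated on, and never leaves, the user's device.
func enroll(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, name string, serial int64) (*ecdsa.PrivateKey, *x509.Certificate) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return key, mustCert(tmpl, caCert, &key.PublicKey, caKey)
}

// signChallenge is the user's side of each login: sign the institution's
// fresh nonce with the private key.
func signChallenge(key *ecdsa.PrivateKey, nonce []byte) []byte {
	digest := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// authenticate is the institution's check: the certificate chains to the
// root and is valid for client authentication, it has not been revoked, and
// the signature over this session's nonce verifies under the certified key.
func authenticate(root *x509.Certificate, revoked map[string]bool, cert *x509.Certificate, nonce, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	if revoked[cert.SerialNumber.String()] {
		return "", fmt.Errorf("certificate %s has been revoked", cert.SerialNumber)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return "", fmt.Errorf("signature does not verify: %w", err)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	caKey, caCert := newCA("Example Bank Root CA")
	aliceKey, aliceCert := enroll(caKey, caCert, "alice", 2)
	revoked := map[string]bool{}
	nonce := []byte("constructed session nonce") // random per login in practice
	who, err := authenticate(caCert, revoked, aliceCert, nonce, signChallenge(aliceKey, nonce))
	fmt.Println("login:", who, err)
	revoked[aliceCert.SerialNumber.String()] = true // user reported the key compromised
	_, err = authenticate(caCert, revoked, aliceCert, nonce, signChallenge(aliceKey, nonce))
	fmt.Println("after revocation:", err)
}
```

Because the signature covers a nonce the institution chose for this session, a recorded signature does not authenticate a later session. A certificate issued by any other CA, even one naming the same user, fails the chain check; this is why the root key and the registration process deserve the controls the booklet calls for, since anything the root signs, the institution's systems will accept.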
When utilizing PKI policies and controls, financial institutions
need to consider the following:
The encryption components of PKI are addressed more fully under
Biometrics can be implemented in many forms, including
tokens. Biometrics verifies the identity of the user by
reference to unique physical or behavioral characteristics. A
physical characteristic can be a thumbprint or iris pattern.
A behavioral characteristic is the unique pattern of key depression
strength and pauses made on a keyboard when a user types a
phrase. The strength of biometrics is related to the
uniqueness of the physical characteristic selected for
verification. Biometric technologies assign data values to the
particular characteristics associated with a certain feature.
For example, the iris typically provides many more characteristics
to store and compare, making it more unique than facial
characteristics. Unlike other authentication mechanisms, a
biometric authenticator does not rely on a user's memory or
possession of a token to be effective. Additional strengths
are that biometrics do not rely on people to keep their biometric
secret or physically secure their biometric. Biometrics is
the only authentication methodology with these advantages.
Enrollment is a critical process for the use of biometric
authentication. The user's physical characteristics must be
reliably recorded. Reliability may require several samples of
the characteristic and a recording device free of lint, dirt, or
other interference. The enrollment device must be physically
secure from tampering and unauthorized use.
When enrolled, the user's biometric is stored as a
template. Subsequent authentication is accomplished by
comparing a submitted biometric against the template, with results
based on probability and statistical confidence levels.
Practical usage of biometric solutions requires consideration of
how precise systems must be for positive identification and
authentication. More precise solutions increase the chances a
person is falsely rejected. Conversely, less precise
solutions can result in the wrong person being identified or
authenticated as a valid user (i.e., false acceptance rate).
The equal error rate (EER) is a composite rating that considers the
false rejection and false acceptance rates. Lower EERs mean
more consistent operations. However, EER is typically based
upon laboratory testing and may not be indicative of actual results
due to factors that can include the consistency of biometric
readers to capture data over time, variations in how users present
their biometric sample (e.g., occasionally pressing harder on a
finger scanner), and environmental factors.
Weaknesses in biometric systems relate to the ability of an
attacker to submit false physical characteristics or to take
advantage of system flaws to make the system erroneously report a
match between the characteristic submitted and the one stored in
the system. In the first situation, an attacker might submit
to a thumbprint recognition system a copy of a valid user's
thumbprint. The control against this attack involves ensuring
a live thumb was used for the submission. That can be done by
physically controlling the thumb reader, for instance having a
guard at the reader to make sure no tampering or fake thumbs are
used. In remote entry situations, logical liveness tests can
be performed to verify that the submitted data is from a live
Attacks that involve making the system falsely deny or accept a
request take advantage of either the low degrees of freedom in the
characteristic being tested, or improper system tuning.
Degrees of freedom relate to measurable differences between
biometric readings, with more degrees of freedom indicating a more
unique biometric. Facial recognition systems, for instance,
may have only nine degrees of freedom while other biometric systems
have over one hundred. Similar faces may be used to fool the
system into improperly authenticating an individual. Similar
irises, however, are difficult to find and even more difficult to
fool a system into improperly authenticating.
Attacks against system tuning also exist. Any biometric
system has rates at which it will falsely accept a reading and
falsely reject a reading. The two rates are inseparable; for
any given system improving one worsens the other. Systems
that are tuned to maximize user convenience typically have low
rates of false rejection and high rates of false acceptance.
Those systems may be more open to successful attack.
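The false rejection and false acceptance trade-off, the equal error rate, and the tuning choice described in the two passages above, worked through in Go as an added example that is not drawn from the booklet. The matcher scores are constructed for illustration, not measured data; the 0.01 threshold step and the decision rule (accept when the score is at least the threshold) are assumptions of the example.

```go
package main

import (
	"fmt"
	"math"
)

// Constructed matcher scores (not measured data): a higher score means the
// submitted sample is closer to the enrolled template. "genuine" are scores
// from the enrolled user, "impostor" are scores from other people.
var genuine = []float64{0.62, 0.70, 0.74, 0.78, 0.81, 0.83, 0.85, 0.87, 0.88, 0.90,
	0.91, 0.92, 0.93, 0.94, 0.95, 0.96, 0.97, 0.97, 0.98, 0.99}
var impostor = []float64{0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.50, 0.55,
	0.58, 0.60, 0.63, 0.66, 0.69, 0.72, 0.75, 0.79, 0.82, 0.86}

// rates returns the false rejection rate and false acceptance rate at a
// decision threshold: a sample is accepted when its score is at least the
// threshold, so raising it rejects more genuine users and admits fewer impostors.
func rates(genuine, impostor []float64, threshold float64) (frr, far float64) {
	rejected, accepted := 0, 0
	for _, s := range genuine {
		if s < threshold {
			rejected++
		}
	}
	for _, s := range impostor {
		if s >= threshold {
			accepted++
		}
	}
	return float64(rejected) / float64(len(genuine)), float64(accepted) / float64(len(impostor))
}

// equalErrorRate scans thresholds in steps of 0.01 and returns the first
// threshold at which FRR and FAR are closest, together with their mean there.
func equalErrorRate(genuine, impostor []float64) (threshold, eer float64) {
	best := math.Inf(1)
	for i := 0; i <= 100; i++ {
		t := float64(i) / 100
		frr, far := rates(genuine, impostor, t)
		if d := math.Abs(frr - far); d < best {
			best, threshold, eer = d, t, (frr+far)/2
		}
	}
	return
}

func main() {
	// A convenience-tuned system (0.60), the equal-error point, and a
	// security-tuned system (0.90) on the same scores.
	for _, t := range []float64{0.60, 0.76, 0.90} {
		frr, far := rates(genuine, impostor, t)
		fmt.Printf("threshold %.2f  FRR %.2f  FAR %.2f\n", t, frr, far)
	}
	t, eer := equalErrorRate(genuine, impostor)
	fmt.Printf("EER %.2f at threshold %.2f\n", eer, t)
}
```

On these scores the threshold of 0.60 rejects no genuine user but admits 45% of impostors, 0.90 does the reverse, and the two rates meet at 0.15 near a threshold of 0.76; the two rates move in opposite directions and no threshold improves both. As the booklet warns, an EER computed from one fixed sample set says little about the field: re-run the same calculation on scores collected from the deployed readers before choosing the operating threshold.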
Authorized users may need to have authenticators reissued.
Many situations create that need, such as the user forgetting the
shared secret, losing a token, or the change of a biometric
identifier. Prior to reissuing an authenticator, institutions
should appropriately verify the identity of the receiving
individual. The strength of the verification should be
appropriate to mitigate the risk of impersonation. For
example, the comparison of Internet-banking customer responses to
questions regarding readily available public information generally
is not an adequate risk mitigator.
Behavioral authentication is the assurance gained from comparing
connection-related and activity-related information with
expectations. For example, many institutions may expect
Internet banking activity from certain Internet Protocol (IP)
ranges to use certain user agents, to traverse the Web site in a
certain manner, and to submit transactions that have certain
characteristics. Although behavioral authentication does not
provide strong assurance that individuals are who they claim to be,
it may provide a strong indication that authenticators presented
are from an imposter. Accordingly, behavioral authentication
is frequently useful to supplement other means of
Device authentication typically takes place either as a
supplement to the authentication of individuals or when assurance
is needed that the device is authorized to be on the network.
Devices are authenticated through either shared secrets, such as
pre-shared keys, or the use of PKI. Authentication can take
place at the network level and above. At the network level,
IPv6 has the built-in ability to authenticate each device through
IPsec, which is also available for IPv4. (IPv6 is one of two
Internet protocols in widespread use. The other is IPv4.)
Device authentication is subject to the same shared-secret and
PKI weaknesses as user authentication, and is subject to similar
offsetting controls. Additionally, similar to user
authentication, if the device is under the attacker's control or if
the authentication mechanism has been compromised, communications
from the device should not be trusted.
Mutual authentication occurs when all parties to a communication
authenticate themselves to the other parties. Authentications
can be single or multifactor. An example of a mutual
authentication is the identification of an Internet banking user to
the institution, the display of a shared secret from the
institution to the user, and the presentation of a shared secret
from the user back to the institution. An advantage of mutual
authentication is the assurance that communications are between
trusted parties. However, various attacks, such as
man-in-the-middle attacks, can thwart mutual authentication
Several single sign-on protocols are in use. Those
protocols allow clients to authenticate themselves once to obtain
access to a range of services. An advantage of single sign-on
systems is that users do not have to remember or possess multiple
authentication mechanisms, potentially allowing for more complex
authentication methods and fewer user-created weaknesses.
Disadvantages include the broad system authorizations potentially
tied to any given successful authentication, the centralization of
authenticators in the single sign-on server, and potential
weaknesses in the single sign-on technologies.
When single sign-on systems allow access for a single log-in to
multiple instances of sensitive data or systems, financial
institutions should employ robust authentication techniques, such
as multi-factor, PKI, and biometric techniques. Financial
institutions should also employ additional controls to protect the
authentication server and detect attacks against the server and
All authentication methodologies display weaknesses. Those
weaknesses are of both a technical and a nontechnical nature.
Many of the weaknesses are common to all mechanisms. Examples
of common weaknesses include warehouse attacks, social
engineering, client attacks, replay attacks, man-in-the-middle
attacks, and hijacking.
Warehouse attacks result in the compromise of the authentication
storage system and the theft of the authentication data.
Frequently, the authentication data is stored hashed or encrypted;
however, dictionary attacks make recovery of even a few passwords in
a large group a trivial task. A dictionary attack uses a list
of likely authenticators, such as passwords, runs the likely
authenticators through the same hashing or encryption algorithm, and
compares the results to the stolen, protected authenticators. Any
match reveals the original authenticator. Dictionary and brute
force attacks (a brute force attack tries all possible combinations
of the allowed character set) are viable due to the speeds with which
comparisons are made.
As microprocessors increase in speed, and technology advances to
ease the linking of processors across networks, those attacks will
be even more effective. Because those attacks are effective,
institutions should take great care in securing their
authentication databases. Institutions that use one-way
hashes should combine each password with a random value unique to
that user (a "salt") before hashing and store the salt with the
hash. The salt need not be secret, but it must differ per user; a
deliberately slow hash function adds further cost to each guess.
The salt prevents a single precomputed table from covering every
user, so attackers must recompute the dictionary for each account,
thereby making the attacks more time consuming and creating more
opportunity for the institution to identify and react to the
Warehouse attacks typically compromise an entire authentication
mechanism. Should such an attack occur, the financial
institution might have to deny access to all or nearly all users
until new authentication devices can be issued (e.g. new
passwords). Institutions should consider the effects of such
a denial of access, and appropriately plan for large-scale
re-issuances of authentication devices.
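The warehouse attack described above, with and without salting, and the control earlier in this section that refuses re-use of a recently used shared secret, as an added example written for this page and not taken from the booklet. The stolen database and the dictionary are constructed; iterated salted SHA-256 is used here only as a stand-in for a purpose-built password hash such as PBKDF2, bcrypt, scrypt or Argon2, which is what a production system should use, and the 1000-round count, 16-byte salt and the choice of keeping one salt per user across changes are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

const rounds = 1000 // iterations per hash; real schemes are tuned far higher

// dictionary is a short list of likely passwords, as an attacker would use.
var dictionary = []string{"password", "123456", "letmein", "qwerty", "winter2024", "Sunshine!"}

// hashUnsalted is the weak scheme: H(password) alone, so equal passwords give equal hashes.
func hashUnsalted(pw string) string {
	h := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(h[:])
}

// hashSalted iterates H(previous || salt) from H(salt || password); a stand-in for PBKDF2/bcrypt/Argon2.
func hashSalted(salt []byte, pw string) string {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	for i := 1; i < rounds; i++ {
		h = sha256.Sum256(append(h[:], salt...))
	}
	return hex.EncodeToString(h[:])
}

// record is one row of the salted store: the salt is random per user and kept
// in the clear (it is not a secret); history holds hashes of earlier passwords.
type record struct {
	salt    []byte
	hash    string
	history []string
}

func newRecord(pw string) *record {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return &record{salt: salt, hash: hashSalted(salt, pw)}
}

// change verifies the current password, then refuses the current or any earlier password as the new one.
func (r *record) change(old, next string) error {
	if subtle.ConstantTimeCompare([]byte(hashSalted(r.salt, old)), []byte(r.hash)) != 1 {
		return fmt.Errorf("current password incorrect")
	}
	candidate := hashSalted(r.salt, next)
	for _, h := range append(r.history, r.hash) {
		if h == candidate {
			return fmt.Errorf("password was used before")
		}
	}
	r.history = append(r.history, r.hash)
	r.hash = candidate
	return nil
}

// crackUnsalted is the warehouse attack on H(password): hash each word once,
// then look every stolen hash up. Returns recovered passwords and hashes computed.
func crackUnsalted(stolen map[string]string) (map[string]string, int) {
	table := map[string]string{}
	for _, w := range dictionary {
		table[hashUnsalted(w)] = w
	}
	found := map[string]string{}
	for user, h := range stolen {
		if w, ok := table[h]; ok {
			found[user] = w
		}
	}
	return found, len(dictionary)
}

// crackSalted: no table can be shared between users, so each (user, word) pair costs a full hash.
func crackSalted(stolen map[string]*record) (map[string]string, int) {
	found, work := map[string]string{}, 0
	for user, r := range stolen {
		for _, w := range dictionary {
			work++
			if hashSalted(r.salt, w) == r.hash {
				found[user] = w
				break
			}
		}
	}
	return found, work
}

func main() {
	plain := map[string]string{"alice": "winter2024", "bob": "letmein", "carol": "winter2024"} // constructed sample
	unsalted, salted := map[string]string{}, map[string]*record{}
	for u, pw := range plain {
		unsalted[u], salted[u] = hashUnsalted(pw), newRecord(pw)
	}
	f1, w1 := crackUnsalted(unsalted)
	f2, w2 := crackSalted(salted)
	fmt.Printf("unsalted: %d hashes, recovered %v\nsalted: %d hashes of %d rounds each, recovered %v\n", w1, f1, w2, rounds, f2)
	fmt.Println("re-use attempt:", salted["bob"].change("letmein", "letmein"))
}
```

With weak passwords in the dictionary both stores fall; the difference is cost. The unsalted attack needs one hash per dictionary word however many users were stolen, and identical hashes for alice and carol expose the shared password before any hashing is done. The salted attack must re-run every word through the slow hash for every user, which is the time the booklet says the institution should use to detect and respond.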
Social engineering involves an attacker obtaining authenticators
by simply asking for them. For instance, the attacker may
masquerade as a legitimate user who needs a password reset or as a
contractor who must have immediate access to correct a system
performance problem. By using persuasion, being aggressive,
or using other interpersonal skills, the attackers encourage a
legitimate user or other authorized person to give them
authentication credentials. Controls against these attacks
involve strong identification policies and employee training.
Client attacks are an area of vulnerability common to all
authentication mechanisms. Passwords, for instance, can be
captured by hardware- or software-based keystroke capture
mechanisms. PKI private keys could be captured or
reverse-engineered from their tokens. Protection against
these attacks primarily consists of physically securing the client
systems, and, if a shared secret is used, changing the secret on a
frequency commensurate with risk. While physically securing
the client system is possible within areas under the financial
institution's control, client systems outside the institution may
not be similarly protected.
Replay attacks occur when an attacker eavesdrops and records the
authentication as it is communicated between a client and the
financial institution system and then later uses that recording to
establish a new session with the system and masquerade as the true
user. Protections against replay attacks include changing
cryptographic keys for each session, using dynamic passwords,
expiring sessions through the use of time stamps, expiring PKI
certificates based on dates or number of uses, and implementing
liveness tests for biometric systems.
Man-in-the-middle attacks place the attacker's computer in the
communication line between the server and the client. The
attacker's machine can monitor and change communications.
Controls against man-in-the-middle attacks include prevention
through host and client hardening, appropriate hardening and
monitoring of domain name service (DNS) servers and other network
infrastructure, authentication of the device communicating with the
server, and the use of PKI.
Hijacking is an attacker's use of an authenticated user's
session to communicate with system components. Controls
against hijacking include encryption of the user's session and the
use of encrypted cookies or other devices to authenticate each
communication between the client and the server.