by Timm Lotter, Senior Presales Consultant, APIIDA AG
With the help of a second factor, logging in to websites, applications and PCs becomes much safer. The first factor, the password, is no longer sufficient today: an attacker can easily obtain a personal password through common security vulnerabilities, fake websites or leaked user data. To prevent this, more and more organizations are introducing a second factor. There are several types, each with advantages and disadvantages.
Push-Notification
One of the simplest methods is the Push-Notification. When logging in, the user receives a message on his smartphone, whether Android or iPhone. Contextual information such as browser, location and operating system is displayed for security. The user has three options:
• Confirm: The user wants to log in, and the login succeeds.
• Concern: The user is not sure whether the displayed context information is correct.
• Cancel: Someone else is trying to sign in, and the login process is aborted.
The clear advantage lies in the simplicity of this method. The user confirms the login with just one click.
But there are also disadvantages: an Internet connection on the smartphone is necessary to receive the push message. Combined with a one-time password (OTP) in the same app, however, this disadvantage can be eliminated.
OTP via Smartphone App
The user generates a one-time password (OTP) on his smartphone. It is a number that looks random and is valid only for a specific time window, such as 30 seconds. The user must enter the value in a login mask such as a web page or application. A specific secure algorithm is used for the generation. The verification by the website can be pictured as follows: it generates the same OTP itself and compares the two.
The advantage is that no Internet connection is necessary for the generation. Furthermore, the user must manually enter the OTP from the smartphone into the login mask; this extra step of retyping makes an attack more difficult.
The disadvantage is that it is less convenient than the Push-Notification, especially for users with little IT knowledge. Furthermore, the context information shown with the Push-Notification is missing.
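As an added example (not APIIDA's code), the following Python sketch assumes the "specific secure algorithm" is time-based OTP as standardized in RFC 6238 (HMAC-SHA1, 30-second step, 6 digits). It shows the smartphone side that derives the code from a shared secret and the time, and the server side that regenerates the same value and compares it, tolerating one window of clock drift and refusing to accept the same code twice; the secret used in the demo is the constructed RFC test vector, not a real key.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # validity window mentioned in the article
DIGITS = 6          # length of the code the user retypes


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238, smartphone side: the counter is the number of steps since the epoch."""
    return hotp(secret, at_time // step)


def verify_totp(secret: bytes, candidate: str, at_time: int,
                last_accepted: int = -1, step: int = STEP_SECONDS, skew: int = 1):
    """Server side: regenerate the OTP for the current window and +/- `skew`
    neighbouring windows (clock drift, typing delay) and compare in constant time.
    Returns the matched counter, which the server must persist as `last_accepted`
    so the same OTP cannot be replayed inside its window; returns None on failure."""
    if not (candidate.isascii() and candidate.isdigit()):
        return None                      # reject junk before the constant-time compare
    counter = at_time // step
    for c in range(counter - skew, counter + skew + 1):
        if c <= last_accepted:           # already consumed: a one-time password is used once
            continue
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c
    return None


if __name__ == "__main__":
    # Constructed demo secret (RFC 6238 test vector), shared between app and server at enrolment.
    secret = b"12345678901234567890"
    now = int(time.time())
    code = totp(secret, now)
    print("smartphone shows:", code)
    matched = verify_totp(secret, code, now)
    print("server accepted counter:", matched)
    print("replay accepted?", verify_totp(secret, code, now, last_accepted=matched) is not None)
```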
OTP via E-Mail
The user receives a one-time password (OTP) by e-mail. It is valid for a certain time and must be entered in a login mask.
The advantage: the user only has to be able to receive the e-mail, whether on a PC, laptop, smartphone or another device. A smartphone is not necessary.
On the other hand, the method is much easier to attack: to read the OTP, an attacker only needs the credentials for the e-mail account. It is even easier if the entire mail server has been compromised, so that an attacker can read all e-mails.
OTP via SMS
The user receives the one-time password (OTP) as an SMS on his mobile phone. It is valid for a certain time and must be entered in a login mask.
On the positive side, this variant also works with older devices and phones that run neither Android nor iOS.
The disadvantage is the cost of sending the SMS. In addition, an attacker who takes over the telecommunications systems can intercept the OTP.
Grid Card
The user gets a grid card, either printed on paper or as a digital file. It consists of a grid: the columns are labelled with letters such as A, B, C and the rows with numbers such as 1, 2, 3. Every column-row combination holds a value. During login the user is asked for several cells; for example, A2, C3 and E5 are requested, and according to Figure 3 the corresponding values would be CF, R0 and 0J.
The undeniable advantage is that no digital device is necessary for the Grid Card. This is especially useful in high-security areas where smartphones and similar devices are prohibited. The method is cost-effective because the grid card can simply be printed and reused.
The decisive disadvantage: it is easy to copy, and it shows the “secret” value combinations in the clear.
Smartphone for PC Login
The solution APIIDA Mobile Authentication is undoubtedly an innovation for secure login to the Windows operating system. The user no longer enters his username and password on the PC but instead uses his smartphone. The login is confirmed with the fingerprint or password on the smartphone. The PC and the smartphone are paired over an encrypted Bluetooth connection.
The advantage is that the Windows login requires a “second factor” in the form of an additional device, the smartphone, plus the fingerprint. Furthermore, an automatic logout takes place when the user walks away from the PC with his smartphone.
The disadvantage is that the PC must have Bluetooth. However, this can be resolved with a Bluetooth dongle (USB stick).
Conclusion
There are different ways to generate a second factor, and all variants have advantages and disadvantages. To meet current and future requirements, however, an MFA solution that provides all methods is needed. But that is only the first step. To raise the security level further, behavioral analysis of the users is necessary to extend the “rigid rules”. At the same time, a complex login process quickly overwhelms users. The art is to create sufficient security with user acceptance during the login process. So far, the two methods “Push-Notification via Smartphone” and “Smartphone for PC Login” have been ahead of the game.