Online IT Security weighs heavily on the minds of all online users today, particularly those carrying out online financial transactions. IT Security used to rely on a single level of authentication, usually a password or PIN code.
As the crooks became more adept at uncovering user credentials through techniques such as phishing and keylogging exploits, it became clear that single level authentication was not sufficient to guarantee IT Security.
The concept was extended to that of two-level or multi-level authentication.
Multi-Level Authentication, of which Two Factor or Two-Level Authentication is a subset, is a process whereby the user must present an additional piece of evidence to the authentication mechanism before being granted access.
The multi-level concept is based on the user providing several unconnected elements to an authentication process. These can include:
- A physical device, for example an ATM or identity card;
- A code known only to the user, for example an OTP, PIN code or passphrase;
- A biometric check; fingerprints and retina scans are becoming more and more common; and
- Other identification, for example a location.
The information can come either from the user, as a remembered item, or from the physical device.
A good example of two-level authentication is the bank card used at the ATM. The user must have the card and know the PIN code associated with it before being allowed to carry out a transaction.
An online example of multi-level authentication is the increasingly common use of One-Time Passwords (“OTP”), a passcode sent to the user using a different channel, SMS or email perhaps.
The big question to be asked is whether two-level authentication provides enough security protection.
Let us look at two specific environments that commonly use two-level authentication: online banking and corporate network access.
Online Banking
Most banking systems are keenly interested in ensuring the security of their banking environment, and many adopt a two-level authentication system. Single-level User ID/password credentials are easily compromised, by phishing or keylogging exploits for example. There have also been examples where bank staff have provided financial details to fraudsters.
The second level in a two-level authentication process can be either an OTP sent by email or SMS or, in some cases, a physical device that provides the second-level passkey.
The downside of this process is that for those who do not have a smartphone, sending an OTP by SMS is not going to work. If there is no access to the Internet, sending it by email won’t work either. Also, most security gurus consider SMS and smartphone authentication inherently unsafe. In some cases, the email or SMS carrier does not deliver the message before it expires, and the user must start the process again.
The security of the transmission is out of the hands of the financial institution and relies on the security levels operated by the carrier. SIM cloning, always-on email, and message interception are all real threats to smartphone authentication services.
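The delivered-OTP flow described above has a server side that the article does not show: the bank generates a short code, hands it to the carrier, and must then enforce an expiry window (the "message arrives after it is invalid" case), a cap on wrong guesses, and single use so that an intercepted code cannot be replayed. The following is an added example written for this page, not code from any bank or product; the two-minute lifetime, three-attempt limit, server key and user names are constructed demo values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed demo of the server side of a delivered-OTP flow (SMS or email).
# The limits below are assumptions for the demo, not taken from any real system.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 120   # how long a delivered code stays valid
MAX_ATTEMPTS = 3        # wrong guesses before the pending code is cancelled


@dataclass
class PendingOtp:
    code_hash: bytes    # keyed hash of the code; the plaintext is never stored
    issued_at: float    # clock reading when the code was issued
    attempts: int = 0   # wrong guesses so far


class OtpService:
    """Issues one-time codes and checks them with expiry, attempt and replay limits."""

    def __init__(self, server_key: bytes, clock: Callable[[], float] = time.time):
        self._key = server_key
        self._clock = clock   # injectable so expiry can be exercised deterministically
        self._pending: Dict[str, PendingOtp] = {}

    def _hash(self, user: str, code: str) -> bytes:
        # Keyed hash bound to the user: a leaked table cannot be brute-forced offline
        # without the server key and a code cannot be transplanted to another account.
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        # CSPRNG-generated, zero-padded code. It is returned only so the caller can hand
        # it to the SMS/email gateway; issuing again replaces any earlier pending code.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user] = PendingOtp(self._hash(user, code), self._clock())
        return code

    def verify(self, user: str, code: str) -> str:
        """Returns 'ok', 'wrong', 'expired', 'locked' or 'none' (nothing pending)."""
        entry = self._pending.get(user)
        if entry is None:
            return "none"
        if self._clock() - entry.issued_at > OTP_TTL_SECONDS:
            # The late-delivery failure mode: the code is discarded and the user
            # has to request a fresh one.
            del self._pending[user]
            return "expired"
        if hmac.compare_digest(entry.code_hash, self._hash(user, code)):
            del self._pending[user]   # single use: a captured code cannot be replayed
            return "ok"
        entry.attempts += 1
        if entry.attempts >= MAX_ATTEMPTS:
            del self._pending[user]   # stop online guessing of the six-digit space
            return "locked"
        return "wrong"


def demo() -> Dict[str, object]:
    """Walks through the normal, late-delivery and guessing cases with a fake clock."""
    now = [1_000_000.0]
    svc = OtpService(b"constructed-demo-server-key", clock=lambda: now[0])
    out: Dict[str, object] = {}

    code = svc.issue("alice")
    wrong = "000000" if code != "000000" else "000001"
    out["first_wrong"] = svc.verify("alice", wrong)
    out["then_right"] = svc.verify("alice", code)
    out["replay"] = svc.verify("alice", code)          # already consumed

    code = svc.issue("bob")
    now[0] += OTP_TTL_SECONDS + 1                       # the SMS arrived too late
    out["late"] = svc.verify("bob", code)

    code = svc.issue("carol")
    wrong = "000000" if code != "000000" else "000001"
    out["guessing"] = [svc.verify("carol", wrong) for _ in range(MAX_ATTEMPTS)]
    out["after_lock"] = svc.verify("carol", code)      # even the right code is refused now
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the service never sees or stores the delivery channel itself; everything the article says about carrier security and interception happens between `issue()` returning the code and the user typing it back, which is exactly why the expiry and single-use checks matter.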
A final complication for the mobile worker is that they may need to carry out banking transactions from a foreign country while on assignment. It may not be possible to receive the OTP SMS in that environment.
A user can lose an authentication device or it could be stolen.
On balance, therefore, while it is relatively easy to set up and implement, two-level authentication using SMS or email may not provide a sufficient level of security, particularly for corporate online financial management.
Corporate Network Access
It is becoming common for mobile workers to need to use corporate applications while on the road. This has been eased by the increasing availability of Internet access through public WiFi systems in shopping malls, restaurants, and hotels.
Most access is via a VPN with the attendant security features that it offers, but the user will still, at some point, be required to log on to both the VPN and the corporate network. It is at this point that the multi-level authentication environment kicks in.
The downside of implementing a secure environment for remote access is that many authentication systems supporting two-level or multi-level authentication need software to be deployed on the client computer or smart device.
This, in extreme cases, can mean separate authentication environments for logging onto the VPN, the corporate network and the Internet.
From a support standpoint, it creates additional headaches in ensuring compatibility between the various environments, managing version conflicts and compatibility with the corporate applications themselves. However, the problem can be eased with virtualisation and hardware dongles.
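The hardware dongles mentioned above, like the "physical device that provides the second-level passkey" in the banking section, commonly work by computing a code from a shared secret and the current time, so no SMS or email carrier sits in the path. The following is an added example, not code from the article or any vendor; it assumes the device is an RFC 6238 TOTP token (RFC 4226 HOTP keyed by a 30-second time step) and uses the RFCs' published test-vector key as the constructed secret. The verifier side shows the two checks a practitioner wants: tolerance for one step of clock skew between device and server, and refusal to accept a code for a time step that has already been used.

```python
import hashlib
import hmac
import struct

# Constructed demo of a device-generated, time-based code (RFC 6238 TOTP over RFC 4226 HOTP).
# The secret below is the published RFC test-vector key, not a real credential.
RFC_TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, int(now // step))


class TotpVerifier:
    """Server-side check: accepts one step of clock skew, refuses replay of a used step."""

    def __init__(self, secret: bytes, window: int = 1):
        self._secret = secret
        self._window = window
        self._last_counter = -1   # highest time step already accepted for this user

    def verify(self, code: str, now: float) -> bool:
        current = int(now // STEP_SECONDS)
        for counter in range(current - self._window, current + self._window + 1):
            if counter <= self._last_counter:
                continue   # a code for this or an earlier step was already used
            if hmac.compare_digest(hotp(self._secret, counter), code):
                self._last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # These are the last six digits of the RFC 6238 SHA-1 test vectors.
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000):
        print(t, totp(RFC_TEST_SECRET, t))
```

The trade-off the article raises still applies: the shared secret has to be provisioned onto the device or app and protected on the server, and a lost or stolen token must be revocable, but delivery no longer depends on a carrier, which removes the interception and late-delivery problems of SMS and email codes.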
For both home and corporate users, the jury is still out on whether two-level authentication provides sufficient security.
The answer is probably the common one: striking a balance between the security needs of what you are trying to protect and convenience.