Tuesday, April 28, 2015

Three factor authentication for secure access

Some years ago, we did work for an airline that wanted us to build a web portal their crew could access. The client had an IT manager who kept insisting on 3 factor authentication for the login. Our team tried to suggest to him that 3 factor authentication was usually military grade security and the cost burden might not be justified. However, this person had recently returned from the Middle East and said that the login system had to incorporate a SecurID fob that would issue moving token numbers.

I had read up on the internet about 3 factor authentication security at the time, and it appears that this IT manager's notion of 3 factor authentication was a little off the mark. Just adding one more number to the login process does not make it 3 factor.

In theory, the three factors of authentication are
1. Something you (and only you) know - like a password or PIN
2. Something you (and only you) have - like an ATM card or that SecurID fob
3. Something you are - a biometric, like a fingerprint, an iris, or saying a phrase in your own voice. Behavioural traits such as how you say or type something are sometimes split out as "something you do", but they are the same kind of factor: ostensibly only you can do it just right, and others doing it would be discernibly different.

Adding the SecurID fob to a password login was just a more secure version of 2 factor authentication: something you know plus something you have.
A number of high value credit card transactions conducted over the internet in India fall into this category. You not only need the card number with its expiry date and CVV (all of which are things you know, since anyone who has seen the card can type them), but also the mobile phone to which the bank texts a One-Time Password (OTP), which is the thing you have. A fob is the stronger version of that second factor, because an SMS can be intercepted or redirected to another handset, whereas the code on a fob never leaves the device.

A thumb-print scan, retina scan or iris scan on a biometric reader is the third category, something you are, but on its own it is still only one factor, and paired with a password it is still 2 factor authentication. In extreme circumstances, the thumb or the eye can be taken away from you, a la Minority Report, which is why serious biometric readers check that the sample comes from a live person. There is a further caveat: unlike a password, a fingerprint cannot be changed once it has been copied, so a biometric is better treated as a hard-to-forge identifier than as a secret.

What then is a fair example of true 3 factor authentication? Imagine an access system where you have to type a password, enter the code from a fob, and present a thumb-print: something you know, something you have and something you are, one of each. Note that a password plus a thumb-print plus a keyword spoken in your own voice is still only 2 factor, because the fingerprint and the voice both fall under something you are. For that last factor, scenes in a couple of movies come to mind. If you have watched the Vin Diesel starrer The Pacifier, and stuck it out till the very end, you will remember the vault that refuses to open until Vin Diesel does a nonsensical dance set to a nursery rhyme. Start at the beginning of this youtube clip and then skip to 4:15.
Another example is the scene in Richie Rich, where, to open the family vault inside Mt. Richmore, Richard and Regina Rich have to sing a song.

These days, there is talk of 4 factor authentication, with the 4th factor being somewhere you are: the user's location, as derived from the network address, a GPS fix, or the access point they came through. I presume this would be akin to a situation where a weapon cannot fire while on friendly soil.

Incidentally, the airline eventually canned his plan for cost and also for practicality reasons - does a crew member not log in if they left their security fob at home? Last I heard, they had canned him too.
