Delfigo Security - Strong Authentication

Lily Hay Newman wrote a compelling article for Slate.com this week in which she argued that, like the food we eat and the products we buy, software should come with disclosures where our personal data is being put at risk. It seems that we're now hearing about our data being hacked on a constant basis, and there is good reason to worry that many people are tuning out the risk because the sheer volume of attacks makes it seem like there is nothing we can do.

Regulation, and shared standards are one obvious approach to an issue that is so large it can target entire industries while simultaneously effecting well known individual entities. Regulation would presumably standardize levels of risk and more importantly, communicate those risks broadly so that users could have a collective understanding that would have context, but Newman notes: "In the absence of a reliable disclosures, the burden of personal online security largely falls to users. The simpler and more straightforward the demands on them are, the more likely they are to comply. And one of the most important areas to address is passwords." Passwords are used so widely, while being so widely known to be flawed, that they do a good job illustrating the pressing need for change. As she closes her article, Newman argues that dual factor authentication addresses some of the most widespread and exposed risks, while noting that new technologies (such as biometrics) are enabling stronger authentication without complex requirements for end users.

We all know that when a new OS release comes out, it's probably a good idea to update iPhones and iPads. If you're a little behind though, specifically if you haven't upgraded to 8.1.1, your iPhone or iPad is vulnerable to the kind of brute force hack described here. If you have an older device and are unable to upgrade, your device remains vulnerable.

'“It’s always been known that having a 4-digit PIN on your phone is inherently insecure however the ‘erase data after 10 invalid attempts’ configuration setting was seen as somewhat of a mitigation in many circles,” said Dominic Chell, director at MDSec. “We believe that the device is able to evade this constraint by aggressively powering off the iPhone after each PIN entry attempt is made, but before the failure has been committed to flash memory – it does this by directly powering the iPhone itself.”'

Being aware of this kind of vulnerability is the first step, but insisting on a higher level of security for access to our devices is the next one. As we do more and more on our devices, it is increasingly necessary to understand the security threats that can compromise them, and search for ways to mitigate the risk.

User Experience is a widely discussed topic in and beyond the security space. Previous posts here have cited the need to provide seamless and even transparent ways to secure mobile apps and transactions, in order to to enhance both security and adoption. This article examines that concept and points out that "no experience" is often the best user experience in a wide range of contexts.

The author says quite plainly "...unless your name is Disney, your customers almost certainly aren’t coming to you for an experience at all. They’re coming to you because they want to solve some problem or meet some need, and they think your company has a product or service that will help them do that – whether it’s feeding the family a meal, or fixing their car, or maybe communicating with a friend." This idea speaks directly to the notion that frictionless experience is king with end users, who are most likely looking to accomplish something as opposed to "experience" something when accessing an application or doing an online transaction. While security sometimes requires that the user devote some amount of effort to participate in authentication, access a secure environment, or protect valuable information, end users are still likely to embrace a frictionless experience - making them more likely to embrace security technologies that are designed with this in mind.

One time passwords are commonly viewed as an easy to use strong authentication method, a recent report by the Javelin Group and Nok Nok Labs suggests that heavily relying on OTP, especially on Android, carries a significant risk of fraud, as hackers figure out ways to compromise the secure messages this method of authentication relies on. With a high percentage (41%) of Android users using OTP with their financial accounts last year, it is important for users to understand the risks and that all strong authentication methods are not created equal.

The report recommends that users "Use the effective authentication capabilities of the mobile device. To protect mobile users and their accounts from vulnerabilities associated with the use of passwords, take advantage of hardware integrated into mobile devices to protect all channels. More secure solutions, such as those based on biometrics, can be delivered directly to consumers without the cost of providing additional hardware."