Browsed by
Month: December 2016

Authentication: Achieving the Right Balance Between Security and Access

With the growth of technology, the safety of information is increasing, but so is the risk of losing it. Computer authentication systems have two simple requirements: they must keep the bad guys from gaining access to your account, and they must let you access your account. Both matter, and every authentication system is a balancing act between the two. With too little security, the bad guys will get in with no trouble. But if the authentication system is too intricate, restrictive, or hard to use, you will not be able to use it, or will not bother to.

Access to information, whether on a tablet, a laptop or a smartphone, and from any part of the world, is now a fact of modern life. Administrators need to work on data on the go and on all devices if they are to keep up with an ever more connected world. Yet firms are under strain because they are not able to offer workers protected access to the systems they need.

Balancing safety and usability is difficult, and many organizations get it wrong. But the balance is also evolving: organizations that need to tighten their security continue to push more elaborate authentication methods, and more savvy Internet users are ready to accept them. IT administrators should surely be leading that evolutionary change.

There is a new method that has been introduced to make everything simple yet protective! It is called the Adaptive Authentication method.

Using adaptive authentication is a way to match user verification to the potential risk of access!

This new kind of authentication can identify variations in our activities; it is not static, and context is vital. For example, is a person using the same device in their usual setting? What else have they accessed lately? Does everything look normal?

Because much of the analysis is carried out behind the scenes, the technology is stress-free for you. When the risk is low, it can authenticate you effortlessly, without the need to re-enter credentials. But when the risk is high, further validation is required from the user. Because this dynamic approach to authentication is particularly important for users away from the office, it is important that this experience can be provided on most devices.

Facebook uses a comparable kind of authentication. Whenever a person logs on, its servers look at data such as the network they are logging on from, the browsers or devices that person usually uses, and the third-party apps they have linked to their account. If something is odd, Facebook asks the user to confirm their identity, either by sending a code to the person's phone or by asking questions that only that user can answer.

Social media is not the only area using adaptive authentication. Financial services and healthcare providers are prominent internationally in adopting this unconventional form of security because of the possible loss of client data, money and trustworthiness.
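The decision described above can be sketched as a small risk-scoring routine. This is an added example, not code from any vendor or from Facebook; the signal names, weights and the step-up threshold are hypothetical values chosen for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical weights and threshold (assumptions, not values from any product).
WEIGHTS = {"device": 40, "network": 25, "browser": 15, "resource": 20}
STEP_UP_AT = 40

@dataclass
class Profile:
    """Context previously seen for one user."""
    devices: set = field(default_factory=set)
    networks: set = field(default_factory=set)
    browsers: set = field(default_factory=set)
    resources: set = field(default_factory=set)

def unusual_signals(profile: Profile, login: dict) -> list:
    """Return the names of the context signals that differ from the user's history."""
    seen = {"device": profile.devices, "network": profile.networks,
            "browser": profile.browsers, "resource": profile.resources}
    return [name for name, known in seen.items() if login[name] not in known]

def decide(profile: Profile, login: dict) -> tuple:
    """Low risk: allow silently. High risk: demand a second proof of identity."""
    signals = unusual_signals(profile, login)
    score = sum(WEIGHTS[name] for name in signals)
    return ("step_up" if score >= STEP_UP_AT else "allow", score, signals)

def remember(profile: Profile, login: dict) -> None:
    """Call only after the login fully succeeded, including any step-up check."""
    profile.devices.add(login["device"])
    profile.networks.add(login["network"])
    profile.browsers.add(login["browser"])
    profile.resources.add(login["resource"])

# Constructed sample history and login attempts.
ALICE = Profile({"laptop-1"}, {"office-net"}, {"Firefox"}, {"mail", "wiki"})
USUAL = {"device": "laptop-1", "network": "office-net",
         "browser": "Firefox", "resource": "mail"}
TRAVEL = {**USUAL, "network": "hotel-wifi"}
ODD = {"device": "phone-9", "network": "hotel-wifi",
       "browser": "Chrome", "resource": "payroll"}

if __name__ == "__main__":
    for attempt in (USUAL, TRAVEL, ODD):
        print(decide(ALICE, attempt))
```

Updating the profile only after a completed step-up keeps an unverified login from teaching the system to trust a new device.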

Is Two-Factor Authentication the Solution to Protect Cloud Services?

Two-Factor Authentication

These days, unless you go to unusual lengths, nearly every bit of your private and professional life passes through a cloud service. The risk of having important cloud credentials compromised is too great to rely on guarding them with nothing more than a password. An attacker who gains access to an important cloud service, particularly e-mail, can carry out surveillance or sabotage, or simply cause mayhem.

The way out is to turn on two-factor authentication for every vital cloud service you use, particularly those tied to professional accounts. Two-factor authentication is a security procedure in which the user provides two means of identification from distinct categories of credentials; one is typically a physical token, such as a card, and the other is typically something memorized, such as a security code.

With 2FA enabled for a cloud service, any attempt to sign in on a device the system does not recognise requires entering a secret code that is received as a text message or generated by an authenticator application on your previously registered smartphone.

Two important two-factor authentication techniques are:

  • One-Time Passwords

One-time passwords (OTPs) are a method of ‘symmetric’ authentication, where a one-time password is generated simultaneously in two places: on the authentication server and on the hardware or software token in the user’s possession. If the OTP generated by your token matches the OTP generated by the authentication server, then authentication succeeds and you are allowed access.

  • PKI Authentication

PKI authentication is a method of ‘asymmetric’ authentication, as it depends on a pair of different encryption keys: a private and a public encryption key. Hardware PKI tokens, such as smart cards and USB tokens, are designed to store your secret private encryption key securely.

When authenticating to your network server, for instance, the server issues a numeric ‘challenge.’ That challenge is signed using your private encryption key. If there is a mathematical correspondence between the signed challenge and your public encryption key, then authentication succeeds and you are granted access to the network.
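The challenge-response exchange described above, as an added example that is not part of the original post. It assumes the third-party Python `cryptography` package and uses Ed25519 as the signature scheme (the post names no algorithm); the `Token` and `Server` classes are hypothetical stand-ins for a smart card and a network server.

```python
import secrets

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

class Token:
    """Stands in for a smart card or USB token: the private key never leaves it."""

    def __init__(self):
        self._private_key = Ed25519PrivateKey.generate()
        self.public_key = self._private_key.public_key()  # given to the server

    def sign(self, challenge: bytes) -> bytes:
        return self._private_key.sign(challenge)

class Server:
    """Holds only public keys, so a server breach leaks no signing secrets."""

    def __init__(self):
        self.enrolled = {}  # username -> public key
        self.pending = {}   # username -> outstanding challenge

    def enroll(self, user: str, public_key) -> None:
        self.enrolled[user] = public_key

    def challenge(self, user: str) -> bytes:
        # A fresh, unpredictable challenge per attempt defeats replayed signatures.
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]

    def verify(self, user: str, signature: bytes) -> bool:
        challenge = self.pending.pop(user, None)  # each challenge is single use
        if challenge is None or user not in self.enrolled:
            return False
        try:
            self.enrolled[user].verify(signature, challenge)
            return True
        except InvalidSignature:
            return False

if __name__ == "__main__":
    # Constructed sample exchange for a user named "alice".
    server, token = Server(), Token()
    server.enroll("alice", token.public_key)
    signature = token.sign(server.challenge("alice"))
    print(server.verify("alice", signature))  # valid response
    server.challenge("alice")
    print(server.verify("alice", signature))  # old signature, new challenge
```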

Is two-factor authentication secure?

Opponents argue that, should a thief gain access to your computer, he will be able to boot up in safe mode, bypass the physical verification procedures, probe your system for all PINs and enter the data manually. In that circumstance, at least, two-factor authentication is no more secure than the use of a password alone.

When Two-Factor Authentication becomes insecure, Multi-Factor Authentication is the solution!

Multi-factor authentication will stop a lot of the identity theft that is associated with stolen passwords. There are additional categories of multi-factor authentication that do not involve one-time passwords, in which a random number passcode is generated and sent to the user.

There are biometric methods such as fingerprint and voice identification, random compound-question authentication, and services such as OpenID that let you connect more securely to sites and services with a minimal chance of a stolen ID.

The Future of Selfie Payment Authentication

Online payment has taken the place of cash transactions. Decades back, people preferred carrying cash in a purse rather than choosing online transactions, as it was easier to pay. But now online payment has gained more exposure thanks to online marketing. With technological advances aimed at making online payment more secure, a new way of authenticating online payments has been launched by Master Card: the Selfie Payment Authentication process.

What is Selfie Payment Authentication?

Taking a Selfie is a huge craze among people, and now you can make payments by taking one. Master Card has already started using facial bio-metrics for payment authentication, which means you can pay through your mobile and authenticate the payment by taking a Selfie.

Bio-metric authentication is one of the most secure ways of authenticating any transaction, so Selfie payment authentication is the future of secure online transactions.

Advantages of the Selfie Payment Authentication Process

Secured Process: –

Passwords, OTPs and other authentication processes have become old-fashioned and obsolete, and on top of that they are easy to forget. In the last few decades, these processes have faced many cyber-threats, which have led to the loss of millions of dollars. Selfie authentication, by contrast, ensures both identity and authentication by connecting an individual's human identity to their online identity. It is one of the most secure forms of authentication.

The inclusion of bio-metric authentication in the Multi-Factor Authentication process is considered the safest option, and Selfie payment authentication uses the same bio-metric authentication process.

Nothing to Remember: –

Remembering a password or username can be a daunting task, because easy-to-predict passcodes are unsafe and leave you more vulnerable to cyber threats. With Selfie Payment Authentication you don’t need to remember anything: just smile and click a pic of yourself, and the authentication is done, in the safest manner.

How the Technology Works

Master Card’s new take on the authentication process is one of the many kinds of bio-metric authentication being worked on by many companies to enhance online security. Fingerprints, retina scans, palm scans and many other processes are used for secure bio-metric authentication; likewise, the new Selfie Payment Authentication process scans your image to authenticate you.

It is a very simple technology: instead of typing a password to authenticate a payment, you simply click a Selfie to authenticate your identity and complete the transaction.

The technology assigns values to features of the face in the picture, such as its shape and the length of the nose, to verify the identity and complete the transaction.

To some people it may seem weird to take a Selfie every time to complete a transaction, and a few may assume that such a simple process is not secure. But it is a much more secure way of authenticating, as it is very hard to fake bio-metric information; on top of that, Master Card's Selfie Payment Authentication system has users blink in front of the camera to ensure the picture is of a real person and not just an image.

So, welcome the future of authentication with Selfie Payment.

Why is SMS-based OTP becoming a thing of the past?

Two-factor authentication has become very popular, and for it to work effectively a temporary code needs to be generated on the mobile device in addition to the password. Over the past few months it has been observed that SMS-based OTPs prove to be the weakest link. For example, earlier this month the activist DeRay McKesson found that his Twitter account had been hacked to tweet pro-Donald Trump messages despite having a two-factor authentication mechanism in place. This was done by redirecting the text messages to a different SIM card, which could reveal the one-time passwords.

How is SMS-based OTP vulnerable?

Text or SMS is not a convenient way of sending you the secure password. There are a few ways in which attackers can compromise text messages. Firstly, social engineering techniques can be used: the attacker calls the service provider and asks for the messages to be redirected to another number. This situation can be avoided if you have asked the provider to set a PIN on your account. Secondly, the messages can be easily intercepted using a device called an IMSI (International Mobile Subscriber Identity) catcher. These devices are quite expensive, but you never know whether one may be used to capture your messages. Thirdly, the protocols that allow the telecom industry to exchange data between networks can be exploited. For example, earlier this year a vulnerable protocol was identified: Signaling System 7. In another case, as you might be aware, Twitter still uses an SMS-based OTP system to verify its users, and recently a spokesperson commented on behalf of Twitter that they are in the process of discovering other solutions to bypass SMS-based tokens.

What is the solution?

A preventive measure must be employed to protect against tampering with SMS-based one-time passwords.
Solutions such as hardware tokens can be used. While performing a transaction, the one-time password is generated on the token supplied by the provider and can be used as an effective security mechanism. Another option is a one-touch authentication mechanism, which allows the transaction to be executed with a one-touch notification on a smartphone. Lastly, you can easily install an application on your smartphone that generates random one-time passcodes in real time; these are coupled with your online accounts and can be used for secure authentication.

Security is always based on risk but you need to be proactive and move ahead and change your policies according to the rapid changes in technology.

End of SMS based Authentication

What is SMS-based authentication?

SMS is used as the second step of two-factor authentication. Once you enter the username and password, a one-time code is sent by SMS, which completes the login process. With each passing day hackers are developing new ways to crack SMS texts. SMS-based authentication is highly insecure and prone to cyber attacks, as anyone can take the phone and use the code. There is no way to verify whether the person receiving the code is the right recipient. There have been incidents where hackers have broken this mechanism by directly contacting mobile phone service providers.

How unsafe is SMS OTP?

SMS-based authentication is highly vulnerable to attacks in which the attacker's only aim is to acquire the OTP, as the messages can be easily intercepted or redirected. Hackers can attack SMS using a VoIP service and so gain access to accounts that use two-factor authentication by SMS.

Another form of threat is the wireless threat, in which an unauthorised device is placed on the wireless network to record an individual’s activity, including SMS. Also, the GSM technology used for delivering SMS to the intended recipients is considered insecure due to a weak encryption algorithm and a lack of mutual authentication.

Mobile phone trojans that intercept SMS are on a sharp rise. These trojans are specifically created and designed to steal OTPs sent by banks in text messages. Another kind of mobile malware used for attacks is the SMS OTP Trojan, malicious software installed by the user; it relies on social engineering to deceive the user into installing it.

The SIM swap attack is one of the latest frauds hitting the market. The attacker uses social engineering to persuade the victim’s mobile operator to port the number to a SIM possessed by the attacker. The attacker then receives all incoming calls, text messages and bank one-time passcodes, and can perform various frauds using the personal information gathered along with the OTPs acquired by SIM swapping.

Some of the common limitations associated with SMS OTP are delays in receiving the SMS OTP, disabled roaming service preventing the bank from sending the user the SMS OTP, the cost to the bank of sending SMS, and network coverage problems.

The alternatives to consider when implementing two-factor authentication are biometrics, secure mobile apps that generate time-based codes, and cryptographic chips. These options must be used to eliminate SMS-based authentication and make the future secure.

What is the solution?

A preventive measure must be employed to protect against tampering with SMS-based one-time passwords. Solutions such as hardware tokens can be used. While performing a transaction, the one-time password is generated on the token supplied by the provider and can be used as an effective security mechanism. Another option is a one-touch authentication mechanism, which allows the transaction to be executed with a one-touch notification on a smartphone. Lastly, you can easily install an application on your smartphone that generates random one-time passcodes in real time; these are coupled with your online accounts and can be used for secure authentication.

Security is always based on risk but you need to be proactive and move ahead and change your policies according to the rapid changes in technology.