In December 2014, Synaptics announced Natural ID, a small biometric sensor that makes fingerprint reading faster and better suited to common UI behaviors. Today, Synaptics announced the SmartBar, a capacitive touch space bar designed to take advantage of underutilized keyboard space. Synaptics also announced Natural ID integration into PC mice, showing that FIDO-ready PC peripheral integration is a reality.
These are promising and significant developments for security. The 2015 Verizon DBIR shows that passwords continue to be the weakest link in the security chain. With DefiniSec's commitment to minimizing sensitive data exposure using two-factor authentication, we see a great opportunity in the convergence of these technologies: removing the inconvenience of the 2nd factor while retaining a high degree of security. This Insights offering explains the drawbacks of some traditional two-factor approaches and highlights the advantages these capabilities make available.
Challenges with Two Factor Authentication
Two-factor authentication is essential to ensuring that only the proper people gain access to secured assets. By combining a password (something you know) with a token (something you have), an attacker's task of gaining unauthorized access to protected materials becomes far more difficult. As with any technology, there are numerous ways to apply the two-factor approach, and some of today's deployments are less secure than they seem.
Of the problematic situations, we most often see a 2nd factor used as an Access Gate. In this scenario, a user provides a username and password along with a 2nd factor token to gain access to protected assets. Problems arise when the act of providing both authentication factors grants access to a large amount of protected material - far more than necessary for any single transaction - and for extended periods of time. This unnecessarily exposes additional resources to attackers that "piggy-back" on legitimate user actions, and it becomes especially prone to breach events when the authorization timeframe is extended. We have seen more than a few cases of remote access VPNs used by at-home workers who log in using a 2nd factor but remain logged in for days, if not weeks, only because the software and systems do not preclude it. A successful breach of the home network and computing resources would offer an attacker extended time to obtain materials available to the end-user, who is not present.
Another example can be found in USB sticks that provide second factor services. While one is plugged into the host computer, a user need only provide a password to access sensitive materials. Most often the USB stick remains attached even when not needed, again giving attackers who can compromise a password the opportunity to access protected content.
Using Proof of Physical Presence
Requiring a user to touch a sensor before cryptographic material is emitted for authentication greatly improves the security of a second factor token, because physical presence is required for each requested operation. This removes much of the exposure noted in the problematic cases above by providing more granular control and limiting exposure to each individual user event.
This, however, increases the frequency of touch events, which becomes cumbersome and annoying for users. Synaptics' announcements indicate positive traction for biometric fingerprint reader integration with PC mice. This simplifies the act of providing a second factor, since touching the mouse is close to the natural state of regular computer use. Because the mouse alone does not cover every use case, integration with a capacitive SmartBar can provide a stronger sense of retained physical presence across transactions and further control over operations on protected material.
Thus, the mouse-integrated biometric fingerprint sample can be used to enable access to a single protected file, while ongoing capacitive SmartBar actions reset timers that, when they time out, automatically lock down plaintext materials from any access. Together these provide granular access controls and ongoing physical presence requirements, delivering the exposure reduction that is critical to successful enterprise risk management.
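As an added illustration (not DefiniSec's or Synaptics' code), the following Python model captures the policy just described: each file open spends one fresh fingerprint event, SmartBar presence events renew an inactivity timer, and when the timer expires every open plaintext is locked at once. The timeout values, event ids, file names and contents are constructed for the walkthrough.

```python
from dataclasses import dataclass, field


@dataclass
class PresenceGatedStore:
    """Per-file 2nd factor plus a presence-renewed inactivity timeout (model only)."""
    timeout_s: float                  # SmartBar inactivity window, seconds (constructed)
    freshness_s: float = 2.0          # max age of a fingerprint event when spent
    open_files: dict = field(default_factory=dict)   # path -> plaintext held in memory
    used_events: set = field(default_factory=set)    # fingerprint event ids already spent
    last_presence: "float | None" = None             # None: no live presence window

    def open_file(self, path, plaintext, fp_id, fp_at, now):
        """Spend one fresh fingerprint event per file; no reuse, no stale events."""
        self._expire(now)
        if fp_id in self.used_events or now - fp_at > self.freshness_s:
            return False
        self.used_events.add(fp_id)
        self.open_files[path] = plaintext
        self.last_presence = now
        return True

    def presence_event(self, now):
        """A SmartBar touch renews a live window but cannot reopen an expired one."""
        self._expire(now)
        if self.last_presence is not None:
            self.last_presence = now

    def read(self, path, now):
        """Plaintext is readable only while the presence window is live."""
        self._expire(now)
        return self.open_files.get(path)

    def _expire(self, now):
        """On timeout, lock down every open plaintext together."""
        if self.last_presence is not None and now - self.last_presence > self.timeout_s:
            self.open_files.clear()
            self.last_presence = None


def demo():
    # Constructed timeline: open, heartbeat, attempted reuse of one touch, then timeout.
    s = PresenceGatedStore(timeout_s=30)
    opened = s.open_file("a.txt", "secret A", fp_id=1, fp_at=0.0, now=0.5)
    reused = s.open_file("b.txt", "secret B", fp_id=1, fp_at=0.0, now=1.0)
    s.presence_event(now=25)                 # typing on the SmartBar keeps the window alive
    live = s.read("a.txt", now=50)           # 25 s since last presence: still readable
    locked = s.read("a.txt", now=90)         # 65 s idle: plaintext locked down
    s.presence_event(now=91)                 # a touch after expiry does not unlock
    return opened, reused, live, locked, s.read("a.txt", now=92)
```

The returned tuple shows the first open succeeding, the second open rejected for reusing the same touch, the read inside the window succeeding, and both reads after the timeout returning nothing.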
Bringing Technologies Together
The host impersonation threat is one of the more difficult threat vectors to control. Today's announcements provide proof positive that our path of integrating fine-grained two-factor authentication is in alignment with industry needs. By using a proper combination of Natural ID with SmartBar, :Access achieves the typically elusive combination of strong security and practical user workflows necessary to protect against today's advanced threats without reducing productivity and efficiency.
This article was published June 3rd, 2015