The building blocks of a successful authentication infrastructure

In this interview, Josh Alexander, CEO of Toopher, discusses how an increasingly mobile workforce shapes the way an organization deals with authentication issues, provides advice to a CISO with the task of upgrading an outdated authentication infrastructure, and much more.

How does an increasingly mobile workforce shape the way an organization deals with authentication issues?
This is a great question as it’s a rarity when the growth of a mobile workforce actually makes a task easier.

In authentication, we know there are three ways to authenticate you. We’ve already discussed these to some degree, but it’s something you know (passwords), something you are (biometrics), or something you have (key). We’ve already put the first two through the ringer, so let’s chat about the “something you have.” Historically the something you have for the enterprise workforce has been a hard token – you know, that little plastic key fob with the code that changes every 30 to 60 seconds. These present unique challenges to use and administer, which has opened the door to transform the “something you have” from this separate piece of hardware to the user’s mobile device.

The use of the mobile device as the second factor of authentication is the logical way forward. With this newly minted and fast growing mobile workforce, large organizations can take advantage of their workforce’s willingness to carry authentication technology with them everywhere they go. The next logical extension is to harness the additional low hanging fruits. If a mobile workforce is willing to carry a mobile device with them everywhere they go, shouldn’t we be able to leverage the technology embedded in these mobile devices to create authentication decisions based on the contextual-awareness of these mobile devices?

What advice would you give to a CISO with the task of upgrading an outdated authentication infrastructure?
You can do a whole lot with very little time and money.

Gone are the days of needing months to scope and integrate an authentication infrastructure. Sure, do your homework, prove the concept, and phase in the new technology, but changes to authentication do not have to come in one fell swoop, nor do they need to involve months or even weeks of integration and setup. If you can’t make changes to an enterprise authentication scheme in a matter of days, then someone is doing something wrong. Additionally, I recommend you option into the new platform; unless the legacy platform has failed, there’s no rush to immediately abandon the existing platform. Phasing into a new platform as you rely less and less on a previous infrastructure allows for comparative analytics and a fail-safe if any issues are encountered in a phased deployment.

What are the essential building blocks of a successful authentication infrastructure for a large organization?
I think even before we get to the building blocks of authentication, we should outline why authentication plays such an important role within a large organization.

If we harken back to the fraud triangle, we remember that the three primary elements necessary for fraud are incentive, rationalization, and opportunity. Large organizations have been – and will continue to be – susceptible to the cornerstones of fraud as these organizations present both large incentives and simple rationalizations for perpetrating these transgressions. The incentives are high because large organizations are typically well funded and resource-rich, while at the same time, large organizations are projected as inhuman, which makes it easier to justify the nefarious action (e.g., “I’m not really hurting anyone” or “this massive organization owes me”). Being at a distinct disadvantage with respect to these two elements of the fraud triangle puts a significant burden on the large organization to limit the opportunities of would-be fraudsters. Limiting access to commit these actions creates a clear and present need for sound authentication infrastructure within a large organization.

Now – to your point – the essential building blocks of authentication infrastructure for a large organization are the USES (Usability, Security, Economics, and Scalability).

The first parameter, Usability, may be the most important, yet it is often overlooked. Even the slightest modifications of a user’s behavior will introduce friction in the user experience, and friction kills adoption. Users will go to great lengths to avoid the friction, even if they would gain security. For example, we recently worked with a large organization that was looking to replace an older form of authentication for their employees’ remote access; when the organization forced their users to modify their behavior to access the VPN more securely, the users rejected the solution and simply stopped logging in remotely, which lowered the productivity of the entire organization.

Usability has often been overlooked because of the antiquated notion that stipulates that usability and security are at odds – delivering a more usable solution necessarily meant delivering a less secure solution and vice versa. However, this is no longer the case. Technological advances and the ability to draw context into specific authentication requests have now enabled the large organization to provide an optimized user experience while simultaneously enabling the most robust security. So, what does an optimized user experience look like? An optimized user experience for authentication should look and feel the same before and after the solution was implemented; anything less will create cracks in the authentication infrastructure. If you require your users to routinely pull anything out of their pockets, then your usability is poor.

The second building block of authentication is Security. While this may seem like a given, the unfortunate fact is that most authentication schemes have significant security flaws. Relying exclusively on passwords is unwise as passwords are easily broken and as such have proven to be terribly weak security by themselves, and even the best passwords are only as good as the manner in which they are maintained, from both the user and the administrators perspective. If everyone in a large organization has a single, unbreakable password, but the password vault is compromised, then the strength of the individual passwords is for naught. And how many of us create a wicked good password and only use it once? Exactly, even those of us who should know better treat a good password like an elementary school painting – we spend all day working on it and want to make sure we get good mileage out of all of our work, so we use it everywhere we can. This introduction of systemic risk is a huge problem, and we’re just getting started. Unfortunately, the frequency and gravity of attacks will get worse, as the systemic risk introduced by poor security methodology is not limited to passwords.

The very nature of physiological biometrics creates an even more pernicious vector of systemic risk. I’m not dismissing biometrics, but we should appreciate the fact that what makes them incredibly useful is the same thing that creates massive leverage in an authentication infrastructure. Look, my thumbprint is unique (I’m not a twin); but what happens when I scan that thumbprint? My thumbprint is no longer unique – it is now a quantitative representation of my thumbprint, and that string of characters that act as a virtual substitute for my beautiful and immutable thumb are replicable. In fact, the only thing I’ve really done is turn something effectively unique into something that is effectively not unique; said another way – I’ve turned something unique into a password, and, as we’ve seen time and time again, passwords are easily broken.

As grim as this seems, this is only really half the issue. The other half of this problem is that the wonderfully unique aspects of who I am are in fact limited (he said without ego). I only have two thumbs, ten fingers, two eyes, and one face. Without the introduction of some gecko DNA, the inability to generate new unique aspects of my personal features will necessarily introduce more systemic risk into an authentication process. I’m likely to use the same thumbprint to login to multiple systems, which is precisely what I don’t want my users to do if I’m administering an authentication infrastructure. This is a major and often overlooked security issue: what new security vulnerabilities do I introduce by changing something?

The newest, most common vulnerability caused by authentication technology is repetition poisoning. Repetition poisoning is caused by continuously asking a user to manually authenticate requests. The constant interaction for the same arbitrary requests trains the user to habitually affirm actions without regard for the content or the request. This vulnerability effectively violates two of the cornerstones of authentication: Usability and Security. The repetitive hassle impairs the usability while simultaneously creating a vulnerability that impairs the integrity of the security of the solution.

The final two parameters of authentication infrastructure, Economics and Scalability, should be considered together. Authentication is an incredibly important and non-complicated aspect of security; as such it could historically be very expensive (given its importance) or inexpensive (given its complexity). However, I’d like to present an argument that given both its importance and the lack of complexity, good authentication should be a right, not a privilege. As a result, everyone and anyone within a large organization should have the ability to assert their authentic identity easily and effectively without a massive price tag. This newfound right, though, has even greater implications.

The modern large organization does not have a single point of entry. In days of yore (read: like ten years ago), large organizations only had a few points of authentication – perhaps for local access and remote access, and likely only one required multi-factor authentication (remote access). However, today’s large organizations are reliant on many applications and points of remote access. As such, a scalable authentication platform needs to spread throughout the organization to afford the organization the levels and layers of security necessary to constrain access to only authentic users. Previous forms of authentication could not offer this level of scalability from a usability or an economic perspective, but for a modern large organization to secure itself from opportunities of exploit, such organizations must be able to deploy an authentication infrastructure that is optimized for usability, secure against both new and old attack vectors, and able to cover the breadth of application at a reasonable price point.

How can an organization make sure the authentication methods they’re using remain strong and relevant for years to come?
I think there’s clearly the standard answer, which is participation in industry and vendor conferences, local security groups, blogs, etc., and I think these are all good and viable ways to stay informed, but more importantly I think organizations should amend the incentives within the organization.

Being the CISO at a large organization is a lot like being a goalie in soccer. Sure, there’s the normal recognition of being part of the A-team, but the job is about how to be in the best position when a ball gets kicked at your face. And as pleasant as that is, there’s the perverse incentive structure in place that reads:

If you’re an attacker and

  • You succeed – then you can rejoice in the spoils
  • You fail – no worries, try again at your earliest convenience.

But if you’re the goalie and

  • You succeed – good, that’s your job – that’s what we pay you to do.
  • You fail – you’re fired.

Much in the same way that we should fully expect to continue seeing fraud throughout the financial industry (financial executives are incentivized to show gains whereas auditors are not incentivized to prevent fraud), so too the incredibly talented security professionals should be expected to fail against the constant barrage of incentivized attackers.

Think about the Great Wall of China – modern CISOs are tasked with defending every inch of the wall, and the would-be fraudster only has to the find the tiniest crack to sneak through.

We could, however, change the game if we create a new incentive structure that enables – nay encourages – organizations to take the position of the attacker, challenging infrastructures and systems before the fraudsters have a chance to exploit a weakness. If an organization could embrace this mentality, then I believe an organization could maintain an authentication infrastructure that would be relevant for years to come.