{"id":8821,"date":"2017-08-21T02:30:17","date_gmt":"2017-08-21T10:30:17","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/08\/21\/news-2594\/"},"modified":"2017-08-21T02:30:17","modified_gmt":"2017-08-21T10:30:17","slug":"news-2594","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/08\/21\/news-2594\/","title":{"rendered":"NIST: In mobile authentication, think hardware, not software"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.techhive.com\/images\/article\/2015\/07\/biometric-data-ts-100594709-primary.idge.jpg\"\/><\/p>\n<p><strong>Credit to Author: Evan Schuman| Date: Mon, 21 Aug 2017 03:00:00 -0700<\/strong><\/p>\n<p>Retail is in an awkward in-between stage when it comes to online security. In shifting their purchasing to online options, shoppers are using both desktop computers and mobile devices. Had they moved straight to mobile, authentication options would be numerous, including selfies and other biometric authentication such as fingerprints.<\/p>\n<p>But the National Institute of Standards and Technology&#8217;s National Cybersecurity Center of Excellence\u00a0(NCCoE) is trying to bolster security and authentication on desktops and mobile devices. It was spurred to tackle its Multifactor Authentication for e-Commerce project because of the realization that increased security in the physical world (with such steps as cards with EMV chips) means that thieves are going to start to focus more on card-not-present transactions.<\/p>\n<p><a href=\"https:\/\/nccoe.nist.gov\/sites\/default\/files\/library\/project-descriptions\/cr-mfa-project-description-final.pdf\">According to the NCCoE<\/a>, its recommendation for initiating multifactor authentication borrows from a technique that is already widely used on retail sites. A user could start shopping online with minimally invasive authentication \u2014 simply username and password or even auto-login. 
But as circumstances merit, more could be required. That decision would be based on factors such as \u201cthe nature of the product, a known IP address associated with the customer, typical geolocation, and consistency with past patterns of online purchases,\u201d NIST said. In other words, your shopping history and use of various devices at various locations would be analyzed to see if you are behaving unusually \u2014 and perhaps are not you.<\/p>\n<p>What is interesting is the nature of the additional authentication the NCCoE recommends.<\/p>\n<p>With desktop e-commerce today, secondary authentication often involves texting a one-time code to a mobile device \u2014 a not terribly secure approach, since the text can be intercepted. A better approach would be to authenticate the desktop device itself via such details as OS version, apps that are loaded, serial numbers of those apps, number of images stored, number and names of songs stored and folder names.<\/p>\n<p>Steven Sprague is the CEO of Rivetz, one of the vendors working with the NCCoE\u00a0on this effort. Sprague argues that a lot of mobile authentication efforts make the mistake of functioning within software. \u201cSoftware code is easily altered, and memory can be copied,\u201d he said. \u201cThe [whole] software process can be observed. You simply cannot hide a secret in the operating system. It\u2019s time to finally do it correctly, with hardened keys within the device.\u201d<\/p>\n<p>Like so much in mobile today, Apple has been leading this fight, starting with the <a href=\"http:\/\/www.iphonefaq.org\/archives\/974225\">iPhone\u2019s hardware chip-based secure element<\/a>.<\/p>\n<p>But to be fair, Apple has a far easier path to hardware security because it has complete control over all iOS devices. 
That\u2019s far from the case in the Google Android world, where it\u2019s all handset manufacturers for themselves.<\/p>\n<p>Realistically, the world is rapidly moving mobile, but the desktop world of laptops and PCs (and, yes, Macs) isn\u2019t likely to vanish for at least five years. But one benefit of a chip-based approach is that it is agnostic regarding mobile or desktop hardware.<\/p>\n<p>But what are the dangers of authenticating devices rather than users? Yes, authenticating a device is easier. The user needn&#8217;t do anything to let a site authenticate the device. But what happens when the device is being used by someone else? Some of the device attributes being considered for device authentication could survive a software wipe.<\/p>\n<p>Of course, authenticating users is more disruptive, requiring some kind of biometrics, such as a fingerprint or a facial scan \u2014 in security parlance, something you are \u2014 or \u201csecret\u201d questions \u2014 something you know.<\/p>\n<p>The NCCoE paper presents hypothetical examples of how authentication could work in specific situations, and challenge questions were part of the process in some cases. But the need to answer such questions can make e-commerce too bothersome for many people. Retailers, always looking for a competitive edge, might opt for less security and more convenience.<\/p>\n<p>Sprague comes back to the hardware device-authentication argument. He maintains that a shopper is very likely to notice a missing phone and do so fast. 
As long as there is an easy and intuitive way for a user to quickly alert authorities that the device is missing and that universal authentication should be shut down, this might work.<\/p>\n<p><a href=\"http:\/\/www.computerworld.com\/article\/3217749\/retail-it\/nist-in-mobile-authentication-think-hardware-not-software.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10554,13860,714],"class_list":["post-8821","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-mobile","tag-retail","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8821","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8821"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8821\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8821"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8821"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8821"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}