July 28th, 2006 by Chandler Howell

I want to pick back up on the discussions from a week or two ago about what threats authentication can protect against. The driver for two-factor authentication to protect on-line banking from phishing attacks is that it makes phishing harder, but this has already been broken up to and including Secured Hard Tokens.

As I see it, this should really be a wake-up call: the security industry’s authentication strategy needs to say (among other things) that it’s time to get over the obsession with authenticating the user and focus instead on the actual threats. First, we should be deploying and using mutual authentication. The reason Man-in-the-Middle attacks work is that it’s easy to impersonate a server.

Overcoming this inertia is going to be hard, because there are a lot of vendors making a lot of noise about how all we need is stronger authentication, by which they usually mean moving away from free credentials (passwords) to expensive credentials (tokens, biometrics, or commercially-issued certificates) which they, of course, would like to sell us.

That’s not to say that there’s not a lot of value in the second factor, but more in some cases than others. Two-factor, combined with pre-shared keys to perform mutual authentication provides excellent protection for VPN connectivity. But in phishing, Two-factor only raises the bar for an attacker, and only to the extent of filtering out the dumb ones. Even they will get toolkits in six months or so, though, and fraud will return to “normal” levels.
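To make the point in the two paragraphs above concrete, here is a toy model (an added example, not code from the original post) of a real-time phishing relay against a one-time-password login, next to a pre-shared-key challenge-response in which the server has to prove it holds the user’s key before the user proves anything. The hostnames, user name, key and “time slot” are all constructed for the example, and binding the proofs to the name the client actually connected to stands in for the channel binding a real protocol (TLS-PSK, SRP and the like) would provide; it is an assumption of the model, not a claim about any product.

```python
"""Toy model (added example): real-time phishing relay vs. PSK mutual authentication.
All hostnames, user names, keys and the time slot below are constructed."""
import hashlib
import hmac
import secrets

SLOT = b"2006-07-28T12:00"  # constructed "time slot" standing in for a token's clock


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so adjacent fields cannot run together."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def otp(key: bytes, slot: bytes) -> str:
    """Six-digit one-time password derived from the token seed and the time slot."""
    return str(int.from_bytes(mac(key, b"otp", slot)[:4], "big") % 1_000_000).zfill(6)


class Bank:
    """The genuine server. Knows each user's pre-shared key (the token seed)."""

    def __init__(self, hostname: str, keys: dict):
        self.hostname, self.keys = hostname, keys

    # One-way scheme: the server authenticates the user, and nothing authenticates the server.
    def login_otp(self, user: str, code: str) -> bool:
        return hmac.compare_digest(code, otp(self.keys[user], SLOT))

    # Mutual scheme: the server proves key knowledge first, bound to its own name.
    def server_proof(self, user: str, client_nonce: bytes):
        server_nonce = secrets.token_bytes(16)
        proof = mac(self.keys[user], b"server", self.hostname.encode(), client_nonce, server_nonce)
        return server_nonce, proof

    def verify_client(self, user: str, client_nonce: bytes, server_nonce: bytes, client_proof: bytes) -> bool:
        expected = mac(self.keys[user], b"client", self.hostname.encode(), client_nonce, server_nonce)
        return hmac.compare_digest(expected, client_proof)


class Phisher:
    """Look-alike site the victim actually connected to. Holds no key, so it can only relay."""

    def __init__(self, hostname: str, real: Bank):
        self.hostname, self.real = hostname, real

    def login_otp(self, user, code):
        return self.real.login_otp(user, code)  # the OTP is still fresh when relayed

    def server_proof(self, user, client_nonce):
        return self.real.server_proof(user, client_nonce)  # cannot forge a proof, only relay one

    def verify_client(self, user, cn, sn, cp):
        return self.real.verify_client(user, cn, sn, cp)


class Client:
    def __init__(self, user: str, key: bytes):
        self.user, self.key = user, key

    def login_one_way(self, endpoint) -> bool:
        # The user types the OTP into whatever site answered; nothing checks the site.
        return endpoint.login_otp(self.user, otp(self.key, SLOT))

    def login_mutual(self, endpoint) -> bool:
        cn = secrets.token_bytes(16)
        sn, proof = endpoint.server_proof(self.user, cn)
        # Expect a proof over the name we actually connected to (modelled channel binding).
        want = mac(self.key, b"server", endpoint.hostname.encode(), cn, sn)
        if not hmac.compare_digest(want, proof):
            return False  # the far end could not prove it holds our key for this host: abort
        cp = mac(self.key, b"client", endpoint.hostname.encode(), cn, sn)
        return endpoint.verify_client(self.user, cn, sn, cp)


KEY = secrets.token_bytes(32)  # constructed token seed shared by Alice and her bank
BANK = Bank("bank.example", {"alice": KEY})
PHISH = Phisher("bank-example-login.test", BANK)  # constructed look-alike host
ALICE = Client("alice", KEY)


def one_way_direct() -> bool:
    return ALICE.login_one_way(BANK)


def one_way_phished() -> bool:
    return ALICE.login_one_way(PHISH)  # relay succeeds: the second factor did not help


def mutual_direct() -> bool:
    return ALICE.login_mutual(BANK)


def mutual_phished() -> bool:
    return ALICE.login_mutual(PHISH)  # client aborts before sending anything the relay can use


if __name__ == "__main__":
    print("OTP direct:", one_way_direct(), " OTP via phisher:", one_way_phished())
    print("mutual direct:", mutual_direct(), " mutual via phisher:", mutual_phished())
```

The relayed OTP login succeeds because the one-way scheme never asks the far end to prove anything; the relayed mutual login fails because the real bank’s proof is computed over its own name and the client checks it against the name it connected to, so the phisher can neither forge the proof nor usefully forward it. Strip the hostname out of the MACs and the relay works again, which is why “mutual authentication” without binding to the channel only moves the problem.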

Unfortunately, the reason that free credentials seem to be failing is generally because people lack the necessary sophistication to protect them, not because they’re somehow inherently weak. Application vendors are trying to solve this problem (both Firefox 2.0 and IE 7 are going to have anti-phishing features). This may help, but only by minimizing the impact of the weakness between the keyboard and the chair, not the one between the client and the server.

The best way to tackle this problem is to minimize the reliance on the weakest link (the user). I don’t claim to have a solution (other than pre-shared keys or some sort of meaningful large-scale PKI, and anyone who reads this ‘blog probably rolled their eyes as soon as they read those words), but if we can get general agreement that there is a problem, then there will be demand (paying customers) for a solution and one will turn up sooner rather than later.

Personally (and I know I have a bit of a bias here, being a big de-perimeterization fan), I think that another problem we should be tackling is that endpoint location should be irrelevant. Within the corporate world, we operate under the paradox that we don’t consider “somewhere you are” to be an authentication factor, then structure most of our risk and security assumptions around which network the endpoints are on (Internet, Intranet, DMZ, etc.). I know it will take significant architectural changes to get to an endpoint-agnostic model, but every journey begins with a single step.

Finally, I believe we should apply security as close to the data as possible, which is fairly congruent to “Location should be irrelevant.” How does stronger authentication move security closer to the data?

As to what we can do about it, I think that promoting protocols which support Mutual Authentication (and using them) should be a key tactical goal for the security profession. This is something we can do today which will put us ahead of the game longer-term as the security assumptions inherent in “somewhere you are” evaporate.

Eventually, we will be forced by events to secure both high-value transactions and high-volume micropayments (think vending machines). We need to be ready for either or both of those, and the current obsession with stronger authentication isn’t going to get us there.

So here are some Real World goals I suggest we should be looking at.

  1. Improved authentication should focus on (cryptographically) strong Mutual Authentication, not just improved assertion of user Identity. This may mean shifts in protocols, it may mean new technology. Those are implementation details at this level.
  2. We need to break the relationship between location & security assumption, including authentication. Do we need to find a replacement for “somewhere you are?” And if so, is it another authentication factor?
  3. How does improved authentication get protection closer to the data? We’re still debating types of deadbolts for our screen door rather than answering this question.
- Posted in Security and Risk Management, Network Security, New Rules of Information Security
