Avivah Litan

A member of the Gartner Blog Network

VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…


RSA SecurID incident should serve as a wake-up call on strong OTP user authentication

by Avivah Litan  |  March 19, 2011  |  2 Comments

The recent cyberattack against RSA’s SecurID system has evoked a very strong reaction from the market, leaving companies and users flustered and worried about what to do next, now that their supposedly strong authentication system has been admittedly weakened.

While it’s too early to know what effect this compromise will have on SecurID’s integrity and strength, we already know – and have known for a very long time – that the protection afforded by OTPs (one-time passwords) communicated through user browsers to web servers can be circumvented relatively easily by Trojans like Zeus. For example, many of the Zeus raids against businesses’ bank accounts have already proven that OTPs, like the ones generated by RSA’s SecurID or its competitors, can give users and their service providers a false sense of security.

True, a layered security approach is always best, and the use of an OTP generator like RSA’s SecurID does raise the bar for the criminals. Many of them will go elsewhere, to non-OTP-protected accounts that are easier to break into.

But the protections afforded by one-time passwords that are communicated through user browsers, whether they are generated by dedicated hardware tokens, mobile apps, software tokens or any other factor, can be circumvented and defeated. They were an essentially weak form of authentication before the RSA SecurID compromise and they remain so today.

Maybe this incident will wake companies up to the need for more controls than just OTP authentication. We offered some suggestions in our 2009 note G00173132, “Where Strong Authentication Fails and What You Can Do About it.” Many companies whose customers’ accounts have been raided have successfully implemented a layered security approach after they witnessed firsthand the need to do so. (It turns out that even RSA sells products that compensate for SecurID and OTP weaknesses.)

While nothing’s perfect, it is unrealistic to expect user authentication done through a ‘non-locked-down’ browser using a one-time password to sufficiently protect sensitive information and data. The latest incident with RSA should serve as a catalyst to acknowledge this fact. So while this incident is indeed yet another piece of bad news, it should be evaluated in context. Thankfully, there are plenty of innovative solutions on the market that can continue protecting our accounts and information.


2 responses so far ↓

  • 1 Garret Grajek   March 20, 2011 at 11:26 pm

    Good points. And I do believe the post on this subject will eventually reveal:

    The whole concept of unilateral, 1-sided (client only) authentication is outdated and out-matched by internet attackers. Sure, this RSA hack may reveal the “secret” algorithm and/or seed records that will help hackers produce the proper token code. But this level of crypto-sophistication has never been necessary – all the SecurID attacker needs is to insert himself, as a man-in-the-middle, for a replay attack on the current token code.

    And for this matter – let’s not pick on the RSA SecurID tokens.

    All tokens, hard and soft, are susceptible to this attack. As are Username/Password solutions, as are the “match the picture” solutions, as are the GRID solutions and so are the biometric solutions that solely rely on digitizing client input.

    Bottom Line: The internet calls for bilateral authentication for secure client/server validation.

    That’s what (has to be) next for the “good guys” on the internet.

    Garret Grajek
    CTO and a Founder of SecureAuth
    http://blog.gosecureauth.com

  • 2 reader   March 27, 2011 at 3:48 pm

    If you have a better solution – go get a patent. Otherwise it is just another blah-blah-blah, and “we told you…”