The recent cyberattack against RSA’s SecurID system has evoked a very strong reaction from the market, leaving companies and users flustered and worried about what to do next, now that their supposedly strong authentication system has been admittedly weakened.
While it’s too early to know what the effect of this compromise will be on SecurID integrity and strength, we do already know – and have known for a very long time – that the protection afforded by OTPs (one-time passwords) communicated through user browsers to web servers can be circumvented relatively easily by Trojans like Zeus. For example, many of the Zeus raids against businesses’ bank accounts have already proven that OTPs, like the ones generated by RSA’s SecurID or its competitors, can give users and their service providers a false sense of security.
True, a layered security approach is always best, and the use of an OTP generator like RSA’s SecurID does raise the bar for the criminals. Many of them will go elsewhere, to non-OTP-protected accounts that are easier to break into.
But the protections afforded by one-time passwords communicated through user browsers, whether the passwords are generated by dedicated hardware tokens, mobile apps, software tokens or any other means, can be circumvented and defeated. They were an inherently weak form of authentication before the RSA SecurID compromise, and they remain so today.
Maybe this incident will wake companies up to the need for more controls than just OTP authentication. We offered some suggestions in our 2009 note G00173132, “Where Strong Authentication Fails and What You Can Do About It.” Many companies whose customers’ accounts have been raided have successfully implemented a layered security approach after they witnessed firsthand the need to do so. (It turns out that even RSA sells products that compensate for SecurID and OTP weaknesses.)
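The weakness described above, and the kind of additional control the layered approach calls for, can be shown concretely. The following is an added illustration, not code from the original post or from RSA or any other vendor: a standard HOTP/TOTP generator (the RFC 4226 / RFC 6238 construction) is checked by a server in two ways. The OTP-only check accepts any fresh code, so it cannot tell that the transaction the code arrived with is not the one the user approved. A transaction-bound code, where the amount and payee are mixed into the computation (as transaction-signing tokens do), is rejected when the received details differ from what the user approved. The seed, timestamp, counter and transaction values are all constructed for the demo.

```python
"""Added demo: why an OTP relayed through the browser protects only the login,
not the transaction, and how a transaction-bound code closes that gap."""
import hashlib
import hmac
import struct

# Constructed demo seed shared by token and server; not a real token seed.
SHARED_SECRET = b"constructed-demo-seed-0123456789"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step."""
    return hotp(secret, unix_time // STEP_SECONDS)


def verify_otp_only(secret: bytes, code: str, unix_time: int) -> bool:
    """The only check a plain OTP gives the server: is the code valid for
    the current step? Nothing about the accompanying transaction is checked."""
    return hmac.compare_digest(code, totp(secret, unix_time))


def transaction_code(secret: bytes, counter: int, amount: str, payee: str) -> str:
    """Transaction-bound code (hypothetical scheme for the demo): the token, or
    an out-of-band device that shows the user the amount and payee, derives a
    per-transaction key from those details before the HOTP computation, so the
    code is valid only for that exact transaction."""
    detail = f"{amount}|{payee}".encode()
    bound_key = hmac.new(secret, detail, hashlib.sha256).digest()
    return hotp(bound_key, counter, digits=8)


def verify_transaction_code(secret: bytes, counter: int, amount: str,
                            payee: str, code: str) -> bool:
    """Server recomputes the code over the transaction it actually received."""
    return hmac.compare_digest(code, transaction_code(secret, counter, amount, payee))


# Constructed scenario: the user approves one transfer, but the request that
# reaches the server carries different details. Here the substitution is just
# a different dict; no browser or malware behaviour is modelled.
USER_APPROVED = {"amount": "100.00", "payee": "ACME Utilities"}
SERVER_RECEIVED = {"amount": "9000.00", "payee": "demo-altered-payee"}
NOW = 1_300_000_000   # fixed timestamp so the demo is deterministic
COUNTER = 42          # token counter for the transaction-bound variant


def otp_only_outcome() -> bool:
    """True means the altered transaction was accepted by the server."""
    code_from_token = totp(SHARED_SECRET, NOW)  # the code the user typed
    return verify_otp_only(SHARED_SECRET, code_from_token, NOW)


def transaction_bound_outcome() -> bool:
    """True means the altered transaction was accepted by the server."""
    code_from_token = transaction_code(SHARED_SECRET, COUNTER, **USER_APPROVED)
    return verify_transaction_code(SHARED_SECRET, COUNTER,
                                   SERVER_RECEIVED["amount"],
                                   SERVER_RECEIVED["payee"], code_from_token)


def unaltered_transaction_outcome() -> bool:
    """Control case: the received transaction matches what the user approved."""
    code_from_token = transaction_code(SHARED_SECRET, COUNTER, **USER_APPROVED)
    return verify_transaction_code(SHARED_SECRET, COUNTER,
                                   USER_APPROVED["amount"],
                                   USER_APPROVED["payee"], code_from_token)


if __name__ == "__main__":
    print("OTP only, altered transaction accepted:", otp_only_outcome())
    print("Transaction-bound, altered transaction accepted:", transaction_bound_outcome())
    print("Transaction-bound, unaltered transaction accepted:", unaltered_transaction_outcome())
```

The OTP-only path reports the altered transaction as accepted, because a valid, fresh code is all the server ever sees; the transaction-bound path rejects it. The point for a layered design is that the binding only helps if the user confirms the amount and payee on something other than the same browser that submitted them.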
While nothing’s perfect, it is unrealistic to expect user authentication done through a ‘non-locked-down’ browser using a one-time password to sufficiently protect sensitive information and data. The latest incident with RSA should serve as a catalyst to acknowledge this fact. So while this incident is indeed yet another piece of bad news, it should be evaluated in context. Thankfully, there are plenty of innovative solutions on the market that can continue protecting our accounts and information.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.