As you may be aware, security professionals are abuzz over the March 17, 2011 announcement from RSA that a severe security breach had occurred on their servers. Although details were not disclosed, it is clear that a compromise of secret server-stored “seed” codes represents a serious and far-reaching weakness of solutions relying on one-time passcode (OTP)-generating tokens. For standard security tokens that display a changing series of digits, these secret seeds are stored on the server and hard-coded into the fob. A compromise of the seed file on the server means that a new fob must be created and distributed to every client; furthermore, security is defeated during the window before such a compromise is detected, and again every time replacement hardware has to be deployed.
The IdentityX solution is not vulnerable to this type of attack, as it employs a multi-layered security approach that does not rely on a simple shared secret. IdentityX technology combines multiple authentication techniques: something you have (a smart phone), something you know (a PIN/passphrase), something you are (multi-modal biometrics such as face, voice, and palm) and even somewhere you are (GPS).
IdentityX is designed to protect against the type of attack being discussed. Consider:
IdentityX is highly configurable, allowing the security policy for a transaction to be tailored to the risk associated with that particular transaction. A bonus of this risk-based approach is that it provides the flexibility to change security policies on the fly in response to future threats. For example, as noted above, if a security breach were to compromise user PINs, an attacker would still need to possess the user’s phone. Nevertheless, the affected company could immediately turn on the added security of voice matching, even while the process of having users change their PINs was under way.
As a backup option, IdentityX does offer an OTP-generating capability similar to the solutions discussed above as an alternative for lower-risk transactions. However, even this option is superior to the security token solutions that were recently hacked. Because IdentityX uses the phone as the physical authentication device (rather than a separate fob), it can easily be updated with new “seed” files without the need to issue new devices. If the OTP secret were to be compromised, even customers using this backup functionality could simply connect and have their secrets replaced, immediately invalidating the attack attempt.
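To make the seed-compromise risk and the re-provisioning remedy concrete, here is an added Python illustration (not Daon's, RSA's or any vendor's code) of the shared-seed OTP scheme described above: a standard RFC 4226/6238 code generator, a hypothetical `OtpServer` whose seed table is what a breach would expose, and a walk-through using constructed seeds in which a copied seed mints valid codes until the user is re-seeded over the air.

```python
"""Added example (not Daon's code): a leaked OTP seed lets anyone mint valid
codes, and re-provisioning a new seed over the air invalidates the leak."""
import hashlib
import hmac
import secrets
import struct

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(seed, counter)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time counter."""
    return hotp(seed, unix_time // step, digits)

class OtpServer:
    """Hypothetical server holding one seed per user, like a token vendor's seed file."""

    def __init__(self) -> None:
        self.seeds = {}  # user -> seed bytes; this table is what a breach exposes

    def enroll(self, user: str, seed: bytes = None) -> bytes:
        """Issue (or accept) a seed and return it for delivery to the user's device."""
        self.seeds[user] = seed or secrets.token_bytes(20)
        return self.seeds[user]

    def verify(self, user: str, code: str, unix_time: int, window: int = 1) -> bool:
        """Accept a code for the current step or +/- `window` steps of clock drift."""
        seed = self.seeds.get(user)
        if seed is None:
            return False
        counter = unix_time // 30
        return any(hmac.compare_digest(hotp(seed, counter + d), code)
                   for d in range(-window, window + 1))

def seed_leak_and_reseed(now: int = 59) -> dict:
    """Breach scenario with constructed seeds (the RFC 4226 test key, then a replacement)."""
    server = OtpServer()
    server.enroll("alice", b"12345678901234567890")
    leaked = dict(server.seeds)                                       # attacker copies the seed table
    before = server.verify("alice", totp(leaked["alice"], now), now)  # leaked seed mints a valid code
    new_seed = server.enroll("alice", b"constructed-new-seed")        # pushed to the phone, no new fob
    after = server.verify("alice", totp(leaked["alice"], now), now)   # stolen seed is now useless
    phone_ok = server.verify("alice", totp(new_seed, now), now)       # re-provisioned phone still works
    return {"leaked_valid_before": before, "leaked_valid_after": after, "new_seed_valid": phone_ok}
```

With a hardware fob the `enroll` step in the middle means shipping a new device; with a phone it is a single provisioning call.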
IdentityX, with its multi-layered, configurable security policies, is clearly the answer to the evolving security threats that are so pervasive today. Daon’s IdentityX solution brings the ingenuity of the world’s leading identity assurance provider to the defense of the 21st century’s digital lifestyle, and its timing couldn’t be better.