Multi-Factor, maybe, but is it really harder to phish?

MIT Tech Review asked me for a general comment on web authentication for their article covering new technology by Delfigo. There wasn’t enough time to look in depth at Delfigo’s technology, so my comments were about multi-factor authentication in general, and whether the additional factors are easily phishable. In other words, it’s interesting if authentication looks at more than just your password, but if it’s just as easy to trick a user into communicating the extra information and replaying it against the authentication server, then it may not be all that useful.

According to the Tech Review article, Delfigo looks at the pattern of how you type your password into the web form with some JavaScript code. I’m guessing this means timing of keystrokes, number of times the delete key is used, etc. Funny, I implemented a very basic prototype of this kind of typing-pattern recognition as a class project based on an idea I’d heard about in some tech magazine; that was back in 1998/1999, and I wasn’t using JavaScript, which didn’t really allow for this fancy pattern detection yet. Oh, and it was really, really crummy and prototypical. But I digress.

Now, if typing pattern detection is all there is to Delfigo’s technology, then it may well be very cool but it may not be particularly useful: it’s easy for me to put up a fake site that tricks the user into typing his password and measures exactly the same things that Delfigo measures, maybe even by simply copying Delfigo’s JavaScript (which I can easily get since it’s downloaded to my browser). After that, I can pass on the password and the extra measurements to the authentication server. In other words, it sounds just as phishable as a password. Now, if Delfigo is doing additional things, like checking where you’re logging in from, and looking for patterns there, then that’s interesting and potentially useful from a security point of view. But the keyboard typing pattern detection won’t serve a real security purpose other than making it a little bit more complicated to phish, and thus potentially redirecting attackers’ efforts to other sites… until Delfigo-protected sites become numerous and valuable enough to attack, of course.

14 thoughts on “Multi-Factor, maybe, but is it really harder to phish?”

  1. Hi Ben,

    I do appreciate your taking time to comment. Delfigo says that they do check for IP address, system configuration, and other factors, which may help a bit. Your point about phishing seems significant to me.

    Best,

    Erica

  2. Hello Ben,

    Thank you for your insights on multifactor authentication and keyboard dynamics. I invite you to schedule a call with me so I can explain how Delfigo is different and show you the security platform in action. In addition to solving a distribution problem there is much more to the Delfigo solution than just keyboard biometrics and a unique typing pattern. I did want to highlight a few items that make our solution platform uniquely different. I hope you understand that a comment to a blog will not do it justice.

    1. Including the keyboard biometrics pattern, Delfigo looks at 14 different identity factors. One important item to note is that the capture component noted in your post, written in JavaScript, is scrambled, and thus the capture routine sequence would have to be reassembled in the correct sequence, assuming a hacker figured out how to rebuild it, and would then have to arrange the sequence of factors in the exact same order that DSGateway expects the capture component to run.

    2. The patent-pending artificial intelligence (AI) based security architecture uses several advanced mathematical algorithms in addition to the capture component to segment the 14 identity factors captured to analyze and assign a confidence factor on “are you who you say you are?”

    3. Using symbolic connectors, Delfigo analyzes data relationships using a semantic network algorithm to thwart fraud attacks.

    4. The advanced mathematical algorithms look for a high degree of precision in the computational results. The algorithms not only look for the keyboard biometrics to match within a degree of confidence; we also check for data relations and patterns across the other identity factors we capture and measure.

    I look forward to speaking with you so I can share the entire Delfigo value proposition and get your perspective.

    Bharat Nair
    Delfigo Security.

  3. Mr. Nair, if Ben got something wrong, why not explain here why Ben’s concerns are invalid? Ben’s criticisms sound quite plausible on the surface. If a blog comment won’t do it justice, how about posting a detailed technical paper on your web site and linking to it? That is, after all, the accepted standard in this industry.

    I found your 4 arguments completely unconvincing:

    1. “Scrambling” the Javascript isn’t going to defeat any kind of serious attack. It’s a speedbump, not a serious defense.

    2. Irrelevant. If a man-in-the-middle can capture and replay the inputs to your “segmentation algorithm”, the details of your algorithm are irrelevant.

    3. Gibberish.

    4. Content-free.

    Given the inability to post a coherent technical defense of the Delfigo system, it sounds to me like it would be prudent to assume that Ben’s criticisms are valid and that the Delfigo system is flawed.

  4. (also sent by email directly to Mr. Nair)

    Hi Mr. Nair,

    Thanks for responding to my blog posting.

    I appreciate the offer for more information about your security product. I believe the best way to review the security of a system is in a public setting. If you have a publication, or a draft of a publication, or a technical white paper, I would be happy to take a closer look assuming that it is publicly available and that I can comment on it freely in public.

    I don’t know your technology, so I cannot say definitively whether or not it provides a significant improvement in web authentication security. However, I agree with David Wagner that your response did not address my concerns regarding whether some of these authentication factors are easily phishable. In particular, bringing up obfuscated JavaScript indicates that you may not be considering the correct Web threat model.

    I hope you’ll consider providing more in-depth technical information about your system, as the best security systems tend to be those that are openly vetted.

    -Ben

  5. Nick,

    Hmmm, that’s awfully close to advertising your product there, but you make a relevant point so I’ll let it go this time around 🙂

    Mutual authentication is great, I agree, though I think it’s a bit of an overstatement to say that you need cryptographic principles to “have a chance.” In particular, it seems that your solution requires an additional token, or an additional software install, and in some cases that’s a deal breaker for ubiquitous web access. I’m not saying that’s bad, but it’s a different category of system that’s not purely web-based.

  6. Sorry Ben, I could also point to the mutual auth wikipedia article, but since I wrote that too, I have a conflict there also 😉. I think a re-think on “purely web-based” and ubiquitous web access for services that are serious enough to warrant two-factor authentication. Do you really want a user logging in from a kiosk in some internet cafe?

    Another option might be to do transaction authentication. But whatever the option, you are right that just doing strong session authentication will not be enough. However, it will be a requirement – part of the foundation.
