Out with the Old and in with the New
I was asked today by a board member to respond to a question from a prospective investor who wanted to know how Live Ensure (our service) differed from two other, let's call them the more traditional, solutions. For the sake of this blog we will call them the Old and the New solutions.
Let me describe the Old Co solutions to you briefly. They both embody technologies which are over a decade old (think RSA), such as tokens and servers (both physical and virtual). Their solutions rely on the user entering a PIN into a browser and thereby satisfying the 'something you know' part of strong authentication.
Here it is, slightly edited.
The biggest weakness of both Old Co solutions is their vulnerability to man-in-the-middle (MITM) and man-in-the-browser (MITB) attacks.
Both require the user to enter a PIN (something you know), i.e. a second factor over and above the user name and password (the single-factor, or weak, authentication).
The user enters this PIN back into the browser, which is as yet not secure and so vulnerable to interception. See this extract from the Old Co 1 site: "In this mode the user is presented with their challenge (security string) in the same channel that they will enter their response (one-time-code). This is generally implemented within a browser."
Here the user is required to 'generate' their PIN by picking out, from a string of digits presented, their PIN based on a pre-agreed arrangement / image / layout. "The user combines their PIN in their head with the security string and enters their OTC within the login screen." (Big opportunity here for user failure and calls to a support centre.)
This is classified as 'security by obscurity' because the two parties are in effect comparing a shared secret. There is no way that the site can determine with 100% accuracy that the person on the other side is the person they claim to be, just that they know the answer to the question. This is the failure of most 2FA solutions today. A hacker sitting in any Eastern European country can satisfy the requirements of the site. This is impossible with Live Ensure (New Co).
• Both Old Co solutions use the browser to convey their PIN (secret); Live Ensure does not, and hence is immune to MITM and MITB attacks.
Live Ensure is a true SaaS and can be integrated into any login form, including all of those covered by both solutions as well as many more. These solutions are limited in their ability to scale because of their manifestation (appliance servers, both physical and virtual).
Extract from the Old Co 1 site: "Old Co service is highly scalable with each appliance capable of supporting in excess of 250,000 active users." Compare this with Live Ensure, which can scale instantaneously to millions of users as quickly as they can enrol.
Old Co 2's ability to scale is limited by virtue of its use of tokens. Here every user needs to be provided with a token, be it physical or virtual. The shortcomings of tokens are well documented: they are expensive, easy to lose and static (they end up in the hands of the 'user' whether legitimate or not), and their seed is hackable (RSA).
• Both Old Co's are difficult to scale. Live Ensure's strength is its ability to scale exponentially without any impact on performance.
Live Ensure is available as a mash-up integration from the web portal. No professional services or system integrators are required to install the solution. This is not the case with either of the Old Co's; in fact, just to get a demonstration you have to write to someone at the company. With Live Ensure you just go to the App Store, download the app, and then go to the website, where a demo can be done instantaneously.
• Both Old Co's products are cumbersome for the enterprise or site to obtain and integrate into their site. Live Ensure is a true SaaS and can be integrated into a site or application within hours by a capable developer.
The pricing for the Old Co 1 solution is not transparent. What is clear is that it consists of a licence fee plus a hardware/appliance fee plus a maintenance fee. The Old Co 2 solution is also vague on pricing, but given that it needs to cover the cost of tokens, it will be pricier than Live Ensure.
• Live Ensure pricing is very clear and simple. It is priced either on a per-user-per-annum basis or on a per-authentication basis. As a true SaaS, the pricing, which includes all maintenance and software upgrades, will be cheaper than either of these solutions, which also require a support / customer centre in order to operate (at what cost?).
Live Ensure is a lightweight, transparent, tokenless SaaS solution that can be implemented across enterprises and websites with equal efficacy. It leverages the device that users already have, a mobile phone, and requires no 'heavy lifting' on the part of the user. There is no PIN or pattern to remember (the first point of weakness of these solutions).
Both Old Co's are enterprise focused (they could never be implemented across a large website), require extensive IT department involvement both initially and on an ongoing basis, and their technology is at least a decade old. There is nothing new or innovative here. Their only strength is their legacy, and like RSA they will soon be supplanted by faster-moving, disruptive and, importantly, more secure solutions. These solutions are basically just fancy PIN generators, a variation on user name and password.
Live Ensure is streets ahead in terms of its use of context for authentication (ensuring the right parties are present in order for authentication to be possible), as well as the strength of the geo factors and behavioural factors now possible with smartphones. This is called defence in depth and is in direct contrast to the security by obscurity advocated by both Old Co solutions. A big failing.
Out with the Old and in with the New?