Out with the Old and in with the New


I was asked today by a board member to respond to a question from a prospective investor who wanted to know how Live Ensure (our service) differed from two other – lets call them ….the more traditional solutions.  For the sake of this blog we will call them the Old and the New solutions.  

 Let me describe the Old Co solutions to you briefly.  They both embody technologies which are over a decade old ( think RSA ) such as tokens and servers ( both physical and virtual).  Their solutions rely on the user entering a PIN into a browser and thereby satisfying the ‘something you know ‘ part of strong authentication.  

Here it is slightly edited.

The biggest weakness of both Old Co solutions are the vulnerability to MITM and MITB attacks.

Both require the user to enter a PIN ( something you know ) ie a second factor over and above the user name and password ( the single factor or weak authentication ).

The user enters this PIN back into the browser which is as yet not secure and so vulnerable to interception.    See extract from Old Co 1 site : “  In this  mode the user is presented with their challenge (security string) in the same channel that they will enter their response (one-time-code).  This is generally implemented within a browser.

Here the user is required to ‘generate’ their PIN by picking out from a string of digits presented their PIN number based on a pre-agreed arrangement / image / layout.  “ The user combines their PIN in their head with the security string and enters their OTC within the login screen. “   ( Big opportunity here for user failure and calls to a support centre)

This is classified as ‘ security by obscurity’  because the two parties are in effect comparing a shared secret.    There is no way that the site can determine with 100% accuracy that the person on the other side is the person who they claim to be  - just that they know the answer to the question.  This is the failure of most 2FA solutions today.   A hacker sitting in any Eastern Europe country can satisfy the requirements of the site.    This is impossible with Live Ensure (New Co).  

Both Old Co solutions use the browser to convey their PIN (secret) – Live Ensure does not hence immune to MITM and MITB attacks.     

Live Ensure is a true SAAS and is able to be integrated into any log in form including all of those covered by both solutions as well as many more.   These solutions are limited in their ability to scale because of their manifestation  (Appliance servers – both physical and virtual )
Extract from Old Co 1 site “ Old Co service is highly scalable with each appliance capable of supporting in excess of 250,000 active users. “    This against Live Ensure which can scale instantaneously to millions of users as quickly as they can enroll.

Old Co 2’s  ability to scale is limited by virtue of its use of tokens.   Here every user needs to be provided with a token be it physical or virtual.   The shortcomings of tokens are well documented.   Expensive,  easy to lose,  they are static ( they end up in the hands of the ‘user’ whether legitimate or not ),  their seed is hackable  (RSA).

Both Old Co’s are difficult to scale.   Live Ensure strength is its ability to scale exponentially without any impact on performance.      

Live Ensure is available as a mash up integration from the Web portal.   There are no professional services nor System Integrators required to install the solution.   This is not the case with either of the Old Co’s.    In fact just to get a demonstration you have to write to someone at the company.  With Live Ensure you just go to the App store download the App and then go to the website where a demo can be done instantaneously.

Both Old Co’s products are cumbersome for the Enterprise or site to get and integrate into their site.   Live Ensure is a true SAAS and can be integrated into a site or application within hours by a capable developer.  

The pricing for the Old Co 1 solution is not transparent.  What is clear is that it consists of a licence fee plus a hardware/ appliance fee plus a maintenance fee.    The Old Co 2 solution is also vague on pricing but given that it needs to cover the cost of tokens will be pricier than Live Ensure.

Live Ensure pricing is very clear and simple.    It is priced either on a per user per annum basis or on a per authentication basis.   As a true SAAS the pricing which includes all maintenance and software upgrades will be cheaper than either of these solutions.   Which also require a support / customer centre in order to operate.   (At what cost ?) 

Live Ensure is a lightweight,  transparent,  tokenless,  SAAS solution that can be implemented across enterprises and websites with equal efficacy.    It leverages the device that users already have – a mobile phone and requires no ‘heavy-lifting’ on the part of the user.  No PIN/Pattern to remember (first point of weakness of these solutions ) .

Both Old Co’s are enterprise focused (could never be implemented across a large website ),  require extensive IT department involvement both initially and on an ongoing basis,  and the technology is at least a decade old.  There is nothing new or innovative here.    Their only strength is their legacy and like RSA will soon be supplanted by faster moving, disruptive and importantly more secure solutions.    These solutions are basically just fancy PIN generators – just a variation on user name and password.  

Live Ensure is streets ahead in terms of its use of  context for authentication (ensuring the right parties are present in order for authentication to be possible) as well as the strength of geo factors and behavioural factors now possible with smart-phones.    This is called defense in depth and is in direct contrast to the security by obscurity advocated by both Old Co solutions.     A big failing.

Out with Old and in with the New ?

Comments

Post a Comment

Popular posts from this blog

The End of Passwords

Finally it seems … the penny has dropped.   Passwords are a poor substitute for real online security.   There is more and more ‘chatter’ about it.    Robin Henry writing in the Sunday Times on New Years Day talks of the end of ‘password hell’ invoking solutions in the pipeline from the Web Gods – Apple and Google.  The talk is of new biometric solutions such as facial and hand movement recognition.  Even IBM is talking this way.  ( http://www.forbes.com/sites/thestreet/2011/12/20/ibms-tech-predictions-for-the-next-5-years/ )  I agree with the notion that passwords are a dying breed but not that biometrics will become vogue.   They are fraught with problems of their own such as reliability, accuracy and the need for referencing of data-bases ( fail !) .    Why are passwords defunct?   Basically they are difficult to remember and they are easy to steal.    The solutions needed are those that require no cognitive load for the user ( the most unreliable participant in this enterprise
Read more

WIKILEAKS - the fuss?

Why all the fuss ? Why the ‘outrage’ at this ‘threat to national security’ ?   Are we really worried that nuclear war is going to break out because of these ‘dirty’ secrets getting out.  As if the North Koreans are going to up the ante any more than their mock charge of last week because of the abuse and scorn heaped upon them by US Diplomats.  ? !    Come on. To me the irony of this bluster is that it is (largely) from the right wing establishment in the US - calling it treason!     Any party that parades a half wit like Palin as a presidential hopeful hardly holds any moral high ground when it comes to protecting the USA.   Her appointment as the ‘leader of the free World’ will be enough to send any level headed American ( let alone any one of their Allies ) into a panicky tailspin at the thought of what she may stumble into ( by accident or design) . So how did these documents get out there?   Poor security.  Plain and simple.   If the US is so worried about this incident su
Read more

CAPITALISM – no longer fit for purpose ?

Image
The vast majority of humanity survive on a few dollars a day.    The economic boom of the last fifty years has benefited a relatively small elite. The fossil fuel driven economy has devastated the planet. Capitalism is the most efficient creator of wealth but it has been derailed and it has led to inequality and environmental degradation on a global scale. Global warming and capitalism’s favourite progeny – globalisation – has triggered social movements,   political discontent and massive migration.    There are more economic and political migrants seeking greener pastures than at any time in history. Increased Government participation in the economy both directly and through regulation is required to temper the excesses of laissez-faire capitalism. Degrowth means uncoupling the link between growth and prosperity.        Adam Smith’s ‘invisible hand’ has been the single biggest driver of the phenomenal economic growth enjoyed globally over the last two hundred years
Read more