Two-factor Authentication - Possession Factors: "Something the User Has"

Possession Factors: "Something the User Has"

Possession factors have been used for authentication for centuries, in the form of a key to a lock. The basic principle is that the key embodies a secret which is shared between the lock and the key, and the same principle underlies possession-factor authentication in computer systems.

There are several ways of attacking such a system, including:

  1. An attacker can learn the shared secret, for example by compromising the authenticator or a management system, reverse-engineering the possession factor, or intercepting the secret during authentication. In the case of a lock and key, the lock can be picked: the pin positions are the secret. In an inadequately secured computer system, for example, a database containing the shared secrets can be read out through SQL injection.
  2. An attacker can steal the possession factor. In the case of a lock and key, the attacker can steal the key and use it before the rightful owner notices the loss and has the lock changed. In the case of a computer system, the attacker can steal the device and use it before the rightful owner notices and has it revoked and a replacement issued.
  3. An attacker can copy the possession factor while it is inadequately safeguarded. An attacker can take an impression of a physical key and make a duplicate; in the case of a computer system, the attacker can clone the device, which is why a device that allows its secret to be read out is no better than a password.
  4. The attacker can intercept the authentication process and masquerade as the authenticator to the party seeking authentication and vice versa, in a man-in-the-middle attack. In the case of the lock and key, the attacker can interpose a dummy lock to model the key, make a copy of the key, and use it in the real lock. In the case of a computer system, the attacker can for example interpose a counterfeit authentication interface (such as a phishing page) that relays the exchange between the legitimate user and the real authenticator in real time.
  5. The attacker can hijack access after authentication. In the case of a lock and key, the attacker can wait until the owner of a key has opened the lock, and then gain access to the locked facility. In the case of a computer system, the attacker can for example use man-in-the-browser malware, session fixation, or session hijacking ("sidejacking") to gain access to a secured facility as soon as a legitimate user has logged in.

The security of the system therefore relies on the integrity of the authenticator and physical protection of the possession factor; with a symmetric shared secret the authenticator's own store of secrets is a target (attack 1 above) and must be protected at least as carefully as the devices. Copy protection of the possession factor is a bonus. This may comprise some form of physical tamper resistance or tamper evidence, it may use a challenge/response to prove knowledge of the shared secret whilst avoiding the risk of disclosing it, and it may involve the use of a PIN or password associated with the device itself, independent of any password that might have been demanded as a first factor. A challenge/response will not defeat a man-in-the-middle attack on the current authentication session, because the attacker simply relays the fresh challenge and the genuine response, but it will prevent the attacker from successfully reusing or replaying captured credentials.
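The following is an added example, not code from the original article, of the challenge/response just described: an HMAC keyed with the shared secret proves the token knows it without sending it, a captured response cannot be replayed because each challenge is single-use, and a live relay by a man in the middle still succeeds. The class and function names, the 16-byte challenge, the SHA-256 HMAC and the in-memory stores are assumptions made for the illustration.

```python
"""Added example (not from the original article): HMAC challenge/response
between a possession factor and an authenticator. Demonstrates a correct
login, a rejected replay of a captured (challenge, response) pair, and a
successful live relay, which challenge/response alone cannot prevent.
All names, sizes and the in-memory stores are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import secrets


class Token:
    """The possession factor: holds the shared secret and never reveals it."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # Knowledge of the secret is proved by keying an HMAC with it.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Authenticator:
    """The verifying side: issues single-use challenges and checks responses."""

    def __init__(self) -> None:
        self._secrets = {}       # user -> shared secret (a target in itself)
        self._outstanding = {}   # user -> the one challenge not yet answered

    def enrol(self, user: str) -> Token:
        secret = secrets.token_bytes(32)
        self._secrets[user] = secret
        return Token(secret)

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(16)  # fresh, unpredictable, single-use
        self._outstanding[user] = c
        return c

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        # Only the currently outstanding challenge is acceptable, and it is
        # consumed whether or not the response is right, so a captured
        # response is useless afterwards.
        expected_challenge = self._outstanding.pop(user, None)
        if expected_challenge is None or not hmac.compare_digest(expected_challenge, challenge):
            return False
        expected = hmac.new(self._secrets[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def legitimate_login(auth: Authenticator, user: str, token: Token) -> tuple[bool, bytes, bytes]:
    c = auth.challenge(user)
    r = token.respond(c)
    return auth.verify(user, c, r), c, r


def replay_attempt(auth: Authenticator, user: str, captured_challenge: bytes,
                   captured_response: bytes) -> bool:
    # The attacker sniffed a (challenge, response) pair earlier and submits
    # it again in a new session, which has a different outstanding challenge.
    auth.challenge(user)
    return auth.verify(user, captured_challenge, captured_response)


def relay_attempt(auth: Authenticator, user: str, victim_token: Token) -> bool:
    # Man in the middle on a live session: the attacker obtains the real
    # challenge, passes it to the victim's token (for example through a
    # counterfeit login page) and forwards the genuine response. Nothing is
    # replayed, so the authenticator cannot tell this from a real login.
    c = auth.challenge(user)
    r = victim_token.respond(c)
    return auth.verify(user, c, r)


if __name__ == "__main__":
    auth = Authenticator()
    tok = auth.enrol("alice")
    ok, c, r = legitimate_login(auth, "alice", tok)
    print("legitimate login:", ok)
    print("replay of captured response:", replay_attempt(auth, "alice", c, r))
    print("live relay by a man in the middle:", relay_attempt(auth, "alice", tok))
```

The relay case is the one the text warns about: binding the response to the channel (for example by including the server's identity or a TLS channel binding in the challenge) is what distinguishes phishing-resistant designs from plain challenge/response.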

The secret may simply be a number, large enough to make guessing infeasible, or it may be a private key held by the device, whose corresponding public key is bound to the holder by an X.509 certificate issued by a PKI. In the latter case the authenticator holds only the public key, so there is no shared secret for it to leak.

Many commercial and a few non-commercial solutions are available for providing the possession factor as described in the following sections. The system designer must consider various trade-offs, such as between costs of deployment and support, usability and user acceptance, and hardware and software requirements. Physical tokens may authenticate themselves by electronic means (e.g. over a USB port) or may display a number on a screen, derived from the shared secret, which the user has to type in. In the former case, device drivers may be required, which the system designer may or may not be able to rely on if there is no control over the client device (as in the case of authentication to a public website). A printed list of one-time passwords (such as PPP, described later) is a little different but can still be classed as a possession factor.
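As an added example, not code from the original article, the block below shows how a display-type token derives the number it shows from the shared secret, using the HOTP algorithm of RFC 4226 (HMAC-SHA-1 over a 64-bit counter, dynamic truncation, six decimal digits). The shared secret is the RFC's own test-vector key, so the codes can be checked against the RFC; the button-press token, the verifier's look-ahead window of five counters and the class names are assumptions made for the illustration.

```python
"""Added example (not from the original article): HOTP (RFC 4226) as used
by a token that displays a number the user types in. The verifier keeps
its own counter and accepts a small look-ahead window, because the token's
counter runs ahead whenever the button is pressed without logging in;
the window size and class names are assumptions."""
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 test vectors (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits, per RFC 4226."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class DisplayToken:
    """Token with a button: each press advances the counter and shows a code."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._counter = 0

    def press(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


class Verifier:
    """Server side: same secret, own counter, bounded resynchronisation."""

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self._secret = secret
        self._counter = 0        # next counter value expected from the token
        self._window = window

    def verify(self, typed_code: str) -> bool:
        for c in range(self._counter, self._counter + self._window):
            if hmac.compare_digest(hotp(self._secret, c), typed_code):
                self._counter = c + 1   # this and every earlier code are now dead
                return True
        return False


if __name__ == "__main__":
    token = DisplayToken(RFC4226_SECRET)
    server = Verifier(RFC4226_SECRET)
    first = token.press()
    print("token shows", first, "accepted:", server.verify(first))
    print("same code typed again:", server.verify(first))      # replay rejected
    token.press(); token.press()                               # two unused presses
    fourth = token.press()
    print("token shows", fourth, "accepted:", server.verify(fourth))
```

The look-ahead window is the usual trade-off in such tokens: a larger window tolerates more idle button presses but gives an attacker who is guessing codes more valid targets per attempt, so it should be paired with rate limiting.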
