About this sample
About this sample
Words: 1895 |
10 min read
Published: Jun 6, 2019
Words: 1895|Pages: 4|10 min read
With the development of technology, network system plays more and more important role in society. People need social media to keep contract with friends or colleagues, organizations need network to share meeting history. and Company need network to cooperate with third-party. However, each emerging technology always accompany issues. The one of serious issues of data transmission is cybercrime. There has so much sensitive date store on cloudy, and not only user can connect server, but also hackers, which means sensitive data always stay under risk after network born. According to ACSC (Australian cyber security centre) (2017 p15, pp21 - 22) reported that data leak or email malicious captured 27% of total cybercrime. What’s more, the number of special devices’ cybercrime is increasing. So, cybercrime is one of inevitable problems of network. Recently, one of emerging authentication is used in most of website for improve website security ability, which is second factor authentication. However, comparing traditional authentication (single authentication), What role the second factor authentication play in companies? what methods the second factor authentication has? The article will focus on discuss the problem.
According to report of ACSC of multi-factor authentication (protect 2017 p1), it is doubt that, comparing with single authentication, multiple factor authentication can provide better protection on sensitive data. However, with different second factor authentication scheme is used, it may bring different benefits or drawback to user. Generally, there are three benefits are brought mitigate risk of security problem by multi-factor authentication: reduce likelihood, physical device & One-Time credentials and remote certification.
As we know, one of security problems in authentication is that some users tend to set weak password, which can be broke with violent cracking. The second problem of password in authentication is reusing password (USER AUTHENTICATION TRENDS: BLURRED BOUNDARIES AND NEW METHODS 2018 p2). Nowadays, people own different account in different webpage, which is hard to user to remember different password in different account. So, many people like to create same password within different account. Once attacker hack password, they can use the password to access all user’s account (Passwords: Threats and Counter-Measures n.d.). In the case, multiple factor authentication is one of efficiency way to reduce the risk. Comparing with single authentication, multiple authentication is created by system, which mean it shouldn’t have likelihood problem on authentication (protect 2017 pp1).
If the key problem of single authentication is password leak or stolen, multiple factor authentication may be the best way to rid of it. Hacker can use several methods to steal password, but it is hard to theft one-time credentials unless they steal user’s device (protect 2017 pp1 - 2). One of examples is mobile device authentication. When user want to access their account, they not only need account id and password, but also is required to enter one-time pin from SMS. Of course, one of limits of the scheme is users’ population. If users are poor people, and they haven’t mobile device, the scheme not only let system become complex, but also lead to extremely bad user experience. However, there is expected that in the end of 2018, there are over 84% population (6.2 billion) own mobile device in whole world (Radicati 2014), which means mobile device already is a kind of universal device in world, and SMS authentication scheme is implemented.
When multiple factor authentication policy is used within system, there are minimum authentication message is left on device. In my opinion, generally, hackers can steal data from three sources, which are database, data transmission and private device. If first benefit is used to descript how multi-factor authentication against hacker to guess users’ password in database, and second one makes eavesdropping no longer meaningful, the last benefit is used for private device. Even if thief stolen data from local computer history, they still cannot view or access user account because they can’t pass others authentication (protect 2017 p2). Some people may think that employee thief seem quite raw, and it is happened in big company, it isn’t necessary to point out the benefit? If we just need to against virus or worn from internet, why don’t we just use firewall? In fact, it is not true. According to research with HISCO (Karpp 2017 pp2 & 6) that there were 2.2 million thief case in whole word and 68% of cases were happened in small or median companies in past four years. Meanwhile, data thief captures 18% of total employee thief, and 20% of reasons of employee thief cases are due to internet rule (EMPLOYEE THEFT: WHY IT’S ONE OF THE BIGGEST THREATS TO YOUR BUSINESS (AND HOW TO STOP IT) 2017).
As I mention before, not all multi-factor authentication scheme are efficiency to different business system. At follow, characteristics of multi-factor authentication methods will be discussed.
Generally, schemes of multi-factor authentication can be split to 7, which are universal 2nd factor security keys, physical one-time pin tokens, biometrics, smartcards, mobile apps, SMS & email & voice call and software certification (protect 2017 p2).
The method a kind of unsynchronized encryption method. When users apply any assessment, they will be required to click button to send public key to service. Then, server will verify whether the key correct and valid by private key. With the processing, server can verify user’s identity and provide or reject access requirement.
In order to implement the method, there are several requirements for employee and system. First, the system should be used frequently. Otherwise, it is meaningless if system keep long-term private or public key. Second, security key shouldn’t be store on any device for rid of any trace to hacker. Third, system is required send notification to ensure whether users get newest security key when the key is updated. If the point is ignored, authenticated user may cannot access document. Meanwhile, when user device sends security keys, version information should be required as well, which can against user send expired security key. Last but not least, when user lost or missing keys, they should report the situation as soon as possible, because it may lead to companies’ sensitive data leak (Protect 2017 p5).
Comparing with previous method, situation of physical one-time pin key is completely opposite. The method belongs to synchronized encryption theory, which means the key of server use to verify is same as the key in users’ device. Comparing with unsynchronized, the encryption can be creaked easily. For deal with the drawback, the lifecycle of the key is shorter than previous one.
Most of policies of one-time pin token is quite similar with previous one. However, because one-time pin key always is updated in short time, system needn’t inform user device. Otherwise it will be an annoying to update clients’ key within short time. As exchange, system is required to inform key when users require to access their authentication right (Protect 2017 p5).
As we know, every biology own unique characteristics comparing with others. So, why don’t we use the characteristics as second factor authentication? When user want to view or access data in cloudy, server will require user to provide part of characteristics in their body to identity user. Some people think it is ridiculous because it is hard to implement. However, the kind of method already is used in real word. But it is used to detect crime except authentication. According to research, FBI and some countries use biometrics to detect crime (Kabir & Bose 2017).
However, comparing with previous methods, biometrics owns its limitation. One of problems is encryption problem. Even if people characteristics is difference, it need to transfer to digital data. If hacker eavesdropping data transmission, they can receive user’s characteristics data as well. What’s more, because biology’s situation is dynamic, after swimming or growing, parts of body characteristics is difference with before, which may cause server denied users’ application.
For the reason, the policy of the method is different with previous method. User should receive notification when server require authentication. Then, except biometrics, system should provide other verification method when user cannot use the biometric(Protect 2017 p6).
Smartcard belongs to unsynchronized encryption theory. It is device which own algorism and can calculate dynamic private key or password for user. When user want to access account, they need to insert smartcard into their device, which can send dynamic password or private key to server with user application. Server can accept or reject the applications with password or private key.
Due to the mothed use same theory as first scheme, the policies of smart cards is similar with first one. The only one difference is that because smartcard is a device, which means user make lose it in daily life. So, user is required to report it as soon as possible when they lose smartcard (Protect 2017 p7).
Smartcard is a kind of device to calculate out dynamic private key, why don’t we immigrate the function to mobile devices? User isn’t required to buy smartcard anymore and people wouldn’t cannot access their account because they forgot smartcard.
It sounds good, but, in fact, the protection of mobile device is lower than computers. It means attackers can easily hack password or key if they confirmed user’s mobile device.
For the reason, the policy of the method is mobile app only implement on lower value account. Meanwhile, the expired time of dynamic password or keys is shorter than smart card (Protect 2017 p7 - 8).
SMS, email and voice call are kinds of medium to transfer short-term synchronized key to user. When users are enrolling, they will be required to enter above message, which is the address of one-time pin send to, and user need it to access their account.
The advantage of the method is similar with mobile app, which require lowest development cost. However, because of service limitation, user may cannot receive one-time pin, especially oversea. Second, the method cannot provide any encryption, and it can be stolen if hacker eavesdropping SMS, email or voice call. Third, if user use web browse to view message, which may explore to employee thief.
The polices of SMS, email and voice call is same as smartcard (Protect 2017 p8).
Not only mobile app, software is other method to replace position of smartcard. Computer can install a software to store certification. When user want to access their account, software will send certification to service. Once identity successful, server will accept users’ application.
However, because software is installed into system, hacker can compromise users’ device to hack certification. What’s more, if hacker has ability to hack algorism of certification, they can elevate their accessing right for long-term hack ability. For the reason, only low value transaction is suggested to use the method.
It is impossible to update certification in short-term in software, so certification is required to store in Trusted Platform Module or certification store. The other policies is similar with smartcards (Protect 2017 p9).
All in all, because more and more sensitive data is stored in cloudy, and cybercrime number increase, second factor authentication should be implemented in system. However, it is important that isn’t every second factor authentication is suitable to different business case. Designer should pick correct scheme with data value and server configuration.
Browse our vast selection of original essay samples, each expertly formatted and styled
Where do you want us to send this sample?
Be careful. This essay is not unique
This essay was donated by a student and is likely to have been used and submitted before
Download this Sample
Free samples may contain mistakes and not unique parts
Sorry, we could not paraphrase this essay. Our professional writers can rewrite it and get you a unique paper.
Please check your inbox.
We can write you a custom essay that will follow your exact instructions and meet the deadlines. Let's fix your grades together!