A taxonomy of authentication systems

The provocation

So the other day, there was an ad on Reddit for WiKID, software-based two-factor authentication “that doesn’t suck”. So my bastard brain says: there is no way this can be comparable to a smartcard. Let’s find out.

The case

Suppose you run the ICT department of a company. Your employees are sometimes outside your network, but they still have to access your secure intranet site. Or maybe you run a bank. Will SSL with a password be enough security for you?

Of course, this depends on what you require. Maybe SSL with a password is enough for declaring worked hours, but you may want more for controlling multimillion-dollar wafer steppers.

The demands

I think this is a fair list of differentiating attributes of authentication systems. An attribute labelled xa is a weaker form of attribute x: a system that satisfies x also satisfies xa, but not the other way around.

0) An attacker who controls network packets cannot hijack the session or eavesdrop, given a smart user (the minimal baseline IMHO, usually achieved by means of SSL*)
0a) Credentials cannot be intercepted without an intrusion, given a smart user
1) Prevents the user from entering credentials or a single-use session key into an HTML phisher
1a) Prevents the user from entering credentials into an HTML phisher (a single-use session key may still be entered and relayed)
2) A stolen client hard drive does not leak credentials
3) A stolen, running client system cannot leak credentials
4) No malicious authentication after the intrusion has been detected, in case of client intrusion
5) No malicious authentication after the user leaves the client, in case of client intrusion
6) No malicious authentication at all, in case of client intrusion (impossible in general)
6a) No malicious authentication, in case of a light* client intrusion (theoretically possible since Windows Vista, I think)
7) Prevents intruders from getting into the client at all (requires the absence of security holes; intractable)
8) Prevents intruders from getting into the client even in the presence of a stupid user (requires a closed system*)

The suspects

SSL* is assumed for all of them.

  • SMS: 2, 3, 4
  • Password: 0, 2, 3, 4
  • Password + SMS: 0, 1a, 2, 3, 4
  • Iris: 0, (1), 2, 3
  • WiKID: 0, 1a, 2, 3, 4
  • Client certificate: 0, 1, 4
  • Client certificate with password: 0, 1, 2, 3, 4
  • Smartcard-based certificate + PIN: 0, 1, 2, 3, 4, 5
  • e.dentifier2 + PIN + USB (‘sign what you see’): 0, 1, 2, 3, 4, 5, additionally 6 for signing

I am not sure which architectures/implementations 6a applies to.
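The gap between 1a and 1 is the one that decides the verdict below, so here is a toy model of it. This is an added example, not the original post's and not WiKID's actual protocol: the one-time code is a plain RFC 4226 HOTP standing in for any “read a code and type it in” second factor (SMS, WiKID), and the origin-bound authenticator uses an HMAC over the challenge plus the server name the browser is connected to, standing in for the asymmetric signature a TLS client certificate or a ‘sign what you see’ device would produce. The secrets, server names and counters are constructed for the demonstration.

```python
import hashlib
import hmac
import os


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 one-time code: HMAC-SHA1 over the counter, dynamic truncation, 6 digits.
    Stands in for any second factor the user reads off a device and types in."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def origin_bound_response(key: bytes, nonce: bytes, origin: str) -> bytes:
    """Client side of an origin-bound challenge/response (attribute 1).
    The response covers the server name the browser actually connected to, so a
    user sitting on phisher.example cannot be made to answer for bank.example.
    HMAC stands in here for the client-certificate signature (constructed model)."""
    return hmac.new(key, nonce + b"|" + origin.encode(), hashlib.sha256).digest()


class OtpServer:
    """Accepts one-time codes (attribute 1a): nothing reusable is typed into the
    phisher, but a fresh code typed there can be relayed before it is consumed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0  # counter value of the next code we accept

    def login(self, code: str) -> bool:
        ok = hmac.compare_digest(code, hotp(self.secret, self.counter))
        if ok:
            self.counter += 1  # each code is single-use
        return ok


class OriginBoundServer:
    """Accepts challenge responses that are bound to this server's own name."""

    def __init__(self, key: bytes, origin: str):
        self.key = key
        self.origin = origin
        self.outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)  # a challenge may be answered once
        expected = origin_bound_response(self.key, nonce, self.origin)
        return hmac.compare_digest(response, expected)


def relay_otp_phish(secret: bytes) -> bool:
    """Victim reads the code off the token and types it into the phisher's page;
    the phisher forwards it to the real server. Returns True if it gets in."""
    server = OtpServer(secret)
    token_counter = 0  # victim's token is in sync with the server
    code_typed_into_phisher = hotp(secret, token_counter)
    return server.login(code_typed_into_phisher)


def relay_origin_bound_phish(key: bytes) -> bool:
    """Phisher fetches a real challenge and relays the victim's answer.
    The victim's browser is at phisher.example, so the answer is bound to that name."""
    server = OriginBoundServer(key, "bank.example")
    nonce = server.challenge()
    response = origin_bound_response(key, nonce, "phisher.example")
    return server.login(nonce, response)


def legitimate_origin_bound_login(key: bytes) -> bool:
    """Same authenticator, user really at bank.example."""
    server = OriginBoundServer(key, "bank.example")
    nonce = server.challenge()
    return server.login(nonce, origin_bound_response(key, nonce, "bank.example"))


if __name__ == "__main__":
    print("OTP relayed through phisher accepted:", relay_otp_phish(b"constructed-otp-seed"))
    print("Origin-bound response relayed through phisher accepted:", relay_origin_bound_phish(b"constructed-key"))
    print("Origin-bound response from the real site accepted:", legitimate_origin_bound_login(b"constructed-key"))
```

The relayed HOTP is accepted because the code carries no information about where the user typed it; the relayed origin-bound response is rejected because the binding to the server name is part of what is authenticated. That is exactly why the table credits Password + SMS and WiKID with 1a only, while client certificates and the e.dentifier2 get 1. The single-use check (a consumed code or answered challenge is rejected on replay) is what gives these schemes attribute 4 over a plain password, but it does not help against a live relay.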

The fine print

Definitions and assumptions:

  • The attacker can stand outside the building with a sniffer.
  • SSL: SSL with strong enough encryption and a validated server-side certificate.
  • Intrusion: the attacker controls a privileged process during the period in which the user logs in.
  • Light client intrusion: the intruder controls a process with the user’s permissions on the client, but cannot intrude into the relevant session with the server. Disallowing users from installing software (and similar measures) makes more intrusions fall into the ‘light’ category. This could happen when, for instance, Adobe Reader is compromised.
  • Closed system: a client on which it is so hard to install session-invading malware that users wanting to see dancing pigs will give up. An unrooted, bug-free Android device would fall into this category, for instance.
  • When a client is stolen, the attacker does not know any passphrases, and they are not cached in memory either.
  • Remark: 2 can also be achieved using hard-drive encryption.

The verdict

While WiKID is better than a password alone, it is worse than client-side certificates with a PIN, and I wouldn’t call those “two-factor”. But I want to know your opinion. Are there significant criteria or systems missing? Does such a canonical list already exist? Please leave your comment below.
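Since the attribute list is a partial order rather than a score, the verdict can be checked mechanically from the table above. The following is an added example, not part of the original post: it encodes the table as given, credits the weaker form xa to any system that has x, and then asks which systems dominate which. The parenthesised ‘(1)’ for Iris is treated as not credited, since the page marks it as partial, and the e.dentifier2 is credited with 6 even though the page grants it for signing only; both are modelling choices made here.

```python
# Weaker attribute -> the stronger attribute that implies it (from the list of demands).
WEAKER_OF = {"0a": "0", "1a": "1", "6a": "6"}

# Attribute table from the post. Modelling choices: Iris' partial '(1)' is not
# credited; e.dentifier2's 6 (granted for signing only) is credited.
SYSTEMS = {
    "SMS": {"2", "3", "4"},
    "Password": {"0", "2", "3", "4"},
    "Password + SMS": {"0", "1a", "2", "3", "4"},
    "Iris": {"0", "2", "3"},
    "WiKID": {"0", "1a", "2", "3", "4"},
    "Client certificate": {"0", "1", "4"},
    "Client certificate with password": {"0", "1", "2", "3", "4"},
    "Smartcard-based certificate + PIN": {"0", "1", "2", "3", "4", "5"},
    "e.dentifier2 + PIN + USB": {"0", "1", "2", "3", "4", "5", "6"},
}


def closure(attrs: set[str]) -> frozenset[str]:
    """Add every weaker attribute implied by a stronger one the system already has."""
    out = set(attrs)
    for weak, strong in WEAKER_OF.items():
        if strong in out:
            out.add(weak)
    return frozenset(out)


def dominates(a: str, b: str) -> bool:
    """True if a offers everything b offers (possibly more)."""
    return closure(SYSTEMS[a]) >= closure(SYSTEMS[b])


def strictly_dominates(a: str, b: str) -> bool:
    return dominates(a, b) and not dominates(b, a)


def incomparable(a: str, b: str) -> bool:
    """Neither system offers everything the other does: the table cannot rank them."""
    return not dominates(a, b) and not dominates(b, a)


def maximal_systems() -> list[str]:
    """Systems that nothing else in the table strictly dominates."""
    return sorted(
        s for s in SYSTEMS
        if not any(strictly_dominates(o, s) for o in SYSTEMS if o != s)
    )


if __name__ == "__main__":
    print("cert+password > WiKID:", strictly_dominates("Client certificate with password", "WiKID"))
    print("WiKID vs Password + SMS equal:", dominates("WiKID", "Password + SMS") and dominates("Password + SMS", "WiKID"))
    print("Password vs Client certificate incomparable:", incomparable("Password", "Client certificate"))
    print("undominated systems:", maximal_systems())
```

Two things the table shows once it is computed: WiKID and Password + SMS come out identical under these attributes, and a bare client certificate is incomparable with a password (the certificate resists phishing, the password survives a stolen disk), which is the kind of trade-off a single score would hide.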