IAM Pulse Episode 2: Out of Band Authentication, What is it and Why is it Essential?
What is Out of Band Authentication (OOB)? Is it different from MFA, and why is it essential? In this episode of IAM Pulse, we discuss what Out of Band Authentication is, which authentication methods are available to implement it and the pros and cons of them. How can your organization implement OOB Authentication properly? Listen to this episode and hear more.
Transcript:
Hello everyone, welcome to another episode of IAM Pulse, a podcast dedicated to discussing Identity and Access Management topics brought to you by BIO-key International. Today, we’re talking about out-of-band authentication, which authentication methods are available to implement it, and the pros and cons of each of them.
On the panel today we have three members of the BIO-key team, Kim Johnson, VP of Product Marketing, Christopher Perry, Sr. Technical Support Engineer, and Kevin Wiser, our Solutions Architect.
Let’s switch over to our panel and see what they’re talking about.
Kim Johnson
So let's start with the first one. So what are the top things, in band versus out of band, or OOB? What is it, and is it different than multi-factor authentication? So let's start there. Christopher, I will point that to you first, to kind of address that first question. What is it, and is it different than MFA?
Christopher Perry
Sure. So again, anybody, Kim, Kevin, feel free to chip in as I'm speaking, but I'm just going to start with the easy part of that question, which is what is MFA, multi-factor authentication. The easiest way to explain it is kind of like what you're already familiar with, right, 2FA being essentially MFA with two factors: something that you have and something that you know. And the something you know is usually your username and password. That's considered just a single factor. And then something that you have is another, you know, a token, a one-time passcode or a biometric, something of that nature. Out-of-band authentication is kind of an extension to that. It's actually in reference to the something-that-you-have portion of multi-factor, essentially looking at using a separate communication channel to prove that something that you have is actually something that you, the intended user, possess. For example, in some scenarios, and this can get very particular, you might have a token on the laptop that you're also using to authenticate. And if that is just
Kevin Wiser
Tied to the web browser that you're using, that's not really adequate proof that you actually have that token, because that's something that can be easily manipulated and, you know, fraudulently captured by a man-in-the-middle attack, essentially. So that's the real difference: out of band is in reference to the authentication type being used, whereas multi-factor authentication is an overall sequence with two different factors.
Kim Johnson
That's great. And I remember actually when, you know, MFA, I won't date it, but back in the day, when MFA was coming out and being regulated, a lot of the financial institutions, if you remember, did password and then knowledge-based questions, right? So they would ask you two things that basically you're knowing or aware of. And so when you looked at that, the regulation all of a sudden went, wait a minute, it wasn't strict enough. It wasn't precise enough. It came back out and said, no, it actually truly has to be the other types of factors, right: something you know, or something you are, or something that you have. And so I remember a lot of these progressions that we've made throughout the years to get to where we are today, and now out of band has really been deemed a term and is really used to describe that it has to be through a different channel or a different method altogether to be that secure, like you said, so that it can't get interrupted or have a man in the middle. Kevin, anything to add there too?
Kevin Wiser
Yeah. It's kind of interesting, you know, out of band is kind of a tricky concept, I think, for some people to grasp. I mean, it's tricky for me to grasp sometimes, because it's like, well, you know, typically the argument is like, well, if it uses a different communication channel. And it's like, okay, well, what if I have, you know, we're going to talk a little bit about PKI cards, or a CAC or PIV card, PKI, public key infrastructure cards, where there's a cert on them. If I'm using a separate secure layer to talk to a server somewhere, am I out of band? And most people would say, well, yeah, technically that is out of band. And then a lot of people stick to the, but don't I have to have a completely different, like I'm out of the band of communication, you know, or frequency of my normal connection or my normal authentication string.
Kevin Wiser
And it's like, yeah, that also technically works as well. Those are both kind of technically correct answers. So generally, what you're looking for here is, do I have some type of communication or some type of assertion that's being made outside of the normal username and password workflow? So that's an important kind of distinction to understand and make there. And it's kind of the easiest way to make sure that you're grabbing all-encompassing there. That's why, you know, I was surprised that nobody said push tokens in the poll, because that is ideal, because I'm getting a push from a server somewhere to a separate device, usually on a separate network, like a cell network, right? And then I'm answering that back actively to a server somewhere else. Like that is, I mean, without question, you know, that's very out of band, right? That entire process involves out of band. So yeah, you know, it's just important to keep your head in the game insofar as identifying, like, okay, is there kind of a separate communication channel involved here in some form or another? And if yes, then I'm out of band.
Kim Johnson
No, that makes a ton of sense. And so when you're saying communication channel, remind me, so these are servers that you're going to need to have, or different. It's just a different method altogether in terms of the communication. So I think push token, right? We think phone-based, or we think it's going to some kind of mobile app. Would it be out of band if you have the mobile app receiving the, let's say, push token, but you're trying to get on to something that's on your phone?
Kevin Wiser
It's a really good question. So yes, technically yes, depending on how the app I want to access is configured. So like if I have a username and password there and I'm submitting it, and that generates to me a push in another app, right, as long as there's a secure communication between the push, you know, whatever app or service is creating that push authentication. Let's use Duo push as an example, because they're fairly common. You know, as long as I'm communicating separately across a channel, and the Duo app is communicating with a Duo server, you know, securely on its own, then technically yes, that should be out of band, because there's a separate kind of communication layer going on, even if it's all traversing the same network layer, if that makes any sense whatsoever.
Kim Johnson
Yeah, no, it does, to me. And audience, please use that question panel if you have any questions about that scenario, or, you know, these are kind of nuanced things, right? Where I think industry terms we get out there are confusing, right? We're good at acronyms, we're good at labeling things. And I think now you have a multitude of terms: you have MFA, two factor, you have out of band, in band, right, push, right. So it's a little bit challenging. And actually, by the poll question, I'm not super surprised, because hardware tokens, I would say, are very tactile things that you can touch, see and feel, and are very by themselves, right. There's no soft barriers, I would say, to say, is that factor truly out of band or not. You know, if you have an RSA hardware token or YubiKey or something like that, you're going to see that that truly is its own individual device, which I think sometimes gets confused with: an out of band has to be a separate device altogether, which isn't necessarily the case.
Kevin Wiser
Correct. Yep.
Kim Johnson
So why is this important? Right. And I think, Christopher, you touched upon it a little bit in terms of the attack vector. So can you talk a little bit more, or just remind us what you said, was it man in the middle, was that the primary attack that you see?
Christopher Perry
The one that always comes up the most. With this out-of-band authentication, it's a way to mitigate those as a viable attack vector, because they are, I don't want to say the most common, but highly common attack vectors for authentication scenarios, especially where 2FA is enabled. I'll kind of leave it there.
Kim Johnson
Yeah. And they're just interrupting, right? They're getting in between the communication channel, like we said, to be able to give that factor or pass that credential through. Is that correct?
Christopher Perry
Basically like an interception. So you're passing along your username and password, and they're saying, oh great, now I have your username and password. So without multi-factor, right, the old standby is, hey, I'm in the middle of the intercept of my credentials. Now they have them, they've just compromised, you know, my entire system or anything that uses that password. With multi-factor, especially out of band, it's like, yeah, you might've intercepted that one credential, but you're still not gaining access, because you don't have access to the second one, because that single channel that you've compromised doesn't account for this out-of-band MFA. And that touches on what Kevin was saying with the Duo example. You might, even with a hardware token, right, you might input the six digits into your form to provide the two factor, but that's one part of the validation. With Duo, for example, they take the validation on their end and then communicate it to, using PortalGuard as an example, the PortalGuard server for that final authorization portion.
Christopher Perry
And then the front end just says, oh yeah, great, you've authenticated through your push token, but that's completely outside of the communication channel that just passed the credentials. So even if somebody managed to compromise that and steal that password, they're not actually compromising your account, because they can't get that second factor. Absolutely. Right. I mean, if I could for a second, Kim, I don't know if everybody would understand what that looks like practically in the real world, but a real common thing you'll see in the news in the last couple of years is what hackers, or really just kind of social engineers, bad guys, are doing. If I have SMS, let's say, or SMS authentication, and I was using that for out-of-band, what typically happens is I go to log in to a website, and then there's an automatic generation, preregistered my phone and my phone number to this website, like a banking website.
Christopher Perry
And what happens is, once I enter my username and password, it sends a notification to my phone, an SMS technically, right, an actual text message, with typically an OTP, one-time passcode, one of those like nine-digit numbers. So the way that this attack normally works is somebody has somehow stolen my username and password, and then they call up my cell phone provider, and, you know, those aren't usually really hard to find, because depending on social media, there's lots of ways to find out what somebody's phone is. So then I call
Kevin Wiser
The phone carrier, and I tell them, oh, I lost my phone or whatever, I need to switch it to this other one. And this happens on a fairly consistent basis. And its wildness is, you're saying like, well, maybe we should back off on SMS, you know, in general. What they do is they get the phone number swapped to their phone, and then they can insert, you know, a SIM in. Basically what they do is they use my username and password, they get their phone transferred, and this all sounds complicated, but it's actually fairly easy to do with social engineering. You just have to kind of schmooze the person at the carrier enough to get them to switch over the phone line. Right. Once they do that, now the SMS comes to their phone.
Kevin Wiser
And they could punch in that SMS, and now they can access whatever that site was. So that's kind of the rub there. Something like a push notification is a little bit different, in that those are tied to the hardware. Usually they're tied to the device itself, like, you know, unique information that's built into the device, what they call the NAI codes or whatever. I forget. I'm not a cell phone guy anymore, really. But, you know, that's tied to something unique to that device, not just to the phone number, which is transferable. So there's kind of a key differentiator. That kind of actually walks into the next question, I apologize, but that's kind of how those attacks typically work.
Kim Johnson
No, that's perfect. And as I say, I think you're segueing right into that: are the out-of-band authentication methods created equal? So, you know, for all of the customers on the line, we support 15-plus authentication methods. Some of them you've heard: we integrate with Duo, we can do Google Authenticator, we can support SMS, email, biometrics. But are they created equal? Right. And I think, Kevin, I'll keep it on you, because you're going down that path. Are they created equal? And what did we see from kind of the NIST guidelines that, I think it was 2016 even, it's been quite a few years since they came out with those guidelines.
Kevin Wiser
Right. So really what they're looking for is, again, kind of that separate, secure channel working in one way or another. And again, I want to emphasize, that channel doesn't necessarily have to be a completely different network layer. That's not necessarily what we're talking about, right? So it doesn't necessarily need to be communicating over the cell phone network versus my hardwired LAN at work, right? It could be on that same network layer, but as long as it has a completely different communication channel to authenticate. So an example of that: BIO-key makes a product that integrates with PortalGuard called WEB-key. And when we utilize WEB-key, we're centralizing a user's biometric information, specifically their fingerprint information, and their fingerprint biometric information is stored on a server somewhere and has a communication that is out of band from the normal authentication factor that comes into our app and our software, the target machine,
Christopher Perry
Right? The target device you're trying to sign in on. And so when you go to authenticate, you're not authenticating directly to Active Directory. You're actually technically authenticating to a WEB-key server, and the WEB-key server is matching your biometrics and authenticating you and saying, yes, we verify that that is in fact you that's trying to sign in, and then passing that back down and then doing a handoff past that. So that communication happened separate from my normal authentication. And that's kind of what makes it out of band, right? Because I had a separate communication layer that was occurring elsewhere with a different server, with, you know, different security measures, rather than directly all through, let's just say, Active Directory.
Kim Johnson
No, that makes sense. And we did get a question from Austin. It looks like: so what about URL spoofing protection? Some password managers detect this and protect you as well. So, either Kevin or Christopher, any information on kind of URL spoofing that you've seen, and ways to combat that?
Christopher Perry
I would hand that off to Christopher, who probably has more familiarity with PortalGuard than I do. No, actually, I'll be honest, that hasn't really come up that much. But in the concept of what we're kind of talking about with the out-of-band authentication, it's definitely worth considering, because a lot of the URL spoofing, right, and again, unless I'm misunderstanding Austin's question here, you see it a lot with email spam, right? Where you get a form that looks perfectly like a Microsoft form that said, hey, your Office 365 account is expired, I need you to click here to reset it. You click the link, and it even comes up with, you know, hey, reset.microsoft.com, and then maybe somewhere in the URL format, a query string, you might see something that's a little hinky, but for the average user, it looks like you're at the right spot and the page looks right. There's a form that asks me for my current credentials so I can exchange it. And, you know, as far as we're concerned, that looks like the right spot, or the URL has been masked to look like the right one, so I type in my credentials, and then I've just failed. Essentially I've just handed away the keys to the kingdom. So again, Austin, feel free to clarify if I'm overextending here. Okay.
Kim Johnson
Yep. No, the clarification was email or message or mistyped site links. And so this is, you know, a very common thing that we're seeing now, I would say, with phishing attacks or other attacks that people are doing: hey, visit this site, right, it's like UPS but with dots in between some of the letters, right. I've seen some very good ones, to say the least. But at least in the experience that I've had, that's where the MFA comes in, right, or these out-of-band methods. At least to say, hey, the URL you're visiting, if they do try to get a login and they do try to get some kind of information, if let's say they are able to get the password, which we've seen in recent attacks, the solar ones, not to mention password guessing is very possible, having those extra factors, especially the biometrics, to say the individual is being identified, versus a device, because even Kevin just proved you can get the device information changed, is really important, and to consider what you're allowing people to use for MFA. So, Allison, I hope that answers your question. And I think it was also just a really good point versus a question as well, that one of the most common attacks we're seeing are these fraudulent links, as they call them, or these spoofed URLs, to use people and to trick people to get into them. So,
Kevin Wiser
Yeah. And I would just add one quick thing here as well. I mean, typically SSL in general, the SSL certs, secure socket layer certs, help with that problem a lot, right? Because you get that notification on all the modern browsers anyway, when you try to go to them, that says, wait a minute, the cert doesn't match, or the cert doesn't exist for this site that you're trying to access. And that usually, unless your user is just like, no, no, no, I'm just going to click through and keep doing what I want to do, that usually interrupts most of the time. I don't want to speak unequivocally, but most of the time it can interrupt and stop those attacks. So generally, just a good hygiene thing in general is to make sure that your users, that your systems, have SSL enabled, you know, something along those lines anyway. If you want to use a different technology, that's okay as well, but generally SSL should be used across the board as much as possible. Especially if it's internet facing at all, it should be SSL and HTTPS.
Kim Johnson
Right? Yep. Oh man, my certificate authority days, those were always fun, to create the certificates, I can tell you. No, that's a whole subject in and of itself. But yeah, I think we've seen common attacks. Some of them, you know, are just going to download malware onto the system, and that is probably, in and of itself, a problem. But like I said, I think the big thing here, to the authentication piece, is even if they are able to get the credential that's on the machine or something like that, if you have this out-of-band method, then it's going to be much harder to gain access to the systems that they're potentially trying to hack into. So, great question, Austin, and a good conversation sparker, so much appreciated for the question. So in terms of the out-of-band authentication methods being created equal, you know, I think we highlighted the NIST component of this, that the delivered OTP, which really has become, especially with the FIDO Alliance and some of these standards that are coming out, has just really been harped on, right,
Kim Johnson
To be the method of choice. And I think that there's a lot more to consider when you're looking at what's available to you, what, you know, PortalGuard can obviously support. And so one of those is the biometric capability. So I wanted to touch upon that. You know, one of the things we have is that it positively identifies not the device, but it's positively identifying who is gaining access, which I think is very critical. And going to kind of that third question, which probably would be more for you, Kevin, and I can touch upon it too, but there's this perception when we say biometrics, I've heard multiple things, right, and Christopher, you've probably heard these too, like, well, I don't know where I'm going to use it, right, or it's super expensive, or it's really for these highly regulated industries. And there are now predictions out there, even from Gartner, saying that for a lot of authentication, actually the most secure and convenient method is biometrics. So, you know, let's talk to that a little bit, I guess. Kevin, let's start with you, in terms of, you know, is it really just for these highly regulated industries, or are we seeing it come across and be kind of proliferated across other use cases?
Kevin Wiser
No, it is definitely not just for highly regulated industries. I mean, biometrics is, depending on the underlying infrastructure and underpinning technologies, biometrics is probably the best, or one of the best, ways to accomplish out-of-band MFA. It's very secure, users can't, well, it's very secure depending on, again, the underlying technologies. But it's not something that could be easily lost. You know, it's something that potentially, end device readers can be had for as little as, and even at volume, even cheaper, but as little as, you know, 30 and 40 bucks for a reader that you can use on technically every device that you own, because they're all plug and play, or, you know, depending on. So, you know, potentially that is, and again, at volume, if I'm buying 10,000 of them or something, those can be had at much lower prices because of the volume pricing.
Kevin Wiser
But so, you know, a lot of the assumed barriers to biometrics are not really barriers. They're more perceived barriers, or a lack of understanding of availability and how they can be leveraged, like ours. You know, our technology, we have something like 14 different patents that we own and operate with regards to biometrics. Our CTO, mural acoustic, owns 14 of those personally, and she's brilliant. But biometrics are, and that doesn't necessarily have to be fingerprint. We focus a lot on fingerprint, because that's kind of what we've built our name and our brand on. But, you know, voiceprint analysis, you know, even facial is getting better, although I'm still not a big fan of facial, personally, for reasons. But, you know, palm is getting really good, and it's very unique, and that's where you literally scan a user's palm and you can look at the individual lines, that kind of thing, in the layout of their veins.
Kevin Wiser
And there's actually, if you look, you can actually see you do have somewhat like fingerprint lines on your palm itself. Those can be read by a camera device or a scanner. And, you know, there's a couple of different ways to do biometrics, but they're very, very secure. They tend to be very, very unique, even more unique than, you know, something like a UTF token or something. And everybody has one, right? So, I mean, you know, there's even an argument that occasionally comes up, like, well, okay, so if you work around heavy tools or objects or caustic chemicals, that could actually, or age even, can wear down your fingerprints eventually to a point where they get hard to read. That's where having a provider that can provide you with a couple of different methods can really be, you know, a standout. Like, you know, we can support you through both voiceprint and fingerprint right now, and coming later this year,
Kevin Wiser
The goal is by the end of the year to have facial and palm as well. So, you know, I mean, those are still in the Crock-Pot, so to speak. We're working on those right now, but, you know, we've already got two biometric methods that are completely separate, that are ready to go today. And we'll have a total of at least four by the end of the year. But having a provider that can provide you with a couple of different options and technologies that can be used by all your different users across all their bases becomes really, really clutch. And I just want to emphasize again, it's not just for the medical industry or healthcare. It's not just for financial. It's potentially for anybody, you know, anybody that needs to access secure information.
Kevin Wiser
And I would argue all of your users need to access secure information in one way or another. If they're accessing a computer system and it's behind a username and password, you have to ask yourself, well, why is it behind a username and password to begin with? It's because that information needs to be secure for one reason or another, right? So there's no such thing as a non-critical user. Even the person accessing, you know, a timecard system or something, you know, do you want them to be able to hand their username and password off to another user and be able to log in and register that, you know, they arrived at a certain time or left at a certain time, you know, because somebody else did it for them? I would assume the answer's no, because most people wouldn't want that, or most admins. So all of those users are accessing some system with some critical nature, and they need to be secure.
Kim Johnson
No, that's a great point, I think, in the world we're in today. And we still talk to customers that are just doing username and password for authentication. And so it's, you're securing it, it needs to be secured. And now we just kind of know, you know, with the recent attacks, and even years of it, you know, passwords aren't enough, as the canned phrase goes. So yeah, in terms of biometrics too, the one quick point I'll make on that also is that there are biometrics that are device-based biometrics, right, that are essentially, we're getting more familiar with those. But then there's the really true, they call it true biometric MFA, which is server-based, and that's what the BIO-key solution is. And that's what we really consider, you know, the industry standard is going to be. So a lot of people have concerns with fingerprints being stolen or all these other things.
Kim Johnson
They're thinking that Touch ID, right, is like true biometric. And so it is something to be careful of, what biometrics are being offered, and that it's not just, again, these device-centric kind of methods that are only identifying the device. So Christopher, you're really in the trenches, I would say, day in, day out, of helping people set up out-of-band authentication or setting up multi-factor. So, you know, level of effort and kind of difficulty, is this possible, and kind of any type of tidbits or tips that you have for people that are maybe sitting there thinking this is a big challenge to overcome, but it may not be?
Christopher Perry
Sure. And I don't want to stomp on any toes, but in answering that question, one of the things I want to just be abundantly clear about is we've talked a lot about biometrics, but that's by no means the only true out-of-band method that you can take advantage of. So if you're still in that boat where you're thinking, well, great, I want a really secure MFA option using out of band, but I don't want biometrics, there are still options. So you definitely do not have to, you know, lose hope there. But it really comes down to taking a good look at what options you have and implementing these things with the right provider. I can only speak to my experience with implementation with PortalGuard. But even though we offer, you know, 15, 16, 18 different methods, depending on what's available to you, choosing the right one for you doesn't need to be all that complicated.
Christopher Perry
And that's the hardest decision when it comes to implementation, as long as you know what you're getting into. Say, if you want to dive into biometrics, or if you'd rather use a mobile authenticator because you still like the idea of using the phone but want to use the more secure approach, those can all be very straightforward to set up with something like PortalGuard. You get the right engineer, myself or somebody on our team here, to assist you, and it's really point A to point B. The biggest bit of advice is really just to, you know, not bite off more than you can chew, which I know we said during the last one a lot, but it is still the biggest piece that you can keep in mind, because what a lot of people will do is say, oh yeah, I know I want Google Authenticator, that's the one I'm going to implement. And then they try to turn that on for 1200 users, and things can go awry real quickly, because they didn't consider two very minor things that have an impact on, you know, half the users. So that's the biggest piece of advice that I can give from the trenches: just stop and think.
Conclusion to the Episode
Thanks Kim, Kevin, and Christopher for more information about what out-of-band authentication is and the options you have around authentication methods to achieve it. Again, I want to highlight that among all the authentication methods, biometrics is the one option that many organizations overlook, but it provides the highest level of security and convenience. Along with biometrics, there are many more authentication methods to choose from that BIO-key offers, because remember: one method does not fit all.
Anyways, that wraps up today’s episode of IAM Pulse. Thank you for listening to the show. If you want to see where out-of-band authentication can be part of your MFA strategy, go to our website: www.bio-key.com. Join us next time to learn more about IAM and how to secure identity the way you want. Talk to you soon.