Thursday, March 13, 2008

MultiFactor SecureAuth Mitigates "Account Lockout Attacks" by Garret Grajek, CISSP

A recurring theme in discussions is how to address not only phishing and identity theft, but also "Account Lockout" attacks.

In short, this is the issue of malicious users or processes intentionally attempting false logons with invalid passwords in order to lock out legitimate users.

(The topic is covered in depth in Michael Coates' blog post titled "Distributed Account Lockout Attack":

"The old attack would involve a single user who wanted to lockout another individual or group of individuals by entering multiple unsuccessful passwords. The goal isn’t to guess the password, but to lock the account by sending multiple unsuccessful login attempts. Now, if this user was particularly malicious he could try to enumerate all of the usernames for an online system and then use a script to lock out all of the users.")

This attack is certainly a problem for authentication sites that use standard username/password authentication with a "failed logon attempts" lockout mechanism. The MultiFactor SecureAuth product addresses this type of attack.

In a scenario where the SecureAuth solution is deployed, neither the legitimate user nor an attacker is even prompted for the password unless two conditions are met:

a) The browser presents a set of non-phishable, non-exportable SecureAuth browser credentials (Image #1).

(Image #1)

b) The user has first registered that browser through a secure out-of-band method (Image #2 and Image #3):

- Telephony (Cell Phone or Land) One-Time-Password (OTP)

- SMS Text Message OTP

- E-mail OTP

(Image #2)

(Image #3)

In effect, only a user who has established a reasonable degree of "credibility" is even allowed to enter a password (e.g., by being in possession of the user's cell phone or land line, or by having access to a non-exportable key on the user's browser). Neither a hacker nor an automated bot would meet these criteria.

Thus, by deploying SecureAuth, an enterprise takes a large step toward mitigating the "Account Lockout Attack".
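As an added illustration (not MultiFactor's code), the following toy Python service models the flow described above: the password prompt, and with it the per-account failed-attempt counter, is only reachable from a browser whose credential was registered through an out-of-band OTP, so bad passwords from an unregistered client never count toward lockout. All class and method names, the lockout threshold and the in-process "delivery" of the OTP are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

LOCKOUT_THRESHOLD = 5   # failed password attempts before the account locks (assumed value)


class GatedAuth:
    """Hypothetical login service: the password check, and therefore the
    per-account failure counter, is reachable only from a registered browser."""

    def __init__(self):
        self.users = {}        # username -> {"salt", "pw", "browsers": set(), "failures"}
        self.pending_otp = {}  # (username, browser_id) -> OTP awaiting confirmation

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        pw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = {"salt": salt, "pw": pw, "browsers": set(), "failures": 0}

    def start_registration(self, username, browser_id):
        """Issue a one-time code. A real deployment delivers it by phone, SMS or
        e-mail; here it is returned so the demo runs offline (constructed stand-in)."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending_otp[(username, browser_id)] = otp
        return otp

    def finish_registration(self, username, browser_id, otp):
        """Bind the browser to the account only if the out-of-band OTP matches."""
        expected = self.pending_otp.pop((username, browser_id), None)
        if expected is None or not hmac.compare_digest(expected, otp):
            return None
        token = secrets.token_hex(16)  # held by the browser; stands in for the non-exportable key
        self.users[username]["browsers"].add(token)
        return token

    def login(self, username, browser_token, password):
        user = self.users.get(username)
        if user is None:
            return "unknown-user"
        if browser_token not in user["browsers"]:
            # Unregistered client: no password prompt, counter untouched,
            # so a flood of bad passwords cannot lock the account.
            return "browser-not-registered"
        if user["failures"] >= LOCKOUT_THRESHOLD:
            return "locked"
        attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
        if not hmac.compare_digest(attempt, user["pw"]):
            user["failures"] += 1
            return "bad-password"
        user["failures"] = 0
        return "ok"
```

Note that a registered browser can still drive the counter to the threshold, so the gate narrows who can trigger lockout rather than removing the lockout policy itself.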

We encourage all security analysts and security professionals to run the demo on our public site:

Garret Grajek is the president and co-founder of MultiFactor Corporation. He is a certified security engineer who has deployed hundreds of security solutions while working for RSA, IBM, Cisco and others.


Copyright 2008. MultiFactor Corporation. All Rights Reserved.