An Authentication Mechanism That Cannot Be Bypassed or Tampered

Introduction

In the world of computers and software, security is always a concern for many users, engineers, and designers. So, software designers are keen on a secure design that ensures the highest degree of security, making the data safe in any attack. Defects and errors that occur in any system are typical, but it is noted that most of those errors are caused by defects in the design. In this report, we review one of the significant design flaws through which security violations occurred, which is using an authentication mechanism that cannot be bypassed or tampered with.

Summary of the selected flaws

In the research paper titled Avoiding the Top 10 Software Security Design Flaws that published by the IEEE Computer Society Center for Secure Design, the researchers clarified that the authentication is a verification process designed to prevent an entity from accessing without authentication. Moreover, the researchers explained that authentication techniques contain more than one factor as in "N-factor" and recommended the use of stronger forms of authentication in sensitive processes such as changing the password. Principally, the system must consider the authentication strength before taking any action — the ability to bypass authentication results in unauthorized entities accessing systems that do not require authentication data support. Failure to use authentication methods that fall under a known classification allows unauthorized access to the system as occurs in some user-based IP authentication. Even on devices that are connected to each other, authentication is done with IP addresses that are easy to deceive and are not necessarily associated with a particular user for a long time. Also, the researchers asserted that it is easy to impersonate other users when they rely on easy-to-use authentication codes such as a username. It should not be easy to forge credentials, so the system designer might use time-tested encryption systems like Kerberos instead of constructing a new one. The authentication system must have an interaction lifetime limit to prevent access to other users who do not have authority, as happens on public devices. Substantially, authentication is defined as a process where the security is implemented on a computer system to enhance data security. Implementation of an authentication mechanism ensures that authentication measures cannot be bypassed or tampered. An authentication mechanism seeks to validate the identity of a user accessing a system. Enacting a security mechanism is one of the goals for securing the design structure of a system.  Authentication enhances control to the access of a system by ensuring that only permitted users access the system.

The reason why the selection is important

Authentication has been selected because it is ranked second among the top 10 OWASP (Open Web Application Security Project) (Hydara, Md Sultan, Zulzalil & Admodisastro, 2015). Authentication is also crucial and applicable in all aspects of networking, database, web applications, mobile devices, and other applications like the Internet of Things (IoT). In order to enhance the security system in the computers, the system should consider the strength of the authentication system such that there could be more security control and measure (B. S., 2016). The process takes real security servers that bring a sound system that can be implemented over a network. Information needs to be secured; therefore, authentication help to maintain the security of data. The ability to bypass authentication can result in allowing unauthorized access to the system where the intruder will be affected.

Failure to properly authenticate a system, there can induce vulnerability to the system. Hackers can compromise the system, which can result in Denial of Services, theft of data, or ransomware attacks. In the flawed system, the mechanism for authentication should be useful in its design. The action of authentication can result in the development and creation of a token. The token can be used to authenticate users through verifications. (Novack, 2015). 

Literature review

Biometric authentication is based on the unique characteristics of an individual, which are either physical or behavioral. Physical biometrics include facial recognition, DNA, eye scan (iris, retina), and fingerprints, while behavioral biometrics include voice and signature. The process of biometric authentication consists of measurement, signal processing, pattern matching, and decision making. An example of biometric authentication is Biostar, which is a web-based biometric mechanism. The company uses analysis n sensing the biometric characteristics to create a reference model and for comparison in every trial of authentication. However, its biometric authentication is not 100% accurate (Jiang, 2016).   There is an aspect of also reject, denying authorized personnel access to a system. False acceptance allows one who is not what they claim to be, are the typical errors in biometric authentication. 

Passwords are a widely used authentication method. It requires one to create a key or code that is only known to them, and the website used to access information. Passwords have become quite difficult to monitor as they can be easily compromised. For example, pins or passwords set using one's date of birth or any other ordinary thing can be easily guessed. Hackers can use brute attacks to crack password authentication by the use of computer programs that can run thousands of password combinations in seconds (B. S., 2016). Malicious software can also be used to access accounts unauthorized. 

Password authentication flaws can easily compromise databases. For example, yahoo, an internet dominant, over one million users, suffered a data breach. This compromised names, email addresses, dates of birth, and telephone numbers of its users. A case of password breach also happened to the uber app disclosing driver's licenses of fifteen million uber drivers and some of its users (Stojmenovic, I., Wen, S., Huang, X., & Luan, H. 2016). This can cause significant loses if critical information, such as credit cards, is revealed.

Avoiding security flaws

Software security design flaws can be avoided. Password authentication has a way to secure weakness. First, there should be a stipulated number of login attempts and password resets that a user does. When the maximum number of attempts is reached, the account automatically blocks for a short period, usually ten to fifteen minutes. An IP address can also be prevented when unusual behavior is observed overtime on a website. Password strength also differs depending on the characters used. A mixture of numerals, letters, and symbols can increase password strength, which translates to more safety (Hydara, Md Sultan, Zulzalil & Admodisastro, 2015). Apart from brute-force attacks, dictionary attacks and critical logger attacks are common in password authentication. 

Key logger works when there is malware, a full-blown virus where the user’s keystrokes are recorded. It can be avoided by having a multifactor authentication. It requires not only a password but also a onetime access code by a token to the user’s smartphone. (Stojmenovic, 2016).  A company that has succeeded in avoiding security flaws is Cisco. Cisco has an authenticated system that makes it difficult for unauthorized access, as even a hacker would need to provide a second security factor. Cisco has security measures that can be used to prevent authentication breaches (Hydara, Md Sultan, Zulzalil & Admodisastro, 2015). For example, logging out of a site after use can be a great way to ensure secure databases. If an authenticated location is closed without logging out, an attacker can easily access and tamper with or disclose information. 

Other methods 

Creating stronger passwords can also make it difficult to guess. Elimination of malware and clearing viruses may prevent possible critical loggers from accessing private credentials.

Saving passwords and pins on phones or writing them on papers is a dangerous way of storing information. Phones can be easily accessed. Passwords should be kept on secure devices or memorized to avoid leaking them. Checking user permission is another strategy to prevent authentication attacks. For example, Kaspersky ensures that normal users do not have admin rights to prevent authentication bypass. Kaspersky enforces restrictions with multifactor authentication enhances security (Hydara, Md Sultan, Zulzalil, & Admodisastro, 2015).  For example, if a user’s smartphone is hacked or stolen, the intruder would not have access to the smartphone due to the second layer of authentication. However, multifactor authentication can lead to advance damage or data loss if the access code is accessed mainly where a single sign-on strategy is implemented.

Conclusion

Authentication techniques are ways to secure systems. They are not a guarantee but provide varying degrees of security depending on the authentication method used. Bypassing an authentication mechanism can lead to a data breach, which can cause great loses. Prevention of authentication bypass increases security but does not guarantee. However, users should choose which authentication method to use depending on the convenience and how expensive an authentication method is.

References

• Avoiding the Top 10 Software Security Design Flaws. (2015, December). Retrieved from
• https://ieeecs-media.computer.org/media/technical-activities/CYBSI/docs/Top-10-Flaws.pdf.
• Stojmenovic, I., Wen, S., Huang, X., & Luan, H. (2016). An overview of fog computing and its security issues. Concurrency and Computation: Practice and Experience, 28(10), 2991-3005.
• Jiang, Q., Ma, J., & Wei, F. (2016). On the security of a privacy-aware authentication scheme for distributed mobile cloud computing services. IEEE systems journal, 12(2), 2039-2042.
• Novack, B., Andres, R.J., Birkes, J., Whitescarver, J., Drake, I.A.W., Toretti, G.A., Zeljkovic, I., Wilpon, J., Garay, J.A. and Stent, A.J., AT&T Intellectual Property I LP, (2015). Authentication techniques utilizing a computing device. U.S. Patent 9,021,565.
• Khan, M. F. F., & Sakamura, K. (2017, October). A tamper-resistant digital token-based rights management system. In 2017 International Carnahan Conference on Security Technology (ICCST) (pp. 1-6). IEEE.
• Hydara, I., Md Sultan, A., Zulzalil, H., & Admodisastro, N. (2015). Removing Cross-Site Scripting Vulnerabilities from Web Applications using the OWASP ESAPI Security Guidelines. Indian Journal of Science And Technology, 8(30). doi: 10.17485/ijst/2015/v8i30/87182
• B. S., M. (2016). Security Mechanism for Authentication. International Journal of Engineering And Computer Science. doi: 10.18535/ijecs/v4i10.13