Blog posts tagged in Authentication

The recent massive distributed denial of service (DDoS) attack on 21st October 2016 affected numerous cloud service providers (Amazon, Twitter, GitHub, Netflix, etc.). It is interesting to note that this attack leveraged hundreds of thousands of internet connected consumer devices (aka IOT devices) which were infected with malware called Mirai. Who would have suspected that the attackers involved were essentially consumer devices such as cameras and DVRs?

A Chinese electronics component manufacturer (Hangzhou Xiongmai Technology) admitted that its hacked products were behind the attack (reference: ComputerWorld). Our observation is that the security vulnerabilities involving weak default passwords in vendor’s products were partly to blame. These vulnerable devices were first infected with Mirai botnet and subsequently these Mirai infected devices launched an assault to disrupt access to popular websites by flooding Dyn, a DNS service provider, with an overwhelming amount of internet traffic. Mirai botnet is capable of launching multiple types of DDoS attacks, including TCP SYN-flooding, UDP flooding, DNS attack, etc. Dyn mentioned in a statement – “we observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack” – such is the sheer volume of the attack by leveraging millions of existing IOT devices out there.

Subsequently Xiongmai shared that it had already patched the flaws in its products in September 2015, which ensures that the customers have to change the default username and password when used for the first time. However, products running older versions of the firmware are still vulnerable.

This attack reveals several fundamental problems with IOT devices in the way things stand today:

  • Default username and passwords
  • Easily hackable customer-chosen easy-to-remember (read as “weak”) passwords
  • Challenges with over-the-air (OTA) updates etc.

The first two problems are age old issues and it is surprising to see these come up with newer technologies involving IOT devices as well. Vendors have still not moved away from these traditional techniques of default username and passwords, nor have customers adopted strong passwords. Probably it is time, we simply accept the latter will not happen and remove the onus from customer having to set strong passwords (it is just not going to happen!).

One-time passwords (OTP) can be quite helpful here. One-time password, as the name suggests, is a password that is valid for only one login session. It is a system generated password which is essentially not vulnerable to replay attacks. There are two relevant standards for OTP – HOTP [HMAC-based One-Time Password] and TOTP [Time-based One-Time Password]. Both standards require a shared secret between the device and authentication system along with a moving factor, which is either counter-based (HOTP) or time-based (TOTP).

GS Lab’s OTP-based device authentication system presents a novel approach which helps address the challenges faced by IOT device manufacturers today. It provides unstructured device registry which is flexible enough to include information on various types of devices and an authentication sub-system which caters to authenticating IOT devices tracked in the device registry via OTP. The authentication sub-system is built on top of existing OTP standards (HOTP and TOTP) and helps alleviate the need for static (presumably weak) passwords in IOT devices. It provides support for MQTT and REST protocols which are quite prevalent in the IOT space. More support for additional protocols (like CoAP, etc.) is already planned and in the works. OTP-based device authentication system is built on top of our open source OTP Manager library.

Here are some of the advantages of using GS Lab’s OTP-based device authentication system:

  • Strong passwords – system generated based on shared secret key
  • Not vulnerable to replay attacks – passwords are for one-time use only
  • Freedom from static user-defined passwords
  • Standards based solution – HOTP and TOTP standards
  • Relevant for resource constrained devices – crypto algorithms used by HOTP and TOTP standards work with devices with limited CPU, memory capabilities.
  • Ability to identify malicious devices – rogue devices can be identified using HOTP counter value
  • Provides device registry for simplified management



Last modified on
Hits: 485
Rate this blog entry:

Posted by on in Technology


There has been much discussion around various authentication methods, which range from username-password to leveraging OTPs, hardware tokens or biometrics, to client certificates etc. Each of these methods provide varying level of confidence in the overall authentication process. This makes one wonder which authentication method is best for a particular organization’s needs. The fundamental question is - is there is any one ‘silver bullet’ authentication method? The answer is ‘no’. You may need to decide which one to use depending on the environment and context.

Understanding the need

As an example – let’s compare an employee who is logged on to your corporate intranet (probably using AD domain authentication), requesting access to an intranet application, with someone from outside. In the latter case, you would want to request for stronger authentication to ascertain the identity of the person. Here you may choose to ask for OTP in the authentication process as an additional factor. This is a good example of leveraging context to determine the type of authentication required.

Let us consider another scenario where someone is trying to access a privileged application outside of business hours or from an unknown IP address. In such a case, again you would want to request stronger authentication depending on the nature of the privileged application.

Understanding the authentication context

Context is essentially the surrounding detail about the environment, which can be determined passively (i.e. without need for user intervention). Some typical examples of context include:

  • Location context - Using geo-location to determine where the user is logging in from.
  • Known machine - Has the user logged in using this machine before? This is typically done by computing something known as a device fingerprint and tracking it.
  • Time of the day - Is the user logging in at an odd time of the day or night, which does not match with the users' typical login patterns?
  • IP address – Has the user logged in from the same IP address before?

If we look at the above pieces of information which form the context, then we realize that leveraging context-aware authentication essentially means ‘compare the current context with what is considered normal for that user’. Thus, we have to first establish what can be considered normal behaviour for any given user. This is where analytics come in to play. Using intelligent analytics, we can identify typical normal patterns for users and this system keeps on learning newer patterns or registers outliers. Based on these learnings, it can request for step-up authentication whenever required.

How does this work?

The solution closely follows and tracks user activity to determine normal patterns (using analytics). For every new authentication attempt, the system compares the authentication context with what is considered normal for given user. It identifies the variance from the normal level, and translates that variance to a risk score. Depending on the risk score identifies, it determines the need for step-up authentication along with the type of step-up required.

For example – a user’s typical pattern is to login from North America during business hours. Now this user tries to login from Asia Pacific region from a known machine, then she/he will be prompted for OTP as well. If this user tried to login from Asia Pacific region from an unknown machine, then she/he could be prompted for biometric authentication as well.

How does this help?

The end user is not prompted for strong authentication unless there is an explicit need for it. This helps provide a better user experience while doing the delicate balancing act of providing strong authentication whenever required. Best of both worlds!

Last modified on
Hits: 1171
Rate this blog entry:
Very low screen size go to mobile site instead

Click Here