The paper – penned by David Ryan, a security consultant with Corsaire's security assessment team – says that many methods of online authentication are putting both consumers and business users at risk of a serious security breach.
The problem, says the company, centres around hackers discovering new and innovative ways to bypass standard identification and verification (ID&V) techniques.
One of the more surprising findings revealed by Corsaire's research relates to the perceived improvement offered by multiple authenticators.
According to the firm, whilst the process of authentication typically relies on the submission of a single username and password, multiple authenticators are typically perceived as offering greater security.
However, in the majority of cases, Ryan claims that there are no significant improvements to a system's resilience to attack, even with these multiple authenticators in place.
"Even though the process of authentication is of vital importance when it comes to protecting sensitive data, many of the solutions being implemented in this area are merely providing a false sense of security", he said.
"In many cases, we've seen the use of 'multiple authenticators' as nothing more than a way of satisfying an external requirement, and often as a way of side-stepping real improvements in providing authentication solutions that would actually be strong enough to protect access effectively", he added.
So what is the solution?
The bad news is that, whilst a combination of multiple authenticators may offer greater resilience to attacks like these, they will often require an unacceptable level of complexity for users.
Without this level of complexity, however, Ryan says that an attacker will still be able to identify users of the system – by using someone's email addresses as his/her user name, which is now a common practice – and then mining public data sources to identify personal details, preferences and other pieces of data that may be useful in breaching the security of the system.
In his paper – titled 'Breaking the Bank' – Ryan says there are many options available to application designers and developers regarding the ID&V of users of financial service web applications.
"Clearly, a number of common approaches used within such applications offer very little improvement over the common username and password approach", the paper says.
And, he goes on to say, whilst some combinations offer more resilience to common attacks than others, these typically come with increased complexity for users.
"While multiple secrets do not bring the added benefits of multi-factor authentication, they can, if combined and implemented wisely, add to the overall strength of the ID&V interface by increasing the complexity and likelihood of failure of typical attacks", says the paper.
"However, this addition comes at a cost of increased complexity both to the design of authentication controls and to the user experience", Ryan's paper adds.
"If multi-factor authentication is deemed unnecessary, or cannot be deployed for whatever reason, project teams would be better spent investing effort into ensuring robust authentication policies and controls are in place, and on educating users to select a strong passphrase", the paper concludes.