Passwords are Passé – Not!

Passwords hold the position of favorite tool for user authentication. Passwords are easy to administer, but without the proper controls they are too easily guessed. Sometimes passwords are even found written down in some conspicuous place, like on a Post-it® note next to the monitor or under the keyboard. With stricter laws on the books for the enforcement of data privacy and protection against the inadvertent disclosure of confidential information, companies are scrambling to beef up their authentication practices. One popular response is to supplement passwords with additional security control(s), in what’s called two- or three-factor authentication. The typical authentication factors are something you know (a password, for instance), something you have (a smart card or token, see below), and something you are (your thumbprint or iris scan, for example).

Passwords will not be replaced soon. Several competing technologies, however, are vying for leadership in two-factor authentication. Hardware tokens, popularized by Security Dynamics’ SecurID tokens (now part of RSA), are one alternative. Vendors like Vasco, Rainbow, and Aladdin also sell hardware-based tokens for two-factor authentication.

Two newcomers, Griffin Technology and Ensure Technologies, are entering the authentication game with some new twists. Griffin (www.griffintech.com) is promoting an easy-to-deploy and easy-to-administer token-based authentication system for small to medium businesses. Ensure Technologies (www.ensuretech.com) is combining proximity-based detection (used in physical access security, for example) with employee authentication.

Don’t forget the smart card vendors like Schlumberger and Gemplus, who also have solutions for this space. The use of smart cards for authentication has not caught on in the U.S., and hard-to-use implementations like Visa’s smart card initiative have not exactly helped the cause.

The digital certificate vendors such as Baltimore, Entrust, Verisign, and RSA Keon would also like to see their products used more as a user-based authentication method. However, the challenges in rolling out these solutions, combined with the heavy upfront investment, have limited their effectiveness.

Prime Time for Biometrics?

Interest in biometrics, which is the process of using a person's unique physical characteristics for computer identification, has exploded in the wake of the terrorist attacks. September 11th has probably done more to promote the awareness of biometrics than any other event in the last 10 years. Unfortunately, much of the attention is misguided (although well-intentioned), as biometrics will make for a lousy anti-terrorist solution. The problem is sheer numbers: the orders-of-magnitude difference between the small number of suspected terrorists to be detected and the incredibly vast sea of non-terrorists they are hidden in. Even a tiny false-positive rate, applied to that sea, flags far more innocent people than actual suspects. Bruce Schneier did an excellent analysis shortly after the 11th that calculated that with biometrics you were 1,000 times more likely to detain an innocent, law-abiding citizen than to catch a terrorist.
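The arithmetic behind that conclusion is worth making concrete, since the same base-rate reasoning applies to any screening control that searches a large population for rare targets. The following Python example is added here and is not part of the original article, nor is it Schneier's own calculation: the population size, number of suspects, and the sensor's false-positive and true-positive rates are constructed assumptions chosen only to illustrate the 1,000-to-1 figure the text cites. It computes how many innocent people a screening system is expected to flag for each real target it catches, and what false-positive rate the sensor would need to bring that ratio down to one-to-one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScreeningOutcome:
    """Expected counts from screening a whole population once."""
    innocents_flagged: float   # false positives
    targets_caught: float      # true positives

    @property
    def innocents_per_target(self) -> float:
        """How many innocents are detained for each real target caught."""
        return self.innocents_flagged / self.targets_caught

    @property
    def precision(self) -> float:
        """Fraction of everyone flagged who is actually a target."""
        return self.targets_caught / (self.targets_caught + self.innocents_flagged)


def screening_outcome(population: int, targets: int,
                      false_positive_rate: float,
                      true_positive_rate: float) -> ScreeningOutcome:
    """Expected false and true positives when every member of `population`
    is checked once and `targets` of them are the people being looked for."""
    if not 0 <= targets <= population:
        raise ValueError("targets must lie between 0 and population")
    innocents = population - targets
    return ScreeningOutcome(
        innocents_flagged=innocents * false_positive_rate,
        targets_caught=targets * true_positive_rate,
    )


def required_false_positive_rate(population: int, targets: int,
                                 true_positive_rate: float,
                                 innocents_per_target: float = 1.0) -> float:
    """False-positive rate the sensor would need so that at most
    `innocents_per_target` innocents are flagged per target caught."""
    innocents = population - targets
    return innocents_per_target * targets * true_positive_rate / innocents


if __name__ == "__main__":
    # Constructed scenario (an assumption, not figures from the article):
    # 10 million people screened, 10 genuine suspects among them, a sensor
    # that is right 99% of the time on suspects and wrong 0.1% of the time
    # on everyone else.
    outcome = screening_outcome(10_000_000, 10, 0.001, 0.99)
    print(f"innocents flagged: {outcome.innocents_flagged:,.0f}")
    print(f"targets caught:    {outcome.targets_caught:.1f}")
    print(f"innocents per target caught: {outcome.innocents_per_target:,.0f}")
    print(f"precision of an alarm: {outcome.precision:.4%}")
    needed = required_false_positive_rate(10_000_000, 10, 0.99)
    print(f"false-positive rate needed for 1:1: {needed:.2e}")
```

With these assumed inputs the system flags roughly a thousand innocents for every suspect it catches, and an alarm is correct less than 0.1% of the time; the sensor would need a false-positive rate below one in a million to reach even one innocent per real target. That is the base-rate problem the paragraph describes, and it is why the same sensor can be perfectly reasonable for logging a known employee onto a network (one claimed identity checked against one enrolled template) yet useless for picking rare individuals out of a crowd.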

That’s not to say that the biometrics companies should shelve their marketing plans, for biometrics does have a role to play in more pedestrian applications, such as providing stronger authentication for remote access and for more sensitive applications in finance, health care, and the government.

The Bottom Line

Two factors are better than one (and three are better than two) when it comes to security. But don’t expect the world to move overnight to stronger authentication. Security can be improved with better password management, and not every application needs two-factor authentication or can justify its cost. RCL & Associates recommends that system managers take the following precautions when it comes to protecting password-based systems:

As for the present genre of two-factor solutions, we predict that the winning ones will be the simplest to use and the most ubiquitous. Just think of the possibilities if my Mobil Speedpass also served as my EZ-pass on the Massachusetts Turnpike and could log me in to my corporate network to boot.