Authentication: The Next Frontier
Authentication is the process of verifying someone's identity. (Not to be confused with authorization the process of verifying what a user is allowed to do). Although these terms have been used interchangeably there are slight differences.
Authentication has been a process that has challenged IT professionals for decades. Passwords have always been the de facto standard when authenticating users to almost any environment. Passwords are used to keep our systems safe and on many occasions are the only control standing between unauthorized access and access to highly sensitive data. When the correct passwords are typed in, the right of entry to the system in question is granted.
Over the past few years a consensus has been reached that more needs to be done to keep systems and data more secure. Security professionals are finding that passwords are easily cracked and if they are too complex users write them down and then it's a matter of reading them and retyping them to gain access.
But how many systems are actually compromised using password cracking? To paint the picture, after attending a yearly security conference where these kinds of topics are discussed it was found that almost all password protected systems, given enough effort and time, will be cracked, even if the passwords are set to lock the user out after a few attempts as there are techniques that can be used to overcome this limitation. International studies have found that passwords are a prominent cause of vulnerability throughout all platforms.
What are the problems with passwords?
- Passwords can be written down.
- Passwords can be sniffed over the wire as sent in plain text (normally the case)
- Passwords can be captured locally using tools like key loggers
- Multiple passwords cause users to use the same password across multiple systems resulting in one password being compromised, all system accessible.
- SOX, HIPPA, GLB and other compliance requirements now specify stricter control that password controls do not perform.
What can be done?
Now that we know about the vulnerability of passwords what can be done to structure stronger authentication in your organization?
Something you can't write down. Onetime password or two factor authentication.
What password can you not sniff? An encrypted password or you can try encrypting your LAN and then the internet but that's going to take a long time, however a onetime password will do the trick.
Local password capture is difficult to thwart especially with physical key loggers available today. They are difficult to detect using software detection tools and in most cases difficult to spot unless detailed hardware security audits are performed. Onetime passwords will help here.
One time passwords are passwords that are issued for one use only after which they have no value, these passwords are often generated by token devices that have a sync with a server, the server challenges the user for a password and the user uses the token to generate a password, this one time password is then used to authenticate along as part of the normal username and password credential challenge mechanism.
Single Sign On
Multiple systems that need to be accessed and different credentials are required per platform or application. Single Sign On (SSO) should be used. These SSO systems typically capture your credentials then change them to unique very complex strings that are sent when your credentials are requested. Your credentials are then stored centrally on the SSO server as well as locally in an encrypted form. Together with a second factor of authentication you are on your way to a more secure authentication mechanism.
Why use SSO?
Single Sign On simplifies system access and reduces the number of credentials that a user needs to remember. Be warned, although SSO sounds like utopia a failed implementation of SSO can result in undesired results. There are cost savings that an organization can experience when using SSO but these need to be carefully quantified by a third party or an in house expert that does not have a conflict of interest. Correctly deployed SSO really does save time and this translates to money.
What is multifactor authentication?
Multifactor or strong authentication typically consists of two or more authentication mechanisms. Think of strong or multifactor authentication like locks on a door. Multiple locks = extra security. Layers of security, but these layers are only effective in certain instances. Detailed design will need to be carefully planned and thought through in order to effectively implement an effective multifactor authentication solution.
Something you know
The term something you know refers to a sequence of characters like a password or mouse clicks on a screen or a code like on a keypad.
Something you are
Something you are refers to something the user is, like finger prints, retina patterns and voice recondition, the user actually is the password.
Something you have
Something you have, refers to something the user actually has, like a token device that issues one time passwords or OTPs, or a smart card that the user will insert when authentication is required. These mechanisms are becoming very popular and are often used in conjunction with something you know like a password or a PIN.
If two or more of these authentication mechanisms are used, two factor or strong authentication is achieved.
For over 15 years banks have used multifactor authentication mechanisms like a bank card with a magnetic strip and a PIN to gain access to your funds Although primitive the solution is more effective than typing in a username and password at an ATM as you need both the card and the PIN to complete a transaction.
Why has there been reluctance to change to stronger authentication mechanisms?
Traditionally implementation of stronger authentication mechanisms have not been properly supported and have been difficult to integrate and implement, this has changed and many vendors are starting to leverage their skills and technologies to assist organizations with strong authentication. As these solutions become more utilized users will become familiar with the technology and the technologies start to become the norm. Wherever access control is a key element of security be it a logical or physical solution strong authentication is preferred. Like insurance it's not important till you need it. The key elements to look out for are LDAP and directory integration and system and application compatibility as these are key elements to the effectiveness and management of the solution.
Passwords are easy, it's what we know
People use what they are familiar with, if we do not know about something we are more inclined to use what we do know, until we find that doing something another way is really better. Many organizations and their decision makers are just happy using passwords and only passwords. A new solution would mean more change and possibly expense. There is a bigger picture, if you are protecting confidential client data and there is a compromise the company can suffer reputational and financial damage. In today's competitive environment this is the last thing any company needs and then suddenly the learning curve and the extra expense seem insignificant.
Support and knowledge of alternate systems
How does the solution get supported, and what new solution are we to use, is the question most asked by organizations when looking to implement stronger authentication solutions. My typical response is: try and use the technology you already own. This not only reduces the cost but the implementation and integration of the solution. Detail the list of requirements and then match the list to a set of features that the software provides. This is the best way to start. If not all the requirements are being met then look for a similar product that may meet those requirements.
Compliance is not strict
Up until 2007 few people have been jailed for not compiling with bills and acts passed. As the laws and bills get stricter, more people will be held accountable. Systems like strong authentication and multifactor authentication help in legal cases, as the solutions offer a level of non repudiation difficult to implement and audit when passwords alone are used. Especially where biometrics are used it is difficult to prove that someone had your eyeball when the $5,000,000 went missing and that in fact you were not on the scene.
Now more than ever, more hardware is being designed and retailed with security features as a standard. Vendors are developing interesting solutions like keyboard dynamics, signature dynamics, body heat recognition and many other fascinating unique biometric solutions. Biometric fingerprint readers are being integrated into keyboards, and laptop computers. Retina scanners are being used at international airports like Heathrow to speed up security checks, and voice recognition is being used at banks to verify your identity when calling the helpdesk.
This is only the beginning, the paranoia of being tracked and our privacy being invaded must be addressed but our resources and data must be kept secure, multifactor authentication is a start to the multilayered approach of defense in depth.