The Authentication Factor

07/15/2008 09:58

With the increasing sophistication of malware and other security threats, it has been obvious for quite some time that the standard “locks” we are using to secure our information may not be up to the task. The venerable “username and password” combination is used for everything from securing firewalls to keep intruders out, to locking down our servers to secure our files, to logging into websites to do our banking. Since these passwords are the keys to the kingdom, they have been targeted by innumerable hacks, trojans, worms and keyloggers. However, there are reasonable and secure alternatives.

Passwords are considered a single factor authentication mechanism: something that you know, used to prove you are who you say you are. The problem with this is that others may find out that password and then have your access. A much more secure authentication scheme is two factor authentication (or multi-factor authentication): something you know plus something you have, something you are, or another something you know.

Two factor authentication has been around for quite a while. Banks and credit card companies have been using it for years. When you call them, they ask for your mother’s maiden name, social security number, etc., as multiple factors to verify that you are who you say you are (authentication). Two factor authentication is also fairly widespread for physical security, such as access badges with both your picture and an RFID chip or magnetic swipe.

In the computer world, many new laptop computers now include fingerprint readers, or even facial recognition systems. While these two factor biometric authentication mechanisms are wonderful for securing that single computer, they have some limiting factors. For example, they rely on specialized hardware and software, meaning that they can only be used when the person logging in has that special hardware and software. Great for the PC; not so great for securing a website. Legitimate users may be trying to access the website from a kiosk or home computer that does not necessarily have the appropriate hardware.

The two factor alternatives for securing servers, remote access, firewalls and websites have been around for a while, but until recently were not competitively priced. These solutions generally use a One Time Password (OTP) as the second factor. Each user is issued a keychain-sized device called a token. The token displays a unique passcode on an LCD screen; the passcode is tied to the token’s serial number (and through it to the user’s account) and is valid only once. This passcode is then used in combination with the standard username/password, supplying both something you know (the normal password) and something you have (the token). Since both factors are required, losing the token alone or having the password compromised alone does not permit unauthorized access.

Since the token is kept by the user and is independent of a computer being logged into, this can be used from anywhere. Even if the PC the user is connecting from has malware such as a keylogger to capture passwords, the One Time Password makes the captured information useless.
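The following is an added example, not code from the original post or from AuthAnvil, showing how a server can enforce the two properties the post relies on: a passcode tied to a token serial that is valid only once, and a login that needs both the password and the passcode. The post does not say which algorithm the tokens use, so this example assumes HMAC-based OTP (RFC 4226); the classes, the demo user, the token serial and the shared secret are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct

# Added example (not from the original post or any vendor): a server-side
# one-time-password verifier using HMAC-based OTP (RFC 4226) as the assumed
# code scheme. Token, AuthServer and the demo user/serial are constructed.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10**digits).zfill(digits)


class Token:
    """Simulated keychain token: shares a secret with the server and shows a
    new code each time the button is pressed (the counter advances)."""

    def __init__(self, serial: str, secret: bytes):
        self.serial = serial
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class AuthServer:
    """Holds password hashes and per-serial token state; accepts a login only
    when both factors check out and the passcode has not been used before."""

    LOOK_AHEAD = 5  # tolerate a few unused button presses on the device

    def __init__(self):
        self._users = {}   # username -> (salt, password hash, token serial)
        self._tokens = {}  # serial -> {"secret": bytes, "next_counter": int}

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, username: str, password: str, token: Token) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash_password(password, salt), token.serial)
        self._tokens[token.serial] = {"secret": token.secret, "next_counter": 0}

    def _check_otp(self, serial: str, code: str) -> bool:
        state = self._tokens[serial]
        start = state["next_counter"]
        for counter in range(start, start + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(state["secret"], counter), code):
                # Spend this counter and everything before it, so a captured
                # code replayed later (e.g. from a keylogger) is rejected.
                state["next_counter"] = counter + 1
                return True
        return False

    def login(self, username: str, password: str, otp: str) -> bool:
        record = self._users.get(username)
        if record is None:
            return False
        salt, pwd_hash, serial = record
        password_ok = hmac.compare_digest(self._hash_password(password, salt), pwd_hash)
        # Always evaluate the OTP too: a valid code is consumed even when the
        # password is wrong, so neither factor on its own gets a retry.
        otp_ok = self._check_otp(serial, otp)
        return password_ok and otp_ok


def demo() -> dict:
    """Walk through the situations in the post: a normal login, a replay of
    a keylogged code, the password alone, and the token alone."""
    token = Token("SN-000123", b"12345678901234567890")  # constructed secret
    server = AuthServer()
    server.enroll("alice", "correct horse", token)

    code = token.press()
    results = {"normal_login": server.login("alice", "correct horse", code)}
    # A keylogger captured both the password and that code; replaying fails.
    results["replayed_code"] = server.login("alice", "correct horse", code)
    # Password compromised, no token: a guessed code is rejected.
    results["password_only"] = server.login("alice", "correct horse", "000000")
    # Token lost, password unknown: the device alone is not enough.
    results["token_only"] = server.login("alice", "wrong password", token.press())
    # The legitimate user still gets in with the next code.
    results["next_login"] = server.login("alice", "correct horse", token.press())
    return results


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario}: {'accepted' if accepted else 'rejected'}")
```

The look-ahead window is what lets the server stay in step with a device whose button was pressed without logging in; keeping it small limits how many codes an attacker could try against a stolen password, and advancing `next_counter` past every accepted code is what makes the passcode one-time.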

At work (SAGE Computer Associates), we are currently using two factor authentication from a company called AuthAnvil to secure our internal systems. In the near future, we will be using this for our clients at no extra cost as part of our commitment to security. Also, we will be reselling the service for anyone who wants to truly secure their networks. There are a number of other vendors in this arena as well, the largest being RSA, but AuthAnvil has a number of features that make it ideally suited for the integration service provider.
