Moving beyond passwords

New options for strong authentication help agencies find the right security for their needs

Since the early days of terminal-based computing in the 1960s, agencies controlled access to mainframe systems through passwords. This was usually true whether the system had a classified weapons database or a cafeteria lunch menu.

If security requirements were high, agency officials would use other tactics. They might create stricter password policies, such as forcing users to replace their passwords every month, or they might use physical access controls, such as placing the terminal in a locked room or beyond a security checkpoint.

Yet both approaches have problems. Studies show that as password policies become more complex, users are more prone to write passwords down, compromising security. And although a locked door certainly offers some protection, it limits users to specific machines in specific locations.

Fortunately, thanks in large part to ever-shrinking microprocessors and new technologies such as biometrics, agencies have fresh security options that include the best aspects of the earlier approaches, minus the inconveniences.

The concept is known as strong authentication. In a nutshell, it's a security process that grants access only after users have produced at least two of the following three factors:

Something they know, such as a personal identification number (PIN) or password that they enter into their computers.

Something they have, such as a smart card or pocket-sized hardware token.

Something they are, namely a unique physical or biometric characteristic that can be scanned, such as a fingerprint.

Among the most popular strong authentication devices for computer networks are one-time password and challenge/response tokens, according to market researcher IDC. They come in a variety of forms, including credit card-sized units with display screens and input keys, and even small plastic units that are designed to serve as key chains.

One-time password tokens generate and display a single-use password, which the user types into a networked computer; the server computes the expected value from the secret it shares with that token and grants access only if the two match. With a challenge/response token, the user reads server-generated text shown on the PC and keys it into the token device, which then displays a one-time response that is typed in to log on to the network. Because each code is accepted only once, a code captured in transit is useless to an attacker after the legitimate login. These devices are popular because the management software they require needs to be installed only on the server, not on client computers.
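The two token styles described above, as an added worked example written for this page (it is not CryptoCard's, RSA's, or any other vendor's algorithm): an event-counter one-time password token, a challenge/response token, and the server-side checks that make each code usable only once. The HMAC-over-counter construction, the six-digit truncation, the five-code look-ahead window, the username and the seed value are all assumptions chosen for illustration; the demo input is constructed, not captured from a real system.

```python
"""Added example, not from the article: HMAC-based OTP and challenge/response
tokens with a server-side verifier.  The construction (HMAC over a counter or
a server challenge, truncated to six digits) is an illustrative assumption,
not the proprietary algorithm of any product named on the page."""
import hashlib
import hmac
import secrets
import struct


def _truncate(digest: bytes, digits: int = 6) -> str:
    """Reduce a MAC to a short decimal code a user can read off a display:
    take 31 bits at an offset chosen by the digest's last nibble, then mod 10^digits."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def otp_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """What an event-based token displays for a given press of its button (counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def response_code(secret: bytes, challenge: str, digits: int = 6) -> str:
    """What a challenge/response token displays after the user keys in the
    server's challenge text."""
    mac = hmac.new(secret, challenge.encode("ascii"), hashlib.sha1).digest()
    return _truncate(mac, digits)


class OtpServer:
    """Server side only: holds each user's token secret and the last counter it
    accepted, so the management software lives on the server, not the client.
    A code is accepted once, inside a small look-ahead window; a code sniffed
    off the wire is worthless once the legitimate user has spent it."""

    def __init__(self, window: int = 5):
        self.window = window
        self.users = {}       # username -> {"secret": bytes, "counter": int}
        self.challenges = {}  # username -> outstanding challenge text

    def enroll(self, user: str, secret: bytes) -> None:
        self.users[user] = {"secret": secret, "counter": 0}

    def verify_otp(self, user: str, code: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        # Try the next `window` counters so a few unused button presses are tolerated.
        for c in range(rec["counter"] + 1, rec["counter"] + 1 + self.window):
            if hmac.compare_digest(otp_code(rec["secret"], c), code):
                rec["counter"] = c  # advance: this and earlier counters can never be reused
                return True
        return False

    def issue_challenge(self, user: str) -> str:
        chal = secrets.token_hex(4).upper()  # 8 hex characters the user keys into the token
        self.challenges[user] = chal
        return chal

    def verify_response(self, user: str, code: str) -> bool:
        rec = self.users.get(user)
        chal = self.challenges.pop(user, None)  # single use: any attempt consumes it
        if rec is None or chal is None:
            return False
        return hmac.compare_digest(response_code(rec["secret"], chal), code)


def demo() -> dict:
    """Walk through both login flows with a constructed (not real) token seed."""
    secret = b"constructed-demo-seed-not-a-real-token-secret"  # constructed sample
    server = OtpServer()
    server.enroll("alice", secret)
    results = {}
    # OTP token: user reads the code for counter 1 off the display and types it in.
    code = otp_code(secret, 1)
    results["otp_first_use"] = server.verify_otp("alice", code)
    results["otp_replay"] = server.verify_otp("alice", code)               # sniffed and replayed
    results["otp_skip_ahead"] = server.verify_otp("alice", otp_code(secret, 4))   # inside window
    results["otp_too_far"] = server.verify_otp("alice", otp_code(secret, 50))     # outside window
    # Challenge/response: server shows text, user keys it into the token, types the answer.
    chal = server.issue_challenge("alice")
    results["cr_correct"] = server.verify_response("alice", response_code(secret, chal))
    results["cr_replay"] = server.verify_response("alice", response_code(secret, chal))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} {'accepted' if ok else 'rejected'}")
```

The look-ahead window is the usual trade-off on the server side: too small and a user who pressed the token button a few times without logging in is locked out, too large and an attacker with several captured future codes gains room to work. Counter synchronization and challenge expiry are handled on the server, which is exactly why nothing has to be installed on the client.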

That client-side flexibility was appealing to officials at Los Alamos National Laboratory. "We have 15,000 users, and many heterogeneous systems," said Alex Kent, deputy group leader for network engineering at Los Alamos. "We needed something that was easy to implement."

The lab uses CryptoCard Corp.'s CryptoCard, a one-time password token, to control access to virtually all lab systems. Kent said lab officials considered smart cards and USB tokens, which are like smart cards except that they plug directly into a computer's USB port instead of being inserted into a card reader. But smart cards would have required the lab to provide readers at every computer and, like USB tokens, they need special software drivers loaded on each client computer to work.

On the other hand, traditional passwords alone were not sufficiently secure for a national weapons lab. "We've found that too many people write them down," Kent said. "And some of our older systems don't encrypt the password, so the network could be sniffed."

Los Alamos has been using CryptoCard since 1999. "It's part of the culture," Kent said. "Just as people would never come to work without their badges, they won't show up without their password tokens."

Double duty

Still, not all agencies want their employees to carry one identification card for physical access and another for access to the computer network. For example, the 110 trademark attorneys who telecommute at the U.S. Patent and Trademark Office (USPTO) currently use SecurID one-time password tokens from RSA Security Inc. to access the trademark databases and other applications. But next year, when USPTO moves to a new facility that will require smart cards for physical access, the agency may have those cards do double duty and control access to PCs as well.

"All of our lawyers work at home, and we didn't want to worry about what system they were using, what readers they had or even if they had available USB ports," said Debbie Collin, group director at the office.

However, USPTO officials can see the writing on the wall. "We believe the government is moving toward heavier use of smart cards," said Wes Gewehr, deputy chief information officer at the agency. Although users may prefer a single card, there is the issue of installing drivers and smart card readers on all PCs. One solution officials are evaluating is providing the attorneys with laptops that contain smart card readers.

"If we give them the computers, we'd have better control of what is installed on the machines," Gewehr said.

In a sign that off-the-shelf smart card integration with PCs may become more common, Dell Inc. announced last month that its customers can now configure new laptop and desktop computers at the time of purchase with built-in smart card readers and software. Several models of the company's Latitude notebook computer line now feature an integrated smart card reader, and Precision and OptiPlex desktop computers can be configured with external keyboards that have integrated readers.

Trent Henry, an analyst at the Burton Group, said the main advantage of smart cards, besides their ability to provide both physical and logical access control, is that they can store a user's private keys and digital certificates, which can be used to authenticate users and to sign and encrypt transactions as part of a larger public-key infrastructure (PKI).

At the same time, Henry said that the PKI capability is also one of the primary barriers to smart cards' wider acceptance. "The problem with smart cards is that to take full advantage of them, you have to set up" a PKI, he said. "That can be a major undertaking."

The Defense Department has been successful with its large-scale smart card program called the Common Access Card, but the military's hierarchical structure facilitates the trust authority required for PKI, according to Willy Leichter, director of enterprise security product marketing at Secure Computing Corp. Other departments may have a harder time implementing the technology.

USB tokens share many of the pros and cons of smart cards for strong authentication (see chart, Page 27). Their biggest advantage over smart cards is that they don't require a special reader; the disadvantage is that they can't double as a badge or physical entry control device.

In theory, if users prefer carrying only one device, they'd be even happier if they didn't have to carry any card or token. That's the benefit of biometrics. But Charles Kolodgy, research manager for Internet security at IDC, said that except in a few niche areas, such as law enforcement, biometrics has not gained the acceptance many had expected.

"Most agencies don't see a need for it," Kolodgy said. "If you are going to buy biometrics scanners, why not just buy smart card readers, which many people find easier to use and less intrusive?" In fact, because of the lack of interest in the technology, IDC has stopped tracking biometrics as a means of controlling access to computer systems.

Nevertheless, the Social Security Administration has been experimenting with a biometric authentication system, though it is still working to eliminate some of the technology's downsides. The system uses voice analysis, but it doesn't require special readers and has a number of checks to overcome the potential security problems associated with other biometrics systems.

The proof-of-concept system, developed for SSA by Authentify Inc. using technology from Nuance Communications Inc., is aimed at speeding up electronic wage reporting. Currently, when employees are authorized by their companies to use the agency's online wage reporting function, SSA officials must send a confirming letter to the employee's supervisor, who has to sign and mail it back. Only then does the employee receive a PIN in the mail.

"The process can take over two weeks," said Chuck Liptz, SSA's director of employer wage reporting. "And when you're dealing with an online activity, that's a considerable period of time."

In the voice analysis system, when an employee applies for a PIN on SSA's Web site, the supervisor immediately receives an e-mail message with a link to a Web page and a telephone number to call. The supervisor reads a question displayed on the page and answers it over the phone. If the supervisor's voice matches the voiceprint enrolled when the company first registered to use the system, the employee receives a PIN immediately.

Liptz said the biggest advantage of the system over other biometrics is that it requires something everyone has: a phone. It provides an extra level of security because the answers to the displayed questions, such as a mother's maiden name, are not generally known. Additionally, anyone trying to fool the system by mimicking a supervisor's voice (Nuance claims a false positive is virtually impossible) would likely be discouraged by the fact that they'd be leaving their own voiceprint on the system.

SSA is evaluating the project, and Liptz said the average time it took for employees to receive their PINs was five minutes.

Many of the strong authentication methods are not fully mature. But security experts say no matter what the required confidence level, some strong authentication device or combination of devices can suffice. Agency officials have to select the one that works well with the culture and workflows they have and provides the needed level of security.

Stevens is a freelance journalist who has written about information technology since 1982.
