Moving beyond passwords

New options for strong authentication help agencies find the right security for their needs

Since the early days of terminal-based computing in the 1960s, agencies controlled access to mainframe systems through passwords. This was usually true whether the system had a classified weapons database or a cafeteria lunch menu.

If security requirements were high, agency officials would use other tactics. They might impose stricter password policies, such as forcing users to change passwords every month, or they might rely on physical access controls, such as placing the terminal in a locked room or behind a security checkpoint.

Yet both approaches have problems. Studies show that as password policies become more complex, users are more prone to write passwords down, compromising security. And although a locked door certainly offers some protection, it limits users to specific machines in specific locations.

Fortunately, thanks in large part to ever-shrinking microprocessors and new technologies such as biometrics, agencies have fresh security options that include the best aspects of the earlier approaches, minus the inconveniences.

The concept is known as strong authentication. In a nutshell, it's a security process that grants access only after users have produced at least two of the following:

Something they know, such as a personal identification number (PIN) or password that they enter into their computers.

Something they have, such as a smart card or pocket-sized hardware token.

Something they are, namely a unique physical or biometric characteristic that can be scanned, such as a fingerprint.

Among the most popular strong authentication devices for computer networks are one-time password and challenge/response tokens, according to market researcher IDC. They come in a variety of forms, including credit card-sized units with display screens and input keys, and even small plastic units that are designed to serve as key chains.

One-time password tokens generate and display a single-use password, which the user types into a networked computer; the server checks the password and, if it is valid, authorizes access. With a challenge/response token, the user reads server-generated text shown on the PC and types it into the token device, which then displays a one-time password that is used to log in to the network. These devices are popular because the management software they use needs to be installed only on the server, not on client computers.
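The two token styles described above, as an added example that is not part of the original article and is not CryptoCard's or RSA Security's own algorithm. The event-based token uses the HOTP construction from RFC 4226 (HMAC-SHA1 over a press counter, dynamically truncated to six digits), which is a public standard; the challenge/response token uses an HMAC-SHA256 of the server's challenge, which is this example's own construction. The shared key, the look-ahead window of five presses and the session identifiers are constructed for the demonstration. All state the server needs, the shared key plus a counter or an outstanding challenge, lives on the server, which is the property the text attributes to these devices.

```python
"""Added example: an event-based one-time-password token (RFC 4226 HOTP) and a
challenge/response token, with the server-side checks each one needs.
Illustrative code only; keys, window sizes and session ids are assumptions."""
import hashlib
import hmac
import secrets
import struct

DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1(key, 8-byte big-endian counter), dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def cr_response(key: bytes, challenge: str, digits: int = DIGITS) -> str:
    """Challenge/response: both sides derive the same code from the challenge."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % (10 ** digits)).zfill(digits)


class OtpToken:
    """The device in the user's pocket: each press shows a fresh code."""
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.key, self.counter)
        self.counter += 1
        return code


class OtpServer:
    """Server side: shares the key, remembers the last accepted counter,
    tolerates a few unused presses (look-ahead window) and rejects replays."""
    def __init__(self, key: bytes, window: int = 5):
        self.key = key
        self.counter = 0          # next counter value the server expects
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.counter = c + 1   # move past the used code: no replay
                return True
        return False


class ChallengeResponseToken:
    """Keypad token: the user types the on-screen challenge, reads back a code."""
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: str) -> str:
        return cr_response(self.key, challenge)


class ChallengeResponseServer:
    """Issues one challenge per login session and accepts each only once."""
    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}         # session id -> outstanding challenge

    def challenge(self, session: str) -> str:
        ch = f"{secrets.randbelow(10 ** 8):08d}"   # shown on the PC screen
        self.pending[session] = ch
        return ch

    def verify(self, session: str, response: str) -> bool:
        ch = self.pending.pop(session, None)    # one-shot: challenge consumed
        if ch is None:
            return False
        return hmac.compare_digest(cr_response(self.key, ch), response)


if __name__ == "__main__":
    key = b"constructed-shared-secret"           # constructed demo key
    token, server = OtpToken(key), OtpServer(key)
    code = token.press()
    print("OTP accepted:", server.verify(code), "replay:", server.verify(code))
    crs, crt = ChallengeResponseServer(key), ChallengeResponseToken(key)
    ch = crs.challenge("sess-1")
    print("challenge", ch, "accepted:", crs.verify("sess-1", crt.respond(ch)))
```

The two server classes hold everything that has to be managed: the per-user key and either a counter or an outstanding challenge. A client PC contributes nothing beyond a keyboard, which is why these tokens need no driver or reader on the workstation. The look-ahead window is the practical check a deployment needs, since users press the button without logging in; widening it far beyond a handful of presses weakens the scheme, and a code that falls outside the window should trigger resynchronisation rather than a larger window.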

That client-side flexibility was appealing to officials at Los Alamos National Laboratory. "We have 15,000 users, and many heterogeneous systems," said Alex Kent, deputy group leader for network engineering at Los Alamos. "We needed something that was easy to implement."

The lab uses CryptoCard Corp.'s CryptoCard, a one-time password token, to control access to virtually all lab systems. Kent said lab officials considered smart cards and USB tokens, which work like smart cards but plug into a computer's USB port instead of being inserted into a card reader. But smart cards would have required the lab to provide readers at every computer and, like USB tokens, they needed special software drivers loaded on each client computer to work.

On the other hand, traditional passwords alone were not sufficiently secure for a national weapons lab. "We've found that too many people write them down," Kent said. "And some of our older systems don't encrypt the password, so the network could be sniffed."

Los Alamos has been using CryptoCard since 1999. "It's part of the culture," he said. "Just as people would never come to work without their badges, they won't show up without their password tokens."

Double duty

Still, not all agencies want their employees to carry one identification card for physical access and another for access to the computer network. For example, the 110 trademark attorneys who telecommute at the U.S. Patent and Trademark Office (USPTO) currently use SecurID one-time password tokens from RSA Security Inc. to access the trademark databases and other applications. But next year, when USPTO moves to a new facility that will require smart cards for physical access, the agency may have those cards do double duty and control access to PCs as well.

"All of our lawyers work at home, and we didn't want to worry about what system they were using, what readers they had or even if they had available USB ports," said Debbie Collin, group director at the office.

However, USPTO officials can see the writing on the wall. "We believe the government is moving toward heavier use of smart cards," said Wes Gewehr, deputy chief information officer at the agency. Although users may prefer a single card, there is the issue of installing drivers and smart card readers on all PCs. One solution officials are evaluating is providing the attorneys with laptops that contain smart card readers.

"If we give them the computers, we'd have better control of what is installed on the machines," Gewehr said.

In a sign that off-the-shelf smart card integration with PCs may become more common, Dell Inc. announced last month that its customers can now configure new laptop and desktop computers at the time of purchase with built-in smart card readers and software. Several models of the company's Latitude notebook computer line now feature an integrated smart card reader, and Precision and OptiPlex desktop computers can be configured with external keyboards that have integrated readers.

Trent Henry, an analyst at the Burton Group, said the main advantage of smart cards, besides their ability to provide physical and logical access control, is that they can contain digital signatures and private keys that can be used to authenticate users and encrypt transactions as part of a larger public-key infrastructure (PKI).

At the same time, Henry said that the PKI capability is also one of the primary barriers to smart cards' wider acceptance. "The problem with smart cards is that to take full advantage of them, you have to set up" a PKI, he said. "That can be a major undertaking."

The Defense Department has been successful with its large-scale smart card program called the Common Access Card, but the military's hierarchical structure facilitates the trust authority required for PKI, according to Willy Leichter, director of enterprise security product marketing at Secure Computing Corp. Other departments may have a harder time implementing the technology.

USB tokens share many of the pros and cons of smart cards for strong authentication (see chart, Page 27). Their biggest advantage over smart cards is that they don't require a special reader; the disadvantage is that they can't double as a badge or physical entry control device.

In theory, if users prefer carrying only one device, they'd be even happier if they didn't have to carry any card or token. That's the benefit of biometrics. But Charles Kolodgy, research manager for Internet security at IDC, said that except in a few niche areas, such as law enforcement, biometrics has not gained the acceptance many had expected.

"Most agencies don't see a need for it," Kolodgy said. "If you are going to buy biometrics scanners, why not just buy smart card readers, which many people find easier to use and less intrusive?" In fact, because of the lack of interest in the technology, IDC has stopped tracking biometrics as a means of controlling access to computer systems.

Nevertheless, the Social Security Administration has been experimenting with a biometric authentication system, though it is still working to eliminate some of the technology's downsides. The system uses voice analysis; it requires no special readers and includes a number of checks intended to avoid the security problems associated with other biometric systems.

The system was developed for SSA by Authentify Inc. using technology from Nuance Communications Inc., and the proof-of-concept test is aimed at speeding up electronic wage reporting. Currently, when employees are authorized by their companies to use the agency's online wage reporting function, SSA officials must send a confirming letter to the employee's supervisor, who has to sign and mail it back. Only then does the employee receive a PIN in the mail.

"The process can take over two weeks," said Chuck Liptz, SSA's director of employer wage reporting. "And when you're dealing with an online activity, that's a considerable period of time."

In the voice analysis system, when an employee applies for a PIN on SSA's Web site, the supervisor immediately receives an e-mail message with a link to a Web page and a telephone number to call. The supervisor reads aloud, over the phone, a question displayed on the page and answers it. If the supervisor's voice matches the voiceprint recorded when the company first registered to use the system, the employee receives a PIN immediately.

Liptz said the biggest advantage of the system over other biometrics is that it requires something everyone has: a phone. The displayed questions, such as mother's maiden name, add a further level of security because the answers are not generally known. Additionally, anyone trying to fool the system by mimicking a supervisor's voice (Nuance claims a false positive is virtually impossible) would likely be discouraged by the fact that they'd be leaving their own voiceprint on the system.

SSA is evaluating the project, and Liptz said the average time it took for employees to receive their PINs was five minutes.

Many of the strong authentication methods are not fully mature. But security experts say no matter what the required confidence level, some strong authentication device or combination of devices can suffice. Agency officials have to select the one that works well with the culture and workflows they have and provides the needed level of security.

Stevens is a freelance journalist who has written about information technology since 1982.
