Passwords are not enough

By prpr

August 13, 2008

John Stewart of Signify – The Secure Authentication Service – explains why two-factor authentication is better than one

Passwords are getting a bit embarrassing. Organisations are increasingly reluctant to admit that they only use weak static password protection to prevent access to their networks and resources.

A major problem is that people are forgetful. So when asked to pick a memorable combination of letters and numbers, most will opt for something simple like the name of a relative, pet, football team and the date of a birthday.

This drives IT managers crazy; but it’s not easy to change human nature. And even if users do choose more complex passwords, those can easily be stolen through simple ‘shoulder surfing’, by using readily available password-cracking or keyboard-logging software, or by installing a Trojan horse password-stealing programme.

Once someone’s username and password have been hijacked, that person’s entire digital identity is vulnerable and the attacker instantly acquires all the access privileges of the victim.

Yet despite this, many public sector organisations and businesses – both large and small – still seem willing to take this risk.

The problem of identity management and authentication is further compounded by the increase in demand for 24/7 remote access to data and resources from remote and home workers along with the addition of new wireless networks.

The more you open up your infrastructure to Internet or wireless connections, the more you rely on digital identities to differentiate trusted users from the rest.

Two are better than one

A strong authentication system demands two or more distinct proofs of identity before granting access.

In what is known as two-factor authentication, the most common factors used are something you know, such as a secret PIN or password, plus something you have.

This can be a unique, physical device such as a token, smartcard or even a mobile phone or PDA.

The physical device is used to generate a One-time Passcode, or OTP, so that the user presents a different passcode every time they log in.

Therefore, even if a user’s session is snooped, the stolen passcode cannot be reused. Most OTPs require no special reader or input device, so the user is able to log in from any convenient PC or other Internet connected device.
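The replay protection described above, shown as an added example that is not part of the original article: the server keeps the last counter it has accepted for each user, so a passcode captured from one login is rejected when it is presented again. The HMAC-based counter scheme (RFC 4226 style) and the PIN-plus-passcode check are assumptions for illustration; RSA SecurID itself uses a different, time-based algorithm.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time passcode derived from a shared seed and a counter (RFC 4226 style)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server side of a PIN + token login. Remembers the highest counter already consumed
    so that a snooped passcode cannot be replayed."""

    def __init__(self, secret: bytes, pin: str, window: int = 5):
        self.secret = secret
        self.pin = pin
        self.window = window          # how far ahead the server will resynchronise
        self.last_counter = -1        # highest counter value already accepted

    def verify(self, pin: str, passcode: str) -> bool:
        if not hmac.compare_digest(pin, self.pin):
            return False
        # Only counters beyond the last accepted one are candidates: replays always fail.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), passcode):
                self.last_counter = c     # consume this counter and every earlier one
                return True
        return False


def demo():
    """Constructed walk-through: a genuine login, a replay of the same passcode, the next login."""
    seed = b"constructed-demo-seed"   # constructed sample seed, not a real token secret
    server = OtpVerifier(seed, pin="1234")
    first_code = hotp(seed, 0)
    first = server.verify("1234", first_code)    # legitimate login: accepted
    replay = server.verify("1234", first_code)   # same passcode seen by a snooper: rejected
    nxt = server.verify("1234", hotp(seed, 1))   # token's next passcode: accepted
    return first, replay, nxt


if __name__ == "__main__":
    print(demo())
```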

Secure OTPs can be delivered to users in a variety of ways. Hardware Tokens such as RSA SecurID used in combination with a secret PIN form the most simple, secure and convenient way to generate one-time passcodes.

They are ideal for any form of corporate remote access and particularly for frequent users who usually simply attach the small token to their key rings.

But OTPs can also be delivered on-demand to a user’s registered mobile phone, PDA or email account by SMS or email.

This approach means that the user does not have another device to carry around, but requires an additional request stage.

It is therefore best suited to occasional users, contractors, part-time staff and those checking email from home for example.

It can also provide Extranet access to other departments, professionals and partners or for sensitive online services such as HR, e-commerce or access to health information.

Furthermore, having temporary, short-term remote access to the corporate network is also valuable in emergency scenarios caused by bad weather, strikes or terrorist threats, for example.

Smartcards and USB smart keys, which require a reader or USB port, can be used to securely store a user’s Public Key Infrastructure (PKI) digital certificate to ‘digitally sign’ documents, or for Single Sign-On and hot-desking applications where users will always be logging in from a corporate-controlled PC or laptop.

Finally, there is biometric authentication. Yet despite generating many column inches in the press, fingerprint, iris and other forms of biometric authentication are still mostly used for physical access security rather than as a digital ID for network and web access.

Because the user is tied to using a computer with an appropriate scanner, most biometrics are not suitable for anywhere-access applications.

Who’s doing 2FA?

Large public sector bodies and companies seem to be getting the 2FA message and are increasingly adopting two-factor protection in the form of tokens, one-time passcodes (OTPs) and USB devices.

Yet, despite facing exactly the same threats, many smaller departments and businesses continue to rely on weak password protection, making them vulnerable to attack.

Like most technology barriers, this probably comes down to cost, perceived complexity and fear of ongoing hassle dealing with a demanding 24/7 remote user community.

In addition, customers may be wary of the added costs and difficulty of deploying and managing the solution.

For example, with a token-based solution such as RSA SecurID, this means everything from despatching devices and rights administration to handling lost tokens or forgotten passwords.

But this needn’t put organisations off. With the emergence of Managed Security Service Providers (MSSPs), these factors are dealt with by those with the specialist knowledge, infrastructure and support needed to piece together the complexities of the security jigsaw puzzle.

It is one alternative for a quick, simple and affordable option to help alleviate the hassle and upfront capital cost of the move to two-factor authentication.

London Borough of Tower Hamlets

The London Borough of Tower Hamlets uses Signify’s managed RSA SecurID authentication service to provide secure access for all mobile users carrying wireless PCs and PDAs.

Staff can now securely access all corporate systems via LBTH or public wireless hotspots, where previously they had to return to the office to file reports and update necessary documentation.

For field workers in the Borough, secure authentication is providing increased productivity and business efficiency. Planning officers, care workers and councillors all have access to their calendar, email and relevant documentation throughout the course of their working day.

LBTH also wants to provide a more flexible working environment for staff with care and family commitments whilst reducing the amount of office space required.

Trials are taking place via ADSL connectivity with user authentication via Signify’s managed service.

And for social services and care workers Signify’s NHS approved secure authentication provides immediate benefits.

Using their RSA SecurID tokens, social workers can securely access the NHS N3 network, so the Borough can comply with mental health initiatives and the ESCR (electronic social care record).

Whether organisations choose token or token-less authentication or a mixture of both, the option of a managed authentication service makes it easy and affordable to eliminate weak passwords.

It is important that organisations realise that relying on basic passwords for network security is like putting cheap tyres on a Ferrari: it might save you money and hassle in the short term, but you will lose control in the first rainstorm!

For more information visit www.signify.net

Comments

One Response to “Passwords are not enough”

  1. daniel on October 28th, 2008 6:43 pm

    In addition to PW, we need to check the client IP address. Since we can fake IP address (this is due to internet backbone routing), we can provide our IP address to the server. When accessing the account, the server can check the client’s IP address to see if it is valid.
