Monday 17 August 2009


I was giving a web demonstration today and the conversation turned to authentication.

They currently run VASCO, but found it a bit of a hassle having to issue and manage tokens, and it would not allow for a pandemic situation, where more people than usual would need access to a remote solution.

There was mention of some solutions that relied on grids, pictures, icons, keys on screens or security questions.

I had to take a step back and talk about two factor authentication, which draws on the following factors:
  • Something you know - Username, password, passphrase, answers to static questions
  • Something you are given - One time password, digital certificates
  • Something you are - Biometrics, such as fingerprint, iris scan
Two factor authentication is made up of two of the above.

If you are using a solution that still relies on something you know, such as your username and password, along with a picture/icon you know, it is surely still just one factor of authentication, albeit a strong one. This may defeat brute force attacks or keyloggers, but all the security is still based on information you know. As we all know, security is normally compromised by the human element!
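To make that point concrete, here is a small added example (not from the original post and not VASCO's code) that models a login scheme as the credentials it requires, counts how many distinct factor categories it actually spans, and checks whether it still holds up against an attacker who has captured everything the user knows. The scheme names and credentials are constructed for illustration.

```python
from typing import Dict, List, Set, Tuple

# Factor categories as described in the post: something you know,
# something you are given (one time password, certificate), something you are.
KNOW, GIVEN, ARE = "know", "given", "are"

# A scheme is the list of (credential name, factor category) pairs that
# must ALL be presented to log in.
Scheme = List[Tuple[str, str]]


def factor_count(scheme: Scheme) -> int:
    """Number of distinct factor categories the scheme really spans."""
    return len({category for _, category in scheme})


def is_two_factor(scheme: Scheme) -> bool:
    """Two factor means two distinct categories, not two credentials."""
    return factor_count(scheme) >= 2


def survives_capture(scheme: Scheme, captured: Set[str]) -> bool:
    """True if an attacker holding every credential in the captured
    categories (e.g. a keylogger capturing all 'know' items) is still
    missing at least one credential the login requires."""
    return any(category not in captured for _, category in scheme)


# Constructed schemes: the picture/icon scheme from the conversation and a
# password + one time password scheme.
PASSWORD_PLUS_PICTURE: Scheme = [
    ("username", KNOW), ("password", KNOW), ("chosen picture", KNOW),
]
PASSWORD_PLUS_OTP: Scheme = [
    ("username", KNOW), ("password", KNOW), ("one time password", GIVEN),
]


def assess(schemes: Dict[str, Scheme]) -> Dict[str, Dict[str, bool]]:
    """Evaluate each scheme: is it really 2FA, and does it survive an
    attacker who has captured everything the user knows?"""
    return {
        name: {
            "two_factor": is_two_factor(s),
            "survives_know_capture": survives_capture(s, {KNOW}),
        }
        for name, s in schemes.items()
    }


if __name__ == "__main__":
    for name, verdict in assess({"password+picture": PASSWORD_PLUS_PICTURE,
                                 "password+otp": PASSWORD_PLUS_OTP}).items():
        print(name, verdict)
```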
Although it can be an administrative overhead running a VASCO solution, you don't have to pre-issue the tokens. Send an unassigned token to the user, and get them to log into a self assignment website. This obviously removes the need for the administrator to go through the time consuming process of assigning a token and then posting it out to a user. Pre-assigned tokens are also a security concern: the token is already tied to the user, and the user's details are probably on the envelope!

VASCO can also work with an existing RADIUS server, which is normally considered "AAA" or triple A. The "AAA" stands for Authentication, Authorisation and Accounting. The VASCO server carries out the authentication component, while the RADIUS server deals with the authorisation and the accounting. This way we can be sure of who the user is and what services they can access, and keep an account of what they have used.

There was also a comment about not liking hard tokens, so why not use VASCO tokens that run on mobile phones, soft tokens that run on a computer, or an SMS solution that texts the one time password out to mobiles.
