The complexity with passwords
We all know we need secure passwords, or at least to keep them secret. The problem is that we are asked to increase the complexity of passwords by requiring the inclusion of upper case characters, lower case characters, special characters or numbers. Making passwords more complex must increase security… or does it lead to users writing their passwords down, or recycling the same password across a number of environments?
“Something you know, Something you are given, Something you are”
Obviously one of the downsides of passwords is that they can be passed from person to person, and you then lose accountability for the actions of the user who has logged in. This is where the requirement for multi-factor authentication arose: there would be a number of elements to confirm the validity of the person and the action.
Multi-factor authentication is said to be made up of two of the following three elements: “Something you know”, such as passwords and PINs; “Something you are given”, such as one-time passwords; and “Something you are”, such as iris and fingerprint scans.
Some people will suggest that using multiple instances of the same type of authentication, such as the use of multiple passwords and PINs, would make it multi-factor. I disagree, and would call that “Strong authentication”, or I’ve heard it referred to as “1.5 factor authentication”.
Two-Factor Authentication requires a specialist?
In the past, there was a high level of complexity associated with two-factor authentication, and it was something that should only be tackled by specialists within the field. There were complicated multi-server implementations to build resiliency, more databases to administer and a variety of tokens to manage, and that was even before anything was deployed or secured!
Hacked… June 2011!
Undoubtedly, most people reading this will be aware of a compromise that was reported in June 2011, where one of the world’s largest token vendors had (reportedly) 40 million tokens compromised. Suddenly all that hard work seems to have been for nothing. What did all the complexity bring, other than complexity for complexity’s sake?
Commoditised market?
There are a number of vendors offering two-factor authentication, and most organisations see it as a must have, rather than a want to have. The barriers to entry were not only complexity, but security, administration time and, in the current economic climate, cost.
Cloud or On-premise?
A cloud service will reduce the hardware cost, the running cost, power and energy, and brings all the other benefits associated with moving to a hosted solution. There is always a concern about physical security, so ensure the provider meets the right criteria and standards. There will be concerns around uptime, so ensure there is a good SLA in place.
With data security, ensure data is encrypted and is not sent over the internet in clear text.
If these concerns are insurmountable, then look at an on-premise solution, but ensure the solution is highly available if the access is business critical. Ensure that the administrators looking after the solution can manage it correctly, or have the relevant support contracts to provide this.
It would be useful to have a choice of platforms, whether cloud or on-premise.
Ease of use?
In most IT environments we have to manage multiple systems, so we all want an easy-to-use system.
An intuitive, simple-to-use management console with good help features, as well as platform parity between the cloud and on-premise solutions, would be the way forward.
Token options?
Some providers will only offer hardware tokens; some will offer software tokens; some will offer tokens that run on mobile devices; some will offer SMS and/or email tokens; some will offer OATH tokens; and some will offer grid tokens.
What does your user base need? What mix of tokens is required? Will there be a company policy to define the type of tokens that will be offered? What sort of mobile phones need to run tokens?
The preference would be to have all the token types available, but at an attractive price point.
Event or Time-based?
Put simply, a one-time password is generated as follows. A time-based token takes the current time and encrypts it using a seed and an algorithm to generate the one-time password. An event-based token takes a pseudo-random value and encrypts it using a seed and an algorithm to generate the one-time password.
There are arguments for both solutions: a time-based token can potentially go out of sync, while with an event-based token the password is valid until it is used. More of a concern is the seed that is pre-populated onto the token, as if that were compromised, someone holding it could potentially generate your one-time passwords!
Ideally, you want the ability to choose either time-based or event-based authentication, and the ability to generate your own seeds, so that even the two-factor authentication vendor would not know them.
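The generation steps above are what the OATH tokens mentioned earlier standardise: an event-based (HOTP, RFC 4226) token feeds an incrementing counter through an HMAC keyed with the seed, and a time-based (TOTP, RFC 6238) token does the same with the current time divided into 30-second steps. The following is an added example written for this article, not code from any vendor; it implements both generators with Python's standard library, a time-drift window for the "out of sync" case, a look-ahead and replay check for the event-based case, and local seed generation so the seed never leaves your own system. The 20-byte seed used in the demonstration is the published test secret from the RFCs, so the values it produces can be checked against the RFC test vectors.

```python
import hashlib
import hmac
import secrets
import struct

# Published test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_TEST_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian
    counter, then dynamic truncation to the requested number of digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter set to the number of
    `step`-second intervals since the Unix epoch."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current time step or up to `window` steps either
    side, which tolerates a token whose clock has drifted slightly.
    compare_digest keeps the comparison constant-time."""
    base = unix_time // step
    return any(hmac.compare_digest(hotp(seed, base + d, len(code)), code)
               for d in range(-window, window + 1))


def verify_hotp(seed: bytes, code: str, last_counter: int, look_ahead: int = 5):
    """Event-based verification. The server remembers the last counter it
    accepted and tries the next `look_ahead` values, so a few button presses
    that never reached the server do not lock the user out. Counters at or
    below `last_counter` are never retried, so a used code cannot be replayed.
    Returns the counter to store on success, or None on failure."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(seed, c, len(code)), code):
            return c
    return None


def generate_seed(length: int = 20) -> bytes:
    """Generate a token seed locally from the OS CSPRNG. A seed produced here
    is known only to this system; anyone else holding it could run hotp()
    and produce identical codes, which is exactly the compromise risk above."""
    return secrets.token_bytes(length)


if __name__ == "__main__":
    # Constructed walk-through using the RFC test secret.
    print("HOTP counter 0..2:", [hotp(RFC_TEST_SEED, c) for c in range(3)])
    print("TOTP at t=59 (8 digits):", totp(RFC_TEST_SEED, 59, digits=8))
    print("drifted by one step still accepted:",
          verify_totp(RFC_TEST_SEED, totp(RFC_TEST_SEED, 59), 89))
    print("replayed HOTP code rejected:",
          verify_hotp(RFC_TEST_SEED, hotp(RFC_TEST_SEED, 1), last_counter=1))
    print("fresh seed:", generate_seed().hex())
```

The `window` and `look_ahead` parameters are the knobs a deployment tunes: a wider window hides more clock drift but gives an attacker more valid codes at any instant, and a larger look-ahead survives more unsynchronised button presses at the same cost, so both are kept small.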
Authentication Methods?
Most solutions support RADIUS; some support Windows logon; some support integration with OWA, SharePoint, IIS and Apache; some support Citrix; and occasionally SAML is supported.
You don't want to be limited in what you can authenticate with, but want a solution that supports standards such as SAML, as these will be used more and more as cloud application usage increases.
Longevity?
With so many new start-ups and small organisations now around, and the largest two-factor authentication vendor having been compromised, it is difficult to know who to trust!
We want a vendor with a good security history, but with the foresight to innovate, develop and implement solutions for the future.
Cryptocard
Offering a cost-effective solution with a large variety of tokens, the ability to choose either a cloud-based or on-premise platform, an easy-to-use interface, either time-based or event-based tokens, the ability to populate the tokens with your own seed, and support for a large number of applications and standards, from a company that has been around for over 21 years, makes Cryptocard the solution that should be considered first.