Saturday, September 11, 2010      


Article received from Doron Cohen,
CISSP, Aladdin Knowledge Systems Ltd


THE PEOPLE FACTOR OF STRONG AUTHENTICATION

Dragging Heels Out Of The 20th Century

My professional life as an employee presents interesting challenges when it comes to accessing resources and applications.  For example, I need to carry around a large amount of gear as a mobile worker, whether the traditional cell phone and laptop that I use on a daily basis or my physical access card, which is my key to get into the office building and floor, or my token that provides remote access authentication or even a USB drive to share and move documents around.  I believe I am not alone in this situation and that many others are in a similar position.


When I do access the business network, application access can get complex. The number of passwords and login credentials I need to use has already reached what most people would consider unmanageable: it simply is not possible for most of us to use passwords effectively for dozens of services, applications and websites.


Furthermore, regulations and security practices are driving IT to establish policies for secure passwords, i.e. complex ones, which make memorizing them all even more difficult. Nevertheless, such policies do not always deliver the strength they promise. Most of us would agree that selecting “password” as your password is not secure, and indeed most password quality checkers will block it. However, how strong would you consider “Password1” to be? The Microsoft password quality checker can give some interesting results. Try it out at https://www.microsoft.com/protect/yourself/password/checker.mspx ...
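To make the “Password1” point concrete, here is an added example (not part of the original article, and not Aladdin's or Microsoft's checker) that runs a password through two checks side by side: a constructed complexity policy of the usual "8+ characters, three of four character classes" kind, and a denylist lookup that first strips the capital letter, digit suffix and look-alike substitutions users add to satisfy such policies. The denylist, the leet table and the sample passwords are all constructed for the example; a real deployment would substitute a breached-password list of millions of entries.

```python
import math
import re

# Constructed example policy: the common "8+ characters, three of four character
# classes" complexity rule that "Password1" satisfies.
MIN_LENGTH = 8
REQUIRED_CLASSES = 3

# Constructed denylist of base words; a real deployment would use a breached-password
# list with millions of entries instead of a handful of words.
COMMON_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "admin",
                     "summer", "winter", "monkey"}

# Frequently used look-alike substitutions, undone before the denylist lookup.
LEET_TABLE = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                            "7": "t", "@": "a", "$": "s", "!": "i"})


def character_classes(pw: str) -> int:
    """Count how many of the four classes (lower, upper, digit, symbol) the password uses."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, pw))


def meets_complexity_policy(pw: str) -> bool:
    """The naive policy check: long enough and enough character classes."""
    return len(pw) >= MIN_LENGTH and character_classes(pw) >= REQUIRED_CLASSES


def base_word(pw: str) -> str:
    """Reduce a password to the dictionary word it is built on: lowercase it,
    drop a trailing run of digits/symbols, then undo leet substitutions."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    return core.translate(LEET_TABLE)


def is_predictable(pw: str) -> bool:
    """True when the password is a denylisted word plus the usual capitalization,
    suffix or leet tweaks that complexity policies push users towards."""
    return base_word(pw) in COMMON_BASE_WORDS


def naive_entropy_bits(pw: str) -> float:
    """Upper-bound entropy assuming every character was picked uniformly from its pool.
    This is what a complexity policy implicitly measures, and why it over-rates
    'Password1' (about 53.6 bits by this count, far less in practice)."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33  # printable ASCII symbols
    return len(pw) * math.log2(pool) if pool else 0.0


def assess(pw: str) -> dict:
    """Combine both checks into one verdict a registration form could act on."""
    policy_ok = meets_complexity_policy(pw)
    predictable = is_predictable(pw)
    if not policy_ok:
        verdict = "rejected by complexity policy"
    elif predictable:
        verdict = "passes policy but is a predictable pattern"
    else:
        verdict = "passes policy and denylist"
    return {
        "policy_ok": policy_ok,
        "predictable": predictable,
        "naive_bits": round(naive_entropy_bits(pw), 1),
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed sample passwords: the two from the article plus a leet variant
    # and a random-looking one that survives both checks.
    for candidate in ("password", "Password1", "P@ssw0rd!", "k7#Qz2!wLp9"):
        print(f"{candidate!r:16} -> {assess(candidate)}")
```

Running it shows the gap the article describes: “password” is rejected by the policy, but “Password1” and “P@ssw0rd!” sail through it while reducing to the same denylisted base word. The denylist lookup, not the class count, is what separates them from the random-looking fourth candidate.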


The reality is that, while everyone knows that sticking your password on your monitor or under the keyboard is not safe practice, many choose to do just that.  Not because they are unreasonable – but rather because most of us just want to do our job and be effective rather than deal with forgetting and replacing passwords.


So, it is quite obvious that the way people are used to authenticating to networks and online services needs improving, not just on the security side, but also in ease of use and usability. In many cases, the proposed solution would be multifactor authentication that involves a smart token with certificate and PKI technology or One-Time Password (OTP) technology. Indeed, getting into a strong authentication initiative reveals the need for effective security that is easy to use.


Resistance to using multifactor authentication may often be associated with various concerns:

- Portability - does strong authentication require that I have another device I must carry around?

- Resilience - how durable is my device? What will happen if I leave it in my pocket for a spin in the washing machine?

- Productivity - will the authentication device replace all my passwords? How will the authentication solution improve productivity?


A critical success factor in any authentication project is therefore the cooperation of the people involved. One thing to keep in mind regarding secure authentication misuse is the creativity of the employee who placed his OTP token in front of a webcam so that he would not have to worry anymore about carrying the token but could still access it from everywhere.  Convenient – possibly, but doesn’t that defeat the purpose of having multifactor authentication via an OTP token in the first place?


At the end of the day, I believe it all boils down to a very simple factor: in order for security and authentication technology to be effective, it must be simple to use and support end-user productivity and day-to-day patterns of use.


Fortunately, there are several advancements in the authentication market that support the simplification of the end-user experience while maintaining and improving security. Today, more and more solutions are available that support the consolidation of authentication devices - providing increased security functionality in a single device:

- Integrated physical access via an embedded proximity coil, combined with a smart token or smartcard for logical access, eliminates one authentication device and at the same time increases security, since users need the integrated token simply to enter or leave the building.

- Hybrid USB tokens - authentication tokens integrated with a flash memory USB drive enable employees to have a multi-use device that acts both as a thumb drive and as a security device.

- Mobile phone software for authentication enables employees to use their mobile phones as multi-factor devices, therefore reducing the number of devices needed.

In addition to the unification of devices, simplifying user login to multiple systems can greatly improve the user experience. Enterprise Single-Sign-On (ESSO) solutions are available today that store user passwords and credentials on a smart token and give the user seamless access to multiple applications and services. Such systems enable employees to use a single token and password for all logical access. Not only can the employee use the same token for secure remote access outside the office and physical access in the office, but it also becomes the ultimate logical authentication solution. The user no longer needs to remember many passwords and enjoys the mobility and security of passwords and credentials cached on a secure smart token.


In conclusion, success in strong authentication initiatives can be significantly enhanced with attention to usability and ease of use, resulting in superior security and end-user productivity compared to legacy password-based authentication. Today, more than ever before, it is possible to achieve these goals with modern multi-use authentication devices and integrated single-sign-on solutions. Let’s make the people factor a top consideration in the journey for secure authentication.