Case Studies

The Password Factor

SMBs say two-factor authentication increases security with the least inconvenience to end users.
This story appears in the December 2008 issue of BizTech Magazine.

 


Photo: Shane van Boxtel
Matt Jennings of accountancy Virchow Krause says two- factor authentication makes it significantly more difficult for would-be attackers to access the company's network.

Your birthday? No. Your children’s names? No. Your favorite sports team? Maybe. Face it: Passwords that are easy to remember are easy to guess.

“But when passwords get complex, people write them down, which is worse,” points out Matt Jennings, senior IT manager with Virchow Krause, a leading CPA and consulting firm with offices throughout the Midwest. That’s why Jennings, like many other data security professionals, no longer relies on them.

Jennings recently deployed technology known as two-factor authentication, which makes users pass a two-step process to access a network, using something they know and something they have.

The something they know is usually a static four-digit personal identification number (PIN), and the something they have is tangible, such as a bankcard, portable USB drive, PDA or mobile phone. Think of it as an ATM card that lets users access the corporate website.

That thought is appealing to network administrators trying to balance security with ease of use: Worldwide sales of two-factor authentication products are expected to nearly double, to $764 million in 2009 from $492 million in 2005, according to IDC.

For Jennings, making the switch to two-factor authentication was obvious. Regardless of how aggressive his company became in requiring more complex passwords, he believed the intrinsic weakness of password protection was still a major concern.

Why? The human factor, says Jennings. “The younger people were better at remembering multiple passwords,” he says. “But a lot of the [staff] ends up writing down their passwords.”

That’s a problem, given Virchow Krause’s workforce of 1,300 employees, many of whom often work on the road.

Passwords can be lost not only to memory but also to cybercriminals who crack them before installing rootkits and other malware on computer hard drives. Symantec reports that during the second half of 2007, the primary cause of data breaches that could lead to identity theft was the theft or loss of a computer or other device on which data is stored or transmitted, such as a USB key or a backup medium.

That’s why adding hardware into the security mix — in Virchow Krause’s case, Gemalto’s Protiva .Net Dual token — is so important to Jennings.

“We felt that switching to a two-factor mechanism greatly increased our protection in this area with the least inconvenience to our end users,” he says.

Secure Tokens

Two-factor authentication products, including those from Gemalto and competitors Secure Computing and RSA, require remote workers to carry either a hardware or software “token.”

Typically, hardware tokens come in the form of a key fob or a “smart card” the size of a credit card that contains a microchip. To gain access to a system or network, a user enters a PIN into the token, which then generates a random one-time password that is valid for 60 seconds or less. This makes it all but impossible for anyone to penetrate the system by stealing or hacking a static password. Software tokens use the same password algorithms, but conduct the calculations using software downloaded on the user’s PDA or phone.

Almost always, one-time-password schemes are combined with directory services, notably Microsoft Active Directory, used by administrators to assign policies, deploy software and apply critical updates to an enterprise. They are also used frequently with software-based authentication mechanisms, such as digital certificates. Digital certificates are electronic “credit cards” that establish user credentials when doing business or other transactions on the web.

Which of the following best characterizes your company's use of two-factor authentication?

15% We have deployed the technology.
28% I am not familiar with two-factor authentication.
34% We have no plans to deploy.
14% We are currently evaluating.
6% Don't know
3% We are in the process of deploying.

Source: 577 BizTech readers

The Gemalto Protiva .Net Dual token that Virchow Krause chose is a hardware device that can be used two ways. When inserted in a USB port, it works like a smart card, using digital certificates for network authentication. When the device cannot be connected, for example, at an airport Internet kiosk, the user can push a button and a one-time password is displayed on the token’s tiny LED screen that can then be manually typed into the computer or kiosk keyboard.

That combination of ease-of-use and tight security helps Virchow Krause’s financial and health-care clients meet their regulatory obligations.

“Every day we work with confidential client information that involves accounting and financial reporting, and information on mergers, acquisitions and private investment banking,” Jennings says.

First Steps

Similar regulatory compliance concerns prompted Priority Health, an insurer that employs 1,000 people in Michigan’s Lower Peninsula, to switch from simple password protection to two-factor authentication in 2004. In fact, two-factor authentication is the first step the U.S. Department of Health and Human Services recommends health-care businesses take to comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations that govern the protection of personal health information.

Priority Health now uses RSA’s SecurID hardware token to add an additional level of security to the virtual private networks (VPNs) it creates.

“To address the issue fully, each staff member who is approved for remote access is given a unique user ID and issued a token,” says Paul Melson, information security officer at Priority Health.

Priority Health ran a pilot of certificate-based authentication for smartphone VPN clients, says Melson. “While the technology works fine, we have no plans to expand the use of certificates at this time.”

Catalyst Repository Systems, a provider of electronic-discovery and document-processing services based in Denver, offers its clientele a choice of two-factor authentication tools that include Secure Computing’s SafeWord software and hardware tokens.

“We host large volumes of data for corporations, law firms and insurers, and some of them use the secure tokens,” says John Tredennick, Catalyst’s CEO. “They have worked well, are no problem to support and seem to do the job.”

Just how much tighter is security with two-factor authentication? That’s difficult to measure, say Jennings, Melson, and Tredennick because none of their companies suffered a security breach before moving to the technology.

“I can’t give definitive proof that it has thwarted any attacks, but I can definitively say that the fact that all network and remote logons require two-factor authentications makes it significantly more difficult for a would-be attacker to gain access,” says Jennings.

Sign up for our e-newsletter

Security

Heartbleed: What Should Your... |
One of the biggest security vulnerabilities has almost every user and every industry...
Why Businesses Need a Next-G... |
Devices investigate patterns that could indicate malicious activity.
Review: HP TippingPoint S105... |
Next-generation firewall can easily replace a stand-alone intrusion prevention system....

Storage

The New Backup Utility Proce... |
Just getting used to the Windows 8 workflow? Prepare for a change.
How to Perform Traditional W... |
With previous versions going unused, Microsoft radically reimagined the backup utility in...
5 Easy Ways to Build a Bette... |
While large enterprises have the resources of an entire IT department behind them, these...

Infrastructure Optimization

Businesses Must Step Careful... |
Slow and steady wins the race as businesses migrate IT operations to service providers,...
Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Ensure Uptime Is in Your Dat... |
Power and cooling solutions support disaster recovery and create cost savings and...

Networking

Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
How to Maximize WAN Bandwidt... |
Understand six common problems that plague wide area networks — and how to address them.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Mobile & Wireless

Mobility: A Foundational Pie... |
Other technologies rely on mobile computing, which has the power to change lives, Lextech...
Now that Office for iPad Is... |
After waiting awhile for Microsoft’s productivity suite to arrive, professionals who use...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.

Hardware & Software

Review: HP TippingPoint S105... |
Next-generation firewall can easily replace a stand-alone intrusion prevention system....
New Challenges in Software M... |
IT trends such as cloud, virtualization and BYOD pose serious hurdles for software...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.