The Password Factor
Your birthday? No. Your children’s names? No. Your favorite sports team? Maybe. Face it: Passwords that are easy to remember are easy to guess.
“But when passwords get complex, people write them down, which is worse,” points out Matt Jennings, senior IT manager with Virchow Krause, a leading CPA and consulting firm with offices throughout the Midwest. That’s why Jennings, like many other data security professionals, no longer relies on them.
Jennings recently deployed technology known as two-factor authentication, which makes users pass a two-step process to access a network, using something they know and something they have.
The something they know is usually a static four-digit personal identification number (PIN), and the something they have is tangible, such as a bankcard, portable USB drive, PDA or mobile phone. Think of it as an ATM card that lets users access the corporate website.
That thought is appealing to network administrators trying to balance security with ease of use: Worldwide sales of two-factor authentication products are expected to nearly double, to $764 million in 2009 from $492 million in 2005, according to IDC.
For Jennings, making the switch to two-factor authentication was obvious. Regardless of how aggressive his company became in requiring more complex passwords, he believed the intrinsic weakness of password protection was still a major concern.
Why? The human factor, says Jennings. “The younger people were better at remembering multiple passwords,” he says. “But a lot of the [staff] ends up writing down their passwords.”
That’s a problem, given Virchow Krause’s workforce of 1,300 employees, many of whom often work on the road.
Passwords can be lost not only to memory but also to cybercriminals who crack them before installing rootkits and other malware on computer hard drives. Symantec reports that during the second half of 2007, the primary cause of data breaches that could lead to identity theft was the theft or loss of a computer or other device on which data is stored or transmitted, such as a USB key or a backup medium.
That’s why adding hardware into the security mix — in Virchow Krause’s case, Gemalto’s Protiva .Net Dual token — is so important to Jennings.
“We felt that switching to a two-factor mechanism greatly increased our protection in this area with the least inconvenience to our end users,” he says.
Typically, hardware tokens come in the form of a key fob or a “smart card” the size of a credit card that contains a microchip. To gain access to a system or network, a user enters a PIN into the token, which then generates a random one-time password that is valid for 60 seconds or less. This makes it all but impossible for anyone to penetrate the system by stealing or hacking a static password. Software tokens use the same password algorithms, but conduct the calculations using software downloaded on the user’s PDA or phone.
Almost always, one-time-password schemes are combined with directory services, notably Microsoft Active Directory, used by administrators to assign policies, deploy software and apply critical updates to an enterprise. They are also used frequently with software-based authentication mechanisms, such as digital certificates. Digital certificates are electronic “credit cards” that establish user credentials when doing business or other transactions on the web.
Which of the following best characterizes your company's use of two-factor authentication?
15% We have deployed the technology.
28% I am not familiar with two-factor authentication.
34% We have no plans to deploy.
14% We are currently evaluating.
6% Don't know
3% We are in the process of deploying.
Source: 577 BizTech readers
The Gemalto Protiva .Net Dual token that Virchow Krause chose is a hardware device that can be used two ways. When inserted in a USB port, it works like a smart card, using digital certificates for network authentication. When the device cannot be connected, for example, at an airport Internet kiosk, the user can push a button and a one-time password is displayed on the token’s tiny LED screen that can then be manually typed into the computer or kiosk keyboard.
That combination of ease-of-use and tight security helps Virchow Krause’s financial and health-care clients meet their regulatory obligations.
“Every day we work with confidential client information that involves accounting and financial reporting, and information on mergers, acquisitions and private investment banking,” Jennings says.
Similar regulatory compliance concerns prompted Priority Health, an insurer that employs 1,000 people in Michigan’s Lower Peninsula, to switch from simple password protection to two-factor authentication in 2004. In fact, two-factor authentication is the first step the U.S. Department of Health and Human Services recommends health-care businesses take to comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations that govern the protection of personal health information.
Priority Health now uses RSA’s SecurID hardware token to add an additional level of security to the virtual private networks (VPNs) it creates.
“To address the issue fully, each staff member who is approved for remote access is given a unique user ID and issued a token,” says Paul Melson, information security officer at Priority Health.
Priority Health ran a pilot of certificate-based authentication for smartphone VPN clients, says Melson. “While the technology works fine, we have no plans to expand the use of certificates at this time.”
Catalyst Repository Systems, a provider of electronic-discovery and document-processing services based in Denver, offers its clientele a choice of two-factor authentication tools that include Secure Computing’s SafeWord software and hardware tokens.
“We host large volumes of data for corporations, law firms and insurers, and some of them use the secure tokens,” says John Tredennick, Catalyst’s CEO. “They have worked well, are no problem to support and seem to do the job.”
Just how much tighter is security with two-factor authentication? That’s difficult to measure, say Jennings, Melson, and Tredennick because none of their companies suffered a security breach before moving to the technology.
“I can’t give definitive proof that it has thwarted any attacks, but I can definitively say that the fact that all network and remote logons require two-factor authentications makes it significantly more difficult for a would-be attacker to gain access,” says Jennings.
Form factor. Choosing whether your security token is downloaded to your BlackBerry or delivered using a USB thumb drive or a microchip embedded in a smart card is no trivial matter. Are your employees more likely to use or lose something attached to their keys? Will you need more memory on the device to store other data, such as digital certificates? Are you comfortable using software tokens that can be used on only one device?
Provisioning and cost. How widely do you want to distribute tokens? Should they be given only to employees, or should contractors get them as well, with limitations as to what sites they can access on the corporate network? Creating custom access profiles for those who need only limited access costs your company time and money. Also, consider the cost of licensing and technical support once those users come online.
Compatibility. Do you want your remote workers and contractors to have access to your applications? Then you need to be sure that the two-factor authenticators do more than just get them through the network’s front door. Be sure your authenticator is compatible with your VPN, web-based applications, corporate e-mail and other internal destinations.