What level of authentication is needed?

Readers of Infosecurity know the fragilities of ‘password only’ systems. You will be sad to hear that the Business, Enterprise and Regulatory Reform (BERR) department of the UK Government found in its 2008 Information Security Breaches Survey that, although the use of strong (i.e. multi-factor) authentication has nearly doubled since 2006, only 14% of companies use such techniques.

"Authentication is still underused, under-applied and under-structured. The bulk of the market relies on static passwords that fall into two categories: The people that care, who change them regularly, and the people that don't," says Ian Kilpatrick, chairman of Wick Hill Group, specialists in secure infrastructure solutions.

But as Kilpatrick explains, caring about passwords does not necessarily make you more secure. It can lead to the familiar post-it note scenario, where passwords are plastered to servers and desktops on little yellow stickers.

A better password

Legitimate concern about such risks has created an industry in authentication technologies, from obscured CAPTCHAs (challenge-response tests used to ensure that the response is not generated by a computer) to grid and picture translators, smart cards and biometrics. Gary Wood, research consultant at the Information Security Forum (ISF), says the choice of authentication technology is often driven more by a company's particular operating scenario than by perceived security.


"It's all about context and it's all about where these access mechanisms are going to be used. If you have an extranet you want to be accessed from anywhere then you probably want to use a different authentication mechanism to an extranet that can only be accessed from fully managed laptops that you provide to the individuals. On a fully managed laptop, you will know there is malware protection software, you know what version of OS it's running, what patches are installed," says Wood.

User profiles are also important. Howard Bashford, CEO at social networking site Finer Day, explains the site's use of a pattern translation technology from GrIDsure. Finer Day aims to attract family members with a huge range of computer skills, he explains. "A number of our users haven't used technology before and they have never used passwords."

Bashford deliberately sourced an authentication technology that was both secure and not intimidating to either young children or adults with little internet experience. "We don't need to follow any protocol except ease of use. We don't want to make this too complex. It's four digits, very easy for a younger person to use, very easy for an older person to use and it's refreshingly different for a person having to remember 15 passwords for 15 different websites."

GrIDsure requires the user to remember a simple pattern on a grid of squares, such as the shape of a cross or a heart. When a matching grid of numbers is presented at log-in, the user types in the numbers that fall on the squares of their chosen shape.
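To make the pattern-translation step concrete, here is an added example (not GrIDsure's own code, and not from the article) of the server and user sides of such a scheme. It assumes a 5x5 grid of random digits issued once per log-in attempt and a pattern stored server-side as an ordered list of cells; the four-cell diagonal pattern and the grid dimensions are constructed for illustration. Each grid is consumed by the first answer checked against it, which is what makes the typed digits a one-time value even though the pattern itself never changes.

```python
import secrets

GRID_SIZE = 5  # assumed: the article does not give GrIDsure's real grid dimensions


def new_challenge_grid(size=GRID_SIZE):
    """Server side: a fresh grid of random digits, generated for one log-in attempt."""
    return [[secrets.randbelow(10) for _ in range(size)] for _ in range(size)]


def response_for_pattern(grid, pattern):
    """User side: read off the digits sitting on the remembered cells, in pattern order."""
    return "".join(str(grid[row][col]) for row, col in pattern)


def verify_response(grid, pattern, submitted):
    """Server side: recompute the expected digits from the stored pattern and the issued grid."""
    if not submitted.isascii():
        return False
    expected = response_for_pattern(grid, pattern)
    return secrets.compare_digest(expected, submitted)


def issue_challenge(sessions, session_id):
    """Store the grid against the log-in session so the answer is checked against that grid only."""
    grid = new_challenge_grid()
    sessions[session_id] = grid
    return grid


def check_login(sessions, session_id, pattern, submitted):
    """Consume the session's grid whether or not the attempt succeeds: one grid, one answer."""
    grid = sessions.pop(session_id, None)
    if grid is None:
        return False
    return verify_response(grid, pattern, submitted)


def render_grid(grid):
    """Text rendering of the grid as the user would see it."""
    return "\n".join(" ".join(str(d) for d in row) for row in grid)


if __name__ == "__main__":
    # Constructed example: a diagonal of four cells, giving a four-digit response
    pattern = [(0, 0), (1, 1), (2, 2), (3, 3)]
    sessions = {}
    grid = issue_challenge(sessions, "session-1")
    print(render_grid(grid))
    answer = response_for_pattern(grid, pattern)
    print("user types:", answer)
    print("accepted:", check_login(sessions, "session-1", pattern, answer))
    # Second attempt with the same answer: the grid has already been consumed
    print("replayed answer accepted:", check_login(sessions, "session-1", pattern, answer))
```

Note that the server stores the pattern in clear form in order to recompute the expected digits, so the pattern store needs the same protection as a password database, and the single secret remains the pattern: anyone who learns it can answer any future grid.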

"For older women, who have followed knitting patterns, they actually find the pattern very easy to use," he adds.

Two Factor

Picture or pattern translations are a clever way of creating one-time passwords based on something the user knows. Bashford explains that Finer Day houses family-specific information, not banking or credit card details, and therefore he did not entertain stronger authentication or consider rolling out smart cards to his users.

Yet it remains the case that if you know somebody's pattern, or password, even with a translation step, the system is wide open. That is not the case with a genuine two-factor solution, i.e. something you know and something you have. The something you have is often called a token.


"We split tokens up into three different types," says the ISF's Wood. "Software based tokens, hardware based where there is some kind of changing code, and the third type is smart cards. These are separate from other hardware tokens because there is a computer on the chip with its own processor and it can perform calculations," he explains.

"The more complex smart cards have cryptographic steps on them. When they are powered up, the system sends data to the card, the card performs some operation and sends the answer back. The secrets are kept on the card," explains Wood.
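The exchange Wood describes, as an added example that is not part of the article and not any vendor's code: the host sends random data, the card computes a keyed answer, and only the answer travels back. The card is simulated by a Python object whose key no method returns. The example assumes a symmetric HMAC-SHA256 operation so that it runs on the standard library alone; real cards commonly hold an asymmetric private key and the host keeps only the matching public key, which is a stronger form of "the secrets are kept on the card". Card identifiers and keys are constructed.

```python
import hashlib
import hmac
import secrets


class SimulatedSmartCard:
    """Stands in for the card: the key lives here and is only ever used to answer challenges."""

    def __init__(self, card_id, key):
        self.card_id = card_id
        self._key = key  # never leaves the card object; no method returns it

    def respond(self, challenge):
        # The "operation" the article describes: a keyed computation over the host's data
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class CardVerifier:
    """Host side: holds enrolled card keys, issues one challenge per attempt, checks the answer."""

    def __init__(self):
        self._keys = {}
        self._outstanding = {}  # card_id -> challenge awaiting an answer

    def enrol(self, card_id, key):
        self._keys[card_id] = key

    def challenge(self, card_id):
        # 16 random bytes: an answer is only valid for this one challenge
        nonce = secrets.token_bytes(16)
        self._outstanding[card_id] = nonce
        return nonce

    def check(self, card_id, response):
        nonce = self._outstanding.pop(card_id, None)  # consumed on first use
        key = self._keys.get(card_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def authenticate(verifier, card):
    """One full exchange: host -> challenge -> card -> response -> host."""
    nonce = verifier.challenge(card.card_id)
    return verifier.check(card.card_id, card.respond(nonce))


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed at enrolment; shared with the host in this symmetric variant
    verifier = CardVerifier()
    verifier.enrol("card-0001", key)
    print("genuine card:", authenticate(verifier, SimulatedSmartCard("card-0001", key)))
    print("card with a different key:",
          authenticate(verifier, SimulatedSmartCard("card-0001", secrets.token_bytes(32))))
```

Because each challenge is consumed when checked, a recorded challenge and answer cannot be submitted a second time, and an answer to a different challenge proves nothing; the only way to pass is to compute the answer with the key, which is why physical possession of the card is what the protocol establishes.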

Choice over which authentication token to implement is again driven by context. "A lot of focus at the moment is on improving security in and around mobile devices," says Andy Kellet, senior research analyst at research provider Butler Group.

Given that mobile workers will mostly have mobile phones, Kellet explains how an authentication token – in the form of a text message – can be sent to the phone for a one-time log-on. "People are looking a lot more flexibly at how you achieve two factor authentication," he says. "The drivers tend to be larger numbers of people working away from the office, the need to supply more security to the mobile community."

In the same way that mobile phones are ubiquitous, people are also used to carrying payment cards. Two factor authentication based on smart cards is therefore growing in popularity. "They're secure, they're easy to use, people recognise them and protect them reasonably well," explains Wood.

"You can do a lot of clever things with them," he adds. "Organisations are looking at merging their physical and logical security. You can use it [a smart card] to access buildings as well as systems."

Token control protects law firm’s reputation

Celena Ho, IT manager at law firm Hodge Jones & Allen, is responsible for the security of sensitive client information. She must maintain user access to applications from office and mobile workstations, and from external individuals providing secretarial services.

With the escalating demand for home working, Ho found managing access, patching and policy enforcement increasingly onerous. A hosted two-factor authentication service from Cambridge-based Signify offered considerable convenience and increased security.

Users are issued with a small RSA SecurID token that produces a unique one-time passcode (OTP) every 60 seconds. "They enter a user name and network password, then they have to key in their code and PIN number from the Signify token, which is the size of a key fob," explains Ho. Ho has suffered few teething troubles, and users have accepted the two-factor mechanism without complaint. "I have had a short learning curve for myself, since I register all the users and issue the tokens to the users. But they log in without any problems," she says.
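The time-synchronised token Ho describes can be illustrated with the open HOTP/TOTP algorithms (RFC 4226 and RFC 6238); this is an added example, not the article's or Signify's code, and not RSA's proprietary SecurID algorithm. It assumes a 60-second step to match the article's description, a passcode formed as the user's PIN followed by the six-digit tokencode, and a one-step clock drift allowance on the server. The demo secret is the published RFC test-vector key; a real token's seed is provisioned per device.

```python
import hashlib
import hmac
import struct
import time

TOKEN_STEP_SECONDS = 60  # assumed 60-second window, matching the article's description


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=TOKEN_STEP_SECONDS, digits=6):
    """TOTP (RFC 6238): the HOTP counter is the number of whole steps since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_passcode(secret, pin, submitted, at_time, state,
                    step=TOKEN_STEP_SECONDS, drift_steps=1, digits=6):
    """Server-side check of PIN + tokencode.

    `state` is a per-user dict carrying the last counter that was accepted, so a passcode that
    was already used (or one older than the last accepted one) is refused even inside the drift
    window. `drift_steps` lets the token clock and server clock disagree by one step either way.
    """
    if not submitted.isascii():
        return False
    counter_now = int(at_time) // step
    for delta in range(-drift_steps, drift_steps + 1):
        counter = counter_now + delta
        if counter <= state.get("last_counter", -1):
            continue  # replay, or older than something already accepted
        expected = pin + hotp(secret, counter, digits)
        if hmac.compare_digest(expected, submitted):
            state["last_counter"] = counter
            return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226/6238 test-vector secret, constructed for the demo
    pin = "1234"                      # constructed
    now = time.time()
    passcode = pin + totp(secret, now)
    state = {}
    print("token shows:", totp(secret, now))
    print("first use accepted:", verify_passcode(secret, pin, passcode, now, state))
    print("same passcode again:", verify_passcode(secret, pin, passcode, now + 5, state))
```

The replay check matters because a 60-second window is long enough for a passcode read over someone's shoulder to be reused; recording the last accepted counter closes that gap without shortening the window.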

Merging physical and logical access in this way also brings user location into the authentication mix, which can provide an additional factor. "One of our members said, 'It's important to know where someone's not as much as where they are'," reports Wood. "If you know they are not in the office, you can shut off access to your systems."

An inside job

But for all the smarts, the wolf may already be in the building. "There is an underlying reality, that in the 20 years I've cared about securing access to computer systems, the numbers are remarkably steady: about 60-75% of all inappropriate activity is carried out by staff, or people that have systems access through staff," says Wick Hill's Kilpatrick.

He believes you could buy an identity in the Government's biometric schemes, for a £2000 payment in the first instance and then considerably less after that. The task of setting up each identity is "delegated to low grade individuals. I would pay somebody who had systems access, to create another record."

Therefore, authentication does not end at log-in. Even tighter access control can pay dividends where the benefits justify the cost. "It's a combination of how you authenticate people and how you protect the information that they then get access to," says Kellet. "You might accept the identity of the person involved, but you also want to know about the security of the machine. You need to check on patch updates, anti-virus levels, configuration etc."

It is for this reason perhaps that Gartner predicts 100% growth for network access control (NAC) in 2009 (from their market scope for NAC, first quarter 2008). NAC combines solutions for identity management, endpoint compliance and policy enforcement in one package, often an appliance.

CTO and founder of NAC vendor Bradford Networks, Frank Andrews, says "The relentless growth of mobile users and people in motion continues to make solving the [security] problems more important."

With the growth of NAC, Andrews expects a trend away from strict device specification towards central control and policy enforcement as the device connects. "Many organisations are forming more relaxed policies that allow use of personal machines at home. Enterprises are saying, 'I'm not even going to try and define, purchase, issue and maintain corporate owned devices anymore; it's a losing battle, it changes too fast. We'll give each employee £500 credit to buy their own device. We don't care.'"

Organisations must make their own risk assessments and technology decisions based on their particular circumstances. A single four-character password will forever remain convenient, but is not secure enough for banking. Fingerprints may be good for clerical workers, but a building firm would have trouble keeping cement off the scanners, and two-factor authentication will never succeed at a nudist camp. Authentication must always be a mixed bag of techniques.
