February 2002
Computer Systems Security in an Internet Age
Authentication Beyond Passwords

Although passwords are the most common form of protecting access to systems, password security is far from the strongest means of establishing identity. The reasons are obvious: passwords are easy to snoop by looking over a user's shoulder while they are logging in; passwords are often easy to guess if you know the user personally; and they are often easy to crack by applying readily available tools.

The next level in establishing identity, beyond basic passwords, is called strong authentication. Basic authentication (password security) is like saying you are someone and showing a business card to prove it. Strong authentication is like showing a passport or a driver's license with a photograph, making it much harder to impersonate someone. Strong authentication comprises something that you know (a user ID and password) and something that you possess to prove you are who you say you are. Probably the most familiar example is your bank card: your PIN (personal identification number) code is the thing you know, while the card is the thing you possess.

One method of strong authentication comprises a token (a device that each user carries with them) and a server. The server and token are synchronized to generate a number that changes every 60 seconds, based on a mathematical formula. Because the token and the server agree on that number, the user can log in with his or her user ID and a passcode. The passcode combines a personal PIN code with the changing number that is generated every 60 seconds and appears on a small liquid-crystal display (LCD) screen on the token. The system the user is logging into passes the log-in request to the authentication server, which either approves or denies it.

This is far from the only means of strong authentication available. Another form is digital certificates. These are special computer files that contain information specific to you and vouch for your identity. They are often used as a means to encrypt or decrypt data, since establishing identity is a critical part of determining whether encrypting or decrypting data is safe. In this case, the certificate becomes something you possess and take with you to establish identity. One of the problems with digital certificates is managing them: how do you generate them for users when they are needed, how do you move them from system to system, how do you control expiration and renewal, and so on. To address these concerns, vendors have created Public Key Infrastructure (PKI) software to manage the certificates and the processes. Microsoft and Novell include their PKI server software for free in Windows 2000 Server and NetWare 5 and 6, respectively, but other vendors offer PKI software that you can purchase, with more elaborate features and capabilities. Digital certificates can be stored on your computer or on smart cards that can establish your identity for your computer systems, plus perform other functions (for example, authenticating building access and serving as an employee ID badge). We are starting to see digital certificates stored on specialized tokens that connect to your computer, often through the USB (Universal Serial Bus) port that most current computer systems have, to establish identity. Regardless of the form, the concept behind these products remains largely the same.

Another area where technology for authentication is becoming more reliable and commonplace is biometrics. Since tokens and smart cards can inconvenience users (you must have the token with you to log in), what better way to eliminate this problem than by using the human body as the token? Fingerprint-reading technology has evolved the fastest, and is the most commonly accepted of these technologies. As an example, Compaq offers a fingerprint reader for roughly $100 that connects to the USB port of your computer, allowing fingerprints to replace or supplement passwords as a way of logging in. However, retinal scans and face recognition products are rapidly evolving, too, and over the next few years will be moving from science fiction to mainstream, commercially accepted solutions for business.

Multifactor authentication, sometimes referred to as graded authentication, is the logical next step in a comprehensive security system. On a typical network, there are often different assets to be protected, with different levels of importance. Therefore, the level of security can vary according to the importance of the asset. In a multifactor authentication solution, basic access to the network from inside your building might require a simple password, since it is fair to assume that if someone has building access they are a trusted resource. However, if they are connecting remotely, then you may wish to use a token, since they are connecting from the outside and you do not know who they are. Access to high-security systems containing highly sensitive information, such as a financial or accounting server or a human resources database, might require biometrics.

Neil Rosenberg is president of Quality Technology Solutions, a network integrator in South Orange, N.J., that specializes in Internet security solutions. He holds technical certifications from Novell, Microsoft and others, and is a 17-year industry veteran. He can be reached at nrosenberg@QTSnet.com.

Editor's Note: This is the sixth in a series of columns that focus on computer systems security issues and solutions. Following this column, there will be a break in the series, with the remainder to resume at a later date. The intent behind the series is to examine considerations from a business perspective, identify options to improve security, and scrutinize best practices, all in a manner that is understandable to the layperson.
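The token-and-server scheme described in the column (a number that changes every 60 seconds, combined with a PIN into one passcode) can be modelled as follows. This is an added example, not code from the column or from any token vendor: the "mathematical formula" is assumed to be an HMAC-SHA1 time counter in the style of RFC 6238, the shared secret and PIN are constructed sample values, and the server tolerates one window of clock drift so that a token whose clock has wandered slightly still works.

```python
import hashlib
import hmac
import struct
import time

TOKEN_SECRET = b"example-token-secret-0001"  # constructed sample, shared by token and server
USER_PIN = "4821"                             # constructed sample PIN (the "something you know")
STEP_SECONDS = 60                             # the column's 60-second change interval
CODE_DIGITS = 6                               # digits shown on the token's LCD
DRIFT_STEPS = 1                               # accept one window of skew either way


def token_code(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """Number displayed on the token for the 60-second window containing `now`.

    Assumed formula: HMAC-SHA1 over the window counter, truncated to
    CODE_DIGITS decimal digits (RFC 6238 style). The token and the server
    both run this, which is what keeps them "synchronized"."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def verify_passcode(passcode: str, pin: str, secret: bytes, now: float) -> bool:
    """Server-side approval of PIN + token number, i.e. both factors together.

    Rejects a passcode of the wrong shape, a wrong PIN, or a token number
    that is not the current window's (or an adjacent one within DRIFT_STEPS),
    so an old passcode seen over someone's shoulder stops working quickly."""
    if len(passcode) != len(pin) + CODE_DIGITS or not passcode.isdigit():
        return False
    submitted_pin, submitted_code = passcode[:len(pin)], passcode[len(pin):]
    if not hmac.compare_digest(submitted_pin, pin):   # constant-time compare
        return False
    for skew in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        expected = token_code(secret, now + skew * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted_code):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    shown = token_code(TOKEN_SECRET, now)
    print("token displays:", shown)
    print("current passcode accepted:",
          verify_passcode(USER_PIN + shown, USER_PIN, TOKEN_SECRET, now))
    print("same passcode three minutes later:",
          verify_passcode(USER_PIN + shown, USER_PIN, TOKEN_SECRET, now + 180))
```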
©1997 - 2009 New York State Society of Certified Public Accountants.