Two-Factor Authentication

Strengthening Authentication

Why proving a user's identity is more complicated than it seems, but 'pretty good' methods might be just right.

Strengthening Authentication"CLICK-CLICK." During the invasion of Normandy, paratroopers used toy "clickers" to identify friends from foes in the dark. One click-click was a query. An allied soldier would reply with two click-clicks. Although simple and generally effective, there was one problem: The bolt action of a German Mauser rifle sounded very much like a double click-click. Authentication— the process of proving we are who we claim to be— is much harder than it seems at first glance.

The Problem With Passwords

The basics of authentication are straightforward. You can prove your identity in three ways: something you have (for example, a key or a birth certificate), something you know (such as a password), or something you are (such as your fingerprints, used in biometric technologies). (See "It's Not All About Hackers," CT September 2005)

In the world of computers and networks, the most common form of authentication is a password. To reduce the vulnerabilities associated with password authentications, we generally require strong passwords (those that are difficult for a hacker to guess or gain by a brute-force attack), and change passwords on a regular basis. Changing passwords reduces the window of time in which damage can be done with a compromised password. Guidelines for selecting strong passwords are well known, and password management systems are widely available to ensure that passwords are changed regularly.

But wait: In order to remember a plethora of strong, frequently changing passwords, many of us write them down. Or worse, we often use the same password for everything. And in the process, we create a new, glaring vulnerability. Passwords can also be lost, or stolen via a multitude of techniques. Changing a password every three months— or even every three days— doesn't eliminate our vulnerability; it doesn't take a crook three days to empty out a bank account. Passwords will remain popular, however, because they are highly portable, easy to implement, relatively cheap, and convenient to use. And despite the potential for disaster, password security can be effective if we use strong passwords; if we keep our passwords secret; if we learn to recognize a phishing attack; if we only store our password list using an encryption scheme such as Apple's Keychain or GNU's Keyring; and if we have a bit of luck.

Two-Factor Authentication

It's indisputable: We can greatly strengthen password security by adding a second authentication factor. Because of the relatively greater cost of biometric devices, the second factor selected by educational institutions is usually "something you have." A number of "what you have" technologies have become common in business applications, and are often used in combination with a username/password (what you know) to provide true two-factor authentication.

Smart cards and USB tokens. A smart card is a creditcard- sized card with embedded integrated circuits, which can process and remember information. To authenticate, the user must swipe or physically insert the card in a special reader. Proximity authentication also can be done using radio signals. USB tokens have a similar function, but the form factor is insertion into a computer's USB port. Caveat: Smart cards and USB tokens can run $50 to $100 per employee. While $50 per person per year may seem very reasonable in a corporate environment, for an educational institution of 50,000 students, faculty, and staff, that translates to more than $2.5 million per year. Moreover, the need for mechanisms to replace lost cards quickly also presents an issue.

One-time password (OTP) device or token. An OTP device generates a temporary password that can be used to authenticate the person who holds the token. If an external intruder obtains the password by listening to network traffic, it has limited value because the correct password changes frequently. The cost of an OTP device is similar to that of a smart card. To overcome some of the management problems associated with tokens, many OTP vendors offer managed services as well.

OTP software runs on a portable device, such as a cell phone or laptop, and generates a one-time password. The incremental cost of the software is generally less than the cost of a separate dedicated device.

Wallet bingo card. In this low-tech, low-cost, OTP scheme, the user carries a piece of paper with a grid of characters. The host issues a randomized row and column challenge; the user responds with the corresponding value from the grid. Although uncommon in the US, this scheme provides the security of OTP devices at a fraction of the cost. A variation of this strategy is a scratch card containing randomly generated one-time passwords.

Though it is effective, two-factor authentication hasn't yet gained traction in higher education, for three reasons: 1) Despite recent privacy legislation and highly publicized hacker attacks, there hasn't been sufficient push for campuses to strengthen authentication, which often is perceived as running counter to education's culture of openness; 2) the cost of devices, support, replacing lost or stolen tokens, and maintaining and upgrading software can be prohibitive for colleges and universities; and 3) users often find two-factor schemes inconvenient.

Computer Identity Strategies

SecurityThere's another way to achieve two-factor authentication: computer identity strategies. With this method, the first time a user logs into a host system with a username and password, the host system "fingerprints" the user's computer. Specifically, it captures information about the user's computer (such as a serial number) that can be used in the future to determine if the login request is coming from the same machine. In this way, the computer itself becomes— to a relatively high degree of probability— "something you have," and can be used as a second factor in the authentication process. A number of schemes have been developed to remotely identify a computer:

Device characteristics. The host records characteristics of the user's computer, such as the serial number of the motherboard or the software installed on the desktop.

File authentication. The host places a web cookie or flash cookie on the user's computer, which it looks for the next time the user seeks authentication. One problem with web cookies is that many genuine users disable or regularly delete cookies. Flash cookies, on the other hand, are set through a mechanism in Macromedia's Flash Player (which is installed in most computer browsers), making them more inaccessible to user control.

An internet profile contains information such as a device's IP country, IP city, ISP, IP owner, connection type, and user agent. These data do not provide unique identifiers of a device, but can be used with other information to provide a reasonable level of authentication.

Because they depend on information gleaned from the user's computer, computer identity schemes suffer from the problem of portability. Should logins from an airport kiosk be allowed? If so, what secondary authentication is used? Moreover, all of these authentication schemes can be defeated to some degree, and provide only a probability of correct identification.

Despite recent privacy legislation and highly publicized hacker attacks, there hasn't been sufficient push for campuses to strengthen authentication.

Risk-Based Authentication

Last year, the banking industry was faced with federal requirements to provide something better than password-only authentication for online banking transactions. While some have adopted true two-factor authentication using smart cards and one-time password tokens, many have adopted what is called "multifactor" or "risk-based" authentication.

In risk-based authentication, after a user logs in with his or her user ID and password, the host system applies the computer identity strategies discussed above. That information is then subjected to a risk analysis, to develop a risk score. If the risk score is below a defined threshold, the user is granted access to the session; the threshold is selected so that most access requests are granted without further action. If the risk score exceeds the threshold, further secondary authentication is required. For example, if a user logs in using a different computer or the login location suddenly changes (for example, a user who has been in New York City for the past year suddenly logs in from Romania), secondary authentication might be requested.

Secondary authentication is commonly achieved in one of two ways: out-of-band communication, or a secret question:

Out-of-band communication consists of creating a second communication link, separate from the primary link used for the initial login. For example, when a user forgets a password, an e-mail can be sent to his or her e-mail account of record. Or, upon setting up an account, a web user can be asked to provide the host system with a cell phone number that can be called if there is a question about the authenticity of a subsequent web session.

Secret question. In this scheme, a first-time user is asked to answer several questions from a list provided by the host. The answers to those questions can then be used for subsequent secondary identification. One caveat: If you make the question too obscure, people won't remember the answer, but if the question is too common (for example, What is your mother's maiden name?), phishers will seek to log it along with username and password. Some organizations have gone so far as to engage psychologists to develop effective questions.

'Pretty Good' Authentication

In many ways, risk-based authentication schemes can be regarded as "pretty good" authentication, a term reminiscent of Phil Zimmermann's PGP (pretty good privacy) encryption software, created 16 years ago as a low-cost (initially nocost), now ubiquitous e-mail encryption method. While not as strong as true two-factor authentication, these techniques are more effective than one-factor authentication (using a username and password alone). They also address the user inconvenience and cost problems associated with twofactor schemes. I remember a comment made many years ago by Clifford Swartz in The Physics Teacher: "If a thing is worth doing, it is worth doing well enough for the purpose at hand (and it is surely silly and probably wrong to do it any better than that)." Risk-based strategies are pretty good for the purpose at hand, and should be seriously considered by the education community as a relatively easy and inexpensive way to strengthen authentication.

-Doug Gale is president of Information Technology Associates, an IT consultancy specializing in higher education.

comments powered by Disqus