Two-Factor Authentication
Strengthening Authentication
Why proving a user's identity is more complicated than
it seems, but 'pretty good' methods might be just right.
"CLICK-CLICK." During the invasion of Normandy,
paratroopers used toy "clickers" to
identify friends from foes in the dark. One click-click
was a query. An allied soldier would reply
with two click-clicks. Although simple and generally
effective, there was one problem: The
bolt action of a German Mauser rifle sounded
very much like a double click-click. Authentication—
the process of proving we are who we
claim to be— is much harder than it seems at
first glance.
The Problem With Passwords
The basics of authentication are straightforward.
You can prove your identity in three ways:
something you have (for example, a key or a
birth certificate), something you know (such as
a password), or something you are (such as
your fingerprints, used in biometric technologies).
(See "It's Not All About Hackers," CT
September 2005)
In the world of computers and networks, the most common
form of authentication is a password. To reduce the
vulnerabilities associated with password authentications,
we generally require strong passwords (those that are difficult for a hacker to guess or gain by a brute-force attack),
and change passwords on a regular basis. Changing passwords
reduces the window of time in which damage can be
done with a compromised password. Guidelines for selecting
strong passwords are well known, and password management
systems are widely available to ensure that passwords
are changed regularly.
But wait: In order to remember a plethora of strong, frequently
changing passwords, many of us write them down.
Or worse, we often use the same password for everything.
And in the process, we create a new, glaring vulnerability.
Passwords can also be lost, or stolen via a multitude of
techniques. Changing a password every three months—
or even every three days— doesn't eliminate our vulnerability;
it doesn't take a crook three days to empty out a
bank account.
Passwords will remain popular, however, because they
are highly portable, easy to implement, relatively cheap,
and convenient to use. And despite the potential for disaster,
password security can be effective if we use strong
passwords; if we keep our passwords secret; if we learn
to recognize a phishing attack; if we only store our password
list using an encryption scheme such as Apple's
Keychain or
GNU's Keyring; and if we
have a bit of luck.
Two-Factor Authentication
It's indisputable: We can greatly strengthen password security
by adding a second authentication factor. Because of
the relatively greater cost of biometric devices, the second
factor selected by educational institutions is usually "something
you have." A number of "what you have" technologies
have become common in business applications, and are
often used in combination with a username/password
(what you know) to provide true two-factor authentication.
Smart cards and USB tokens. A smart card is a creditcard-
sized card with embedded integrated circuits, which
can process and remember information. To authenticate, the
user must swipe or physically insert the card in a special
reader. Proximity authentication also can be done using radio
signals. USB tokens have a similar function, but the form factor
is insertion into a computer's USB port. Caveat: Smart
cards and USB tokens can run $50 to $100 per employee.
While $50 per person per year may seem very reasonable in
a corporate environment, for an educational institution of
50,000 students, faculty, and staff, that translates to more
than $2.5 million per year. Moreover, the need for mechanisms
to replace lost cards quickly also presents an issue.
One-time password (OTP) device or token. An OTP
device generates a temporary password that can be used
to authenticate the person who holds the token. If an external
intruder obtains the password by listening to network
traffic, it has limited value because the correct password
changes frequently. The cost of an OTP device is similar to
that of a smart card. To overcome some of the management
problems associated with tokens, many OTP vendors offer
managed services as well.
OTP software runs on a portable device, such as a cell
phone or laptop, and generates a one-time password. The
incremental cost of the software is generally less than the
cost of a separate dedicated device.
Wallet bingo card. In this low-tech, low-cost, OTP
scheme, the user carries a piece of paper with a grid of
characters. The host issues a randomized row and column
challenge; the user responds with the corresponding value
from the grid. Although uncommon in the US, this scheme
provides the security of OTP devices at a fraction of the
cost. A variation of this strategy is a scratch card containing
randomly generated one-time passwords.
Though it is effective, two-factor authentication hasn't
yet gained traction in higher education, for three reasons:
1) Despite recent privacy legislation and highly publicized
hacker attacks, there hasn't been sufficient push for campuses
to strengthen authentication, which often is perceived
as running counter to education's culture of openness;
2) the cost of devices, support, replacing lost or
stolen tokens, and maintaining and upgrading software can
be prohibitive for colleges and universities; and 3) users
often find two-factor schemes inconvenient.
Computer Identity Strategies
There's another way to achieve two-factor authentication:
computer identity strategies. With this method, the first
time a user logs into a host system with a username and
password, the host system "fingerprints" the user's computer.
Specifically, it captures information about the user's
computer (such as a serial number) that can be used in the
future to determine if the login request is coming from the same machine. In this way, the computer itself becomes—
to a relatively high degree of probability— "something you
have," and can be used as a second factor in the authentication
process. A number of schemes have been developed
to remotely identify a computer:
Device characteristics. The host records characteristics of
the user's computer, such as the serial number of the motherboard
or the software installed on the desktop.
File authentication. The host places a web cookie or
flash cookie on the user's computer, which it looks for the
next time the user seeks authentication. One problem with
web cookies is that many genuine users disable or regularly
delete cookies. Flash cookies, on the other hand, are set
through a mechanism in Macromedia's
Flash Player (which is installed in most computer
browsers), making them more inaccessible to user control.
An internet profile contains information such as a
device's IP country, IP city, ISP, IP owner, connection type,
and user agent. These data do not provide unique identifiers
of a device, but can be used with other information to
provide a reasonable level of authentication.
Because they depend on information gleaned from the
user's computer, computer identity schemes suffer from
the problem of portability. Should logins from an airport
kiosk be allowed? If so, what secondary authentication is
used? Moreover, all of these authentication schemes can
be defeated to some degree, and provide only a probability
of correct identification.
Despite recent privacy legislation
and highly publicized hacker attacks, there hasn't been sufficient push for campuses
to strengthen authentication.
Risk-Based Authentication
Last year, the banking industry was faced with federal requirements
to provide something better than password-only
authentication for online banking transactions. While some
have adopted true two-factor authentication using smart
cards and one-time password tokens, many have adopted
what is called "multifactor" or "risk-based" authentication.
In risk-based authentication, after a user logs in with his or
her user ID and password, the host system applies the computer
identity strategies discussed above. That information is
then subjected to a risk analysis, to develop a risk score. If
the risk score is below a defined threshold, the user is granted
access to the session; the threshold is selected so that
most access requests are granted without further action. If
the risk score exceeds the threshold, further secondary
authentication is required. For example, if a user logs in using
a different computer or the login location suddenly changes
(for example, a user who has been in New York City for the
past year suddenly logs in from Romania), secondary
authentication might be requested.
Secondary authentication is commonly achieved in one of
two ways: out-of-band communication, or a secret question:
Out-of-band communication consists of
creating a second communication link, separate
from the primary link used for the initial
login. For example, when a user forgets a password,
an e-mail can be sent to his or her e-mail
account of record. Or, upon setting up an
account, a web user can be asked to provide
the host system with a cell phone number that
can be called if there is a question about the
authenticity of a subsequent web session.
Secret question. In this scheme, a first-time
user is asked to answer several questions from
a list provided by the host. The answers to
those questions can then be used for subsequent secondary
identification. One caveat: If you make the question
too obscure, people won't remember the answer, but if
the question is too common (for example, What is your
mother's maiden name?), phishers will seek to log it along
with username and password. Some organizations have
gone so far as to engage psychologists to develop effective
questions.
'Pretty Good' Authentication
In many ways, risk-based authentication schemes can be
regarded as "pretty good" authentication, a term reminiscent
of Phil Zimmermann's PGP (pretty good privacy) encryption
software, created 16 years ago as a low-cost (initially nocost),
now ubiquitous e-mail encryption method. While not
as strong as true two-factor authentication, these techniques
are more effective than one-factor authentication (using a
username and password alone). They also address the user
inconvenience and cost problems associated with twofactor
schemes. I remember a comment made many years
ago by Clifford Swartz in The Physics Teacher: "If a thing is
worth doing, it is worth doing well enough for the purpose at
hand (and it is surely silly and probably wrong to do it any
better than that)." Risk-based strategies are pretty good for
the purpose at hand, and should be seriously considered by
the education community as a relatively easy and inexpensive
way to strengthen authentication.
-Doug Gale is president of Information Technology Associates, an IT consultancy specializing
in higher education.