There is a fundamental truth concerning passwords: The best password is one the user does not need to know.
At the core, a password is not a bad mechanism for authentication. The problems with passwords all stem from the fact that human beings cannot remember very good ones. Computers will always have better memory than users. We can use that to our advantage by not using passwords at all, or at least by using passwords in conjunction with other things. A password is (hopefully) "something you know." Supplement that with "something you have," such as a smart card, and you have multifactor authentication. Smart cards will always provide better security than passwords, and the cost of implementing them is within the reach of almost every organization. A basic system can be built with as little as one Windows Server 2003 system and some USB tokens that look like smart cards to the OS. For most interesting environments, however, you need to investigate building a full-fledged Public Key Infrastructure (PKI). A full discussion of PKI is beyond the scope of this chapter, but it is a topic that just about any security administrator needs to investigate.
A very interesting form of multifactor authentication is one-time passwords. In 2004, RSA and Microsoft jointly announced SecurID for Windows. SecurID is essentially an electronic form of the code book system used for centuries. A code book simply has a list of passwords or crypto keys, and the sender and recipient (or the user and the authentication system) agree a priori on which one to use when. SecurID is a hardware token that generates a pseudo-random sequence of six-digit numbers. Each number is shown on the token for 60 seconds. To log on using this token, the user types in the username, optionally the password, and the six-digit number currently shown on the token. The authentication system knows what number should be shown on each token at any given time, and if that number matches what the user typed, there is reasonable certainty that the user is in possession of the token.
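To make the "electronic code book" idea concrete, here is an added example (not from this chapter, and not RSA's proprietary SecurID algorithm): a server-side verifier for an HMAC-based, time-stepped token in the style of RFC 6238, using a 60-second step and six digits as described above. It tolerates one step of clock drift between token and server and refuses to accept a code that has already been used, so a captured code cannot be replayed within its 60-second window. The seed value is constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo seed; a real token's seed is provisioned per device and never shared.
SECRET = b"constructed-demo-seed-not-a-real-token-key"


def code_for_counter(secret: bytes, counter: int, digits: int = 6) -> str:
    """Derive the code for one time step: HMAC-SHA1 over the step counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp_code(secret: bytes, now: int, step: int = 60) -> str:
    """What the token displays at Unix time `now` (same code for the whole step)."""
    return code_for_counter(secret, now // step)


class TokenVerifier:
    """Server side: knows the seed, so it can compute the expected code for any step."""

    def __init__(self, secret: bytes, step: int = 60, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.drift = drift_steps
        self.last_counter = -1  # highest step whose code has been accepted

    def verify(self, submitted: str, now: int) -> bool:
        for delta in range(-self.drift, self.drift + 1):
            counter = now // self.step + delta
            if counter <= self.last_counter:
                continue  # already consumed (replay) or older than a used code
            expected = code_for_counter(self.secret, counter)
            if hmac.compare_digest(expected, submitted):  # constant-time compare
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    t = 1_700_000_000
    shown = totp_code(SECRET, t)
    v = TokenVerifier(SECRET)
    print("token shows", shown, "accepted:", v.verify(shown, t + 30), "replay:", v.verify(shown, t + 31))
```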
There are other forms of multifactor authentication as well. Commonly referred to as "something you are," we find the various biometric devices, such as fingerprint readers, retina scanners, voice-recognition systems, and so on. Although they certainly have their value and their place, none of them provides enterprise-grade security comparable to smart cards or one-time password tokens. There are several reasons for this. First, most of the "tokens" used for biometric systems are actually detachable. If you lose your thumb, you cannot really go to your administrator and ask for another one! If you are worth less to the attackers than the data you are protecting, you are in for a world of hurt. Closely related is the fact that you do not get an unlimited supply of tokens. If you lose your smart card, you can revoke it and get a new one. If you lose your thumb, you cannot really revoke it, and, although you do have one more, that is not a lot for a lifetime of authentication.
Third, many of the systems can be broken with low-tech means. For instance, many fingerprint scanners can be fooled with a gummi bear. Some retina scanners can be fooled with a picture. The Chaos Computer Club in Germany has posted an instructional video showing how to manufacture a copy of a fingerprint using a fingerprint from the victim, a scanner, a printer, some ethyl alcohol, and some wood glue. Other materials have also been used to circumvent these devices, such as flour, freon, and so on. Overall, smart cards and one-time passwords provide a more secure and stronger solution than biometrics.