

In the fiercely competitive business world, using a secure system to protect your data from hackers and unauthorised users is essential. As we discussed last issue, passwords on their own are not sufficient as they rely on humans, who are the weakest link when it comes to security. In this article, we are going to look more closely at two-factor authentication alternatives, including THUS’ TokenID Authentication, and why they are more effective.
In the know
The different ‘authentication factors’ are: something you know; something you have; and something you are. Two-factor authentication typically involves the first two; a password and a device. Chip and PIN is the most common example. The chip is something you have and the PIN is something you know. Two-factor authentication works well here; stealing the PIN and card together is considerably harder than just stealing the card.
Similar security improvements happen online when you replace a simple password with two-factor authentication. Suddenly, the difficulty in obtaining the authentication credentials increases dramatically. The number of individuals who could actually steal the hardware token is considerably smaller than the many billions of people with Internet access who could potentially steal the password. Add to that the difficulty of actually stealing both pieces of information, the hardware and the password, and you’ll understand how effective two-factor authentication can be.
Types of two-factor authentication
Time-based tokens
These are small digital devices. They consist of a battery, a display and a small computer with a clock built in. The computer takes the time from the clock, does some cryptography and displays a number on the screen. You log in using a PIN and the number on the display instead of your password. An authentication server on the network checks the PIN, then does the same cryptography and checks the number you’ve entered.
Challenge response token
Again, these are small digital displays but with a keypad underneath. When you log into a computer system it will prompt you with a number; you enter this into the token, and the token does some calculations and displays your password. Again this should be used in conjunction with a PIN, which is sometimes entered into the token to unlock it rather than the computer. The number on the token changes every minute and each number can only be used to authenticate once. These two features make attacking the system relatively difficult.
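The server-side check described under "Time-based tokens", together with the once-a-minute and use-once properties mentioned above, can be sketched as follows. This is an added example, not code from THUS or RSA: it uses the open TOTP construction (RFC 6238) as a stand-in for the proprietary SecurID calculation, and the names AuthServer, token_code, the seed, the salt and the PIN are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 60      # seconds per code; the article says the number changes every minute
DIGITS = 6     # assumed code length


def token_code(seed: bytes, now: float, step: int = STEP) -> str:
    """What the token displays: HMAC of the current time-step counter (RFC 6238)."""
    counter = struct.pack(">Q", int(now // step))
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class AuthServer:
    """Hypothetical authentication server holding each user's PIN hash and seed."""

    def __init__(self):
        self.users = {}       # name -> (salt, pin_hash, seed)
        self.last_step = {}   # name -> last accepted time step (replay guard)

    def enrol(self, name, pin, seed, salt):
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        self.users[name] = (salt, pin_hash, seed)

    def verify(self, name, pin, code, now, drift=1):
        if name not in self.users:
            return False
        salt, pin_hash, seed = self.users[name]
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, pin_hash):   # something you know
            return False
        current = int(now // STEP)
        for step in range(current - drift, current + drift + 1):  # tolerate clock drift
            if step <= self.last_step.get(name, -1):
                continue                                   # already used: reject replay
            if hmac.compare_digest(token_code(seed, step * STEP), code):
                self.last_step[name] = step                # something you have
                return True
        return False


# Constructed sample data: seed, salt, PIN and timestamp are made up for the demo.
SEED, SALT, T0 = b"constructed-demo-seed", b"constructed-salt", 1_700_000_000
server = AuthServer()
server.enrol("alice", "4821", SEED, SALT)
```

Calling server.verify("alice", "4821", token_code(SEED, T0), T0) succeeds once; presenting the same code a second time fails, because the server remembers the last time step it accepted.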
SMS-based solutions
With these, the user receives an SMS on their telephone containing their next authentication code. When they log in they enter this in conjunction with their password. SMS costs make this type of authentication most suitable for users who use the codes relatively infrequently. This also makes a good interim service for users who have lost their hardware token, or those waiting for delivery in the post.
Biometric solutions
These lean on the third type of authentication factor: something you are. A biometric is a unique and measurable characteristic of a human being that is used to identify an individual. On the face of it, a biometric solution appears to offer a high level of security even without other authentication details. Implementation flaws, difficulties with integration and hardware costs can make this type of authentication system expensive though. However, some laptops are available with fingerprint readers.
Interestingly, the UK government has just dropped a proposal to use fingerprint authentication. It feared that attackers would have no problem in cutting off the finger of an MP to gain access to Parliament.
Computer-based systems
Another class of two-factor authentication uses a secret that’s stored on the individual’s computer, either on disk or on a USB stick or smart card. Secure shell, a command line tool for accessing remote systems, offers this type of authentication as standard. It stores an encrypted key (basically a big number) on disk. The user enters a password into the software. The password is then used to decrypt the key, which is used in conjunction with some cryptography to authenticate the user.
The danger with any system that connects to the computer is that it could be compromised and the secret key copied. The user will not necessarily be aware that this has happened. However, should a hardware token be stolen, then the user will notice when they next attempt to authenticate.
Our solution
Our Token ID Authentication solution, mentioned in the previous issue, delivers a number of these two-factor authentication capabilities. The platform allows your users to authenticate with either the RSA SecurID time-based tokens or using SMS-based authentication codes.
Unlike the majority of solutions, the THUS solution, developed in conjunction with Signify Solutions, allows two-factor authentication to be set up without the installation of new servers. We’ve specifically chosen this system to ensure simple integration with the majority of applications, low initial expenditure and ease of ongoing management. The web portal and our automated helpdesk save users spending time developing and running otherwise complex processes for provisioning new users, managing lost PINs and handling lost tokens.
At THUS, we do not believe that passwords offer the most appropriate level of security required by many organisations. As such, we are committed to helping organisations of any size implement the most appropriate secure authentication and identity management system to ensure that their data remains protected from hackers and unauthorised personnel.
To find out more, visit http://www.thus.net/pdfs/token_id_authentication.pdf