Security Advisor

Forget Your Passwords

There are plenty of easier and more secure ways to authenticate users.

Passwords and user names are by far the most common form of authentication. They're easy to set up and easy to use. Let's face it, though -- they're not very secure.

Most users choose insecure passwords, such as birthdays or plain words without numerals. They write them down or let others look over their shoulders as they type them. They also frequently forget their passwords, which creates extra work for you and the other network admins. Fortunately, there are several alternatives to password authentication that are both easier to manage and often much more secure.

Leave Only Fingerprints
The police use fingerprints to identify criminals, so fingerprint recognition ought to be a fairly reliable way to identify users. However, a few years ago some enterprising individuals demonstrated they could easily fool many of the current fingerprint readers using artificial fingers or actual fingerprints transferred to a sheet of gelatin.

As a result, fingerprint technology acquired a reputation for being insecure. Since then, the technology has become much more reliable and is considered sufficiently secure. Some laptops even include a fingerprint reader as a standard feature. In many cases, you can use these readers for pre-boot authentication or Windows log-on.

Lately, I've been using the USB-based Eikon To Go from UPEK. While this particular device is targeted at consumers and has no central-management capabilities, UPEK and other manufacturers also sell devices you can manage. This is crucial if you need to deploy fingerprint authentication to even a moderate number of users. The beauty of fingerprint authentication is that it can reliably identify a person and it improves the user experience.

New Face of Smartcards
When Windows 2000 came out, it was one of the first operating systems to support smartcard authentication. Smartcards, which look like credit cards with an embedded chip, are essentially tiny computers that store a private key. That key corresponds to the user's certificate.

When a user inserts a smartcard into a reader and enters the correct PIN, the smartcard can prove to Windows that it holds the correct private key. The private key never leaves the card, nor can it be copied to another card. If a smartcard is lost or stolen, the card itself permanently blocks access to that private key after a certain number of incorrect PIN entries.
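To make the exchange concrete, here is an added simulation of that log-on (my own code, not the column's and not any vendor's). The card object holds the private key and never hands it out; it only signs a challenge after the right PIN, and it blocks itself for good after a fixed number of wrong PINs. The host keeps only the public key, which is what the user's certificate carries, and issues a fresh random challenge each time so that a recorded answer from an earlier log-on is useless. The retry limit and all names are my own choices.

```go
package main

// Added example: a smartcard-style challenge-response log-on with PIN lockout.
// The private key lives only inside SmartCard; no method ever returns it.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

const maxPINAttempts = 3 // assumed limit; real cards set their own

var (
	ErrWrongPIN = errors.New("smartcard: wrong PIN")
	ErrBlocked  = errors.New("smartcard: PIN blocked, private key permanently unusable")
)

// SmartCard stands in for the card: key, PIN and retry counter live inside it.
type SmartCard struct {
	priv       *ecdsa.PrivateKey // never leaves the card
	pin        string
	pinRetries int
	blocked    bool
}

// NewSmartCard generates the key on the card, where it stays.
func NewSmartCard(pin string) (*SmartCard, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SmartCard{priv: priv, pin: pin, pinRetries: maxPINAttempts}, nil
}

// PublicKey is the only key material the card discloses (the certificate's key).
func (c *SmartCard) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// SignChallenge signs the host's challenge if the PIN is right. Each wrong PIN
// consumes a retry; when retries run out the card blocks itself permanently.
func (c *SmartCard) SignChallenge(pin string, challenge []byte) ([]byte, error) {
	if c.blocked {
		return nil, ErrBlocked
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) != 1 {
		c.pinRetries--
		if c.pinRetries <= 0 {
			c.blocked = true
			return nil, ErrBlocked
		}
		return nil, ErrWrongPIN
	}
	c.pinRetries = maxPINAttempts // a correct PIN resets the counter
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// Host is the Windows side of the exchange: it knows the public key only.
type Host struct {
	pub *ecdsa.PublicKey
}

// Authenticate issues a fresh random challenge, so a signature recorded during
// an earlier log-on cannot be replayed, and verifies the card's answer.
func (h Host) Authenticate(card *SmartCard, pin string) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	sig, err := card.SignChallenge(pin, challenge)
	if err != nil {
		return false, err
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(h.pub, digest[:], sig), nil
}

func main() {
	card, err := NewSmartCard("1234")
	if err != nil {
		panic(err)
	}
	host := Host{pub: card.PublicKey()}
	ok, err := host.Authenticate(card, "1234")
	fmt.Println("correct PIN:", ok, err)
	for i := 0; i < maxPINAttempts; i++ {
		_, err = host.Authenticate(card, "0000")
		fmt.Println("wrong PIN:", err)
	}
	ok, err = host.Authenticate(card, "1234")
	fmt.Println("correct PIN after lockout:", ok, err)
}
```

Running it shows the sequence the column describes: one successful log-on, three refusals for a wrong PIN, and then a refusal even for the correct PIN because the key has been blocked. Nothing the host ever receives lets it, or anyone recording the traffic, reconstruct the private key.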

Many larger organizations use smartcards, either for VPN authentication or for regular interactive log-ons.

However, relatively few small to midsize companies are using them. The reason for this is simply that smartcard deployments can often be difficult, time-consuming and expensive.

One of the largest smartcard vendors, Gemalto, is trying to ease this process for smaller organizations. It offers a smartcard-management solution called the Device Administration Service as a Web-based hosted service.

Another reason for the slow rate of smartcard adoption is that smartcards require a built-in or attached smartcard reader. Also, the credit-card form factor doesn't work for everyone.

Today's smartcards have overcome both issues. First, Microsoft has built most of the software Windows needs for smartcard readers into the OS, essentially providing a plug-and-play experience.

Also, many of today's smartcards aren't even cards at all -- many of them look like flash drives. They integrate with the card reader hardware and you can plug them into any USB port. If such a device is too big for you, or you're worried about losing it because it's too small, you can choose from a multitude of sizes and shapes.

Unfortunately, managing smartcards can still be a challenge. For example, if you buy Gemalto's .NET smartcards without subscribing to its management service, you'll have to build your own certificate infrastructure with Microsoft's Identity Lifecycle Manager to perform even common tasks like changing the device PIN.

Authentic Convergence
Many of today's authentication devices also have other useful features. For example, the fingerprint scanner I use also stores Web site passwords. There are several models of smartcards that can double as encrypted flash drives. An increasing number of smartcard devices include a onetime password generator for RSA SecurID authentication. Many companies use this for authenticating VPN connections.

These devices have a small screen that displays a number combination. This combination changes once every minute. The numbers are unique to the token and others can't reuse them, so anyone recording your log-on credentials won't be able to use them later to break into your corporate network.
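The two properties just described, a code that changes every minute and a code that is tied to one token and cannot be used a second time, are easiest to see in code. The following is an added example of my own, not the column's and not RSA's: it uses the open TOTP construction (an HMAC over a time counter, truncated to six digits) rather than SecurID's proprietary algorithm, with a 60-second step to match the once-a-minute change. The verifier holds one secret per token and remembers the last counter it accepted for that token, which is what defeats someone who records a log-on and tries the same code later. The secret, token names and drift window are constructed for the demo.

```go
package main

// Added example: a time-based one-time password token and the server-side check
// that makes recorded codes worthless. TOTP-style, not SecurID's own algorithm.

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	stepSeconds = 60      // the code changes once a minute
	driftSteps  = 1       // accept one step either side for clock drift
	modulus     = 1000000 // six digits
)

// otpCode computes the HMAC-SHA1 dynamic truncation for one counter value.
func otpCode(secret []byte, counter int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(counter))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	value := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", value%modulus)
}

// Generate is the token side: what the small screen shows at time now.
func Generate(secret []byte, now time.Time) string {
	return otpCode(secret, now.Unix()/stepSeconds)
}

// Verifier is the server side: one secret per token, plus the last counter
// accepted for that token so that a spent code is never accepted again.
type Verifier struct {
	secrets  map[string][]byte
	lastUsed map[string]int64
}

func NewVerifier() *Verifier {
	return &Verifier{secrets: map[string][]byte{}, lastUsed: map[string]int64{}}
}

// Enroll registers a token's secret (in practice this is the seed record).
func (v *Verifier) Enroll(tokenID string, secret []byte) {
	v.secrets[tokenID] = secret
}

// Check accepts the code only if it matches this token's secret within the
// drift window and its counter is newer than the last one accepted.
func (v *Verifier) Check(tokenID, code string, now time.Time) bool {
	secret, ok := v.secrets[tokenID]
	if !ok {
		return false // unknown token: a code from some other token is useless here
	}
	current := now.Unix() / stepSeconds
	for d := int64(-driftSteps); d <= driftSteps; d++ {
		counter := current + d
		if counter < 0 {
			continue
		}
		if !hmac.Equal([]byte(otpCode(secret, counter)), []byte(code)) {
			continue
		}
		if last, seen := v.lastUsed[tokenID]; seen && counter <= last {
			return false // replay: this code (or an older one) was already spent
		}
		v.lastUsed[tokenID] = counter
		return true
	}
	return false
}

func main() {
	secret := []byte("constructed-demo-secret-not-a-real-seed") // constructed
	v := NewVerifier()
	v.Enroll("token-A", secret)
	now := time.Now()
	code := Generate(secret, now)
	fmt.Println("first use:", v.Check("token-A", code, now)) // true
	fmt.Println("replayed: ", v.Check("token-A", code, now)) // false
}
```

Two details matter for a deployment. The comparison uses hmac.Equal so the check takes the same time whether or not the code matches, and the replay record is keyed by counter rather than by the code string, so a code stays unusable even within the drift window the server tolerates.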

Another combination device, the plusID from Privaris, is just a little larger than most flash drives. It provides authentication for long-range sensors and proximity sensors. It also holds certificates and even includes a small display screen for SecurID onetime passwords. You can connect it to a computer with a USB cable or through an encrypted Bluetooth connection. The plusID also has a fingerprint reader to ensure that only an authorized person can use the device.

Here's an example of what the plusID can do. As you approach the parking garage at work, you push one of the device's four buttons and then swipe your finger across its surface for authentication. The garage gate uses a compatible long-range sensor, so it opens in time to let you drive into the garage without having to stop. Before entering your office building, you push another button, swipe your finger and hold the device up to a sensor to unlock the door. Fingerprint matching ensures that it's really you who enters the garage and the building. In contrast, a regular badge would have let anyone in who was holding the badge.

Next, walk up to your desk. Push yet another button and swipe your finger. The plusID establishes a secure Bluetooth connection to your computer and logs you on using the certificate stored on the device. The log-on completes before you even touch your keyboard. Throughout the day, you may use the same method to access highly encrypted confidential files. When you finally get home and start a VPN connection to work, you turn the plusID upside down to see your onetime password on the display screen.

The only downside is that plusID devices aren't cheap. They're well worth the price, though, when users need multiple authentication mechanisms and handle highly confidential data. Privaris' management software is very capable, but you'll still have to set up a certificate infrastructure to make everything work. You'll also need to coordinate with colleagues who handle physical security to get the plusID device to open building doors and garage gates.

Stealth Security
The Stealth MXP security device from MXI Security provides authentication, but it also goes one step further. The Stealth is a slightly oversized USB flash drive -- with a capacity of up to 8GB -- that uses data encryption and fingerprint authentication.

The most interesting aspect of the Stealth MXP is the type of data you can store and the many ways you can use the device. Just like a smartcard, the Stealth has cryptographic capabilities that let it generate certificates, store private keys and use them for authentication. It can also generate SecurID onetime passwords and automatically transmit them, so you don't have to read them off a small screen and retype them.

Even more interesting is the Stealth's ability to include read-only and read-write data partitions. You could use these to store confidential files that you can only access after successful fingerprint authentication. This device also can store all the programs and shortcuts you need to access your corporate network. For example, you could include a shortcut to a Web portal and automatically log the user on with a onetime password that the device creates.

My favorite feature is that the Stealth MXP can hold an entire self-contained virtual machine. You could even include a Citrix client, completely configured to start an authenticated terminal connection to the office. You can then plug the device into any computer. After it has verified your fingerprint, you run your own pre-configured computer inside the virtual environment with little or no interaction with the physical computer. The virtual machine can establish a VPN connection to your office or run your favorite apps on any computer.

The Stealth MXP is a great solution for creating a portable trusted computer environment with simultaneous access to several types of credentials. Fingerprint authentication protects both the credentials and the data.

MXI Security's ACCESS Enterprise software handles device management and data deployment.

Devices like the plusID and the Stealth MXP are among my favorite security products. These are only some of the many new authentication products that have recently come on the market. Take a good look at what's available, and you may find just the right one to convince you that you can get rid of passwords once and for all.

About the Author

Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.
