User Authentication Beyond the Password
Updated: Sensitivity to cost has caused enterprises to be slow to adopt two-factor authentication. But with open standards and open source back-ends, costs are coming down, and with the ubiquity of mobile phones, you might not even need to buy tokens for your users.
Editor's Note: This article has been updated.
Here's a simple fact: the security of your organization is at risk every time anyone logs on to your network. If it's an authorized user then you're probably safe, but if it's a hacker that's logging on then here's what could be on the menu: malware infections, network unavailability, server downtime, data loss or corruption, leakage of confidential or proprietary information, and much more besides.
Given all this, it's astounding that most businesses require only a user name and password to authenticate users onto their networks, even when logging in remotely. According to research house Gartner, about 94 percent of companies of all sizes require only single-factor authentication of this sort from their users.
It's astounding because single-factor authentication using "something you know"—a password, in other words—is notoriously insecure. If a password is to be easily remembered then it's probably easily guessable and rarely changed. If users are forced to use more secure passwords which are long, random and frequently changed, then the chances are they'll write them down on a sticky note "hidden" somewhere obvious.
Factor In Tokens
A sensible way to beef up security is to bump up authentication to a two factor process, involving "something you have"—some form of security token which users must be in possession of when they authenticate themselves to the network—as well as the "something you know" password. This is the model that ATMs use: a PIN that the user has to know, and an ATM card that has to be inserted to prove that it in their possession.
The most common form of network authentication credential is the SecureID token from RSA Security, part of storage company EMC. The SecureID token generates a one time password (OTP) which changes every minute or so, and the user has to type in this OTP to prove that the token is in his or her possession. The OTP is generated by putting a time value into an encryption algorithm using the token's unique "seed record" as the key. Since the only other entity in possession of the key is the authentication server, and since the server's and the token's clocks are kept in synchronization, the server is able to compare the OTP the user enters with the one it is expecting, and authenticate the user if it is correct.
But RSA is far from being the only player in town, with a number of other vendors active in the security token market including Vasco with its Digipass range, Secure Computing's SafeWord tokens, the ActivIdentity token range and Entrust IdentityGuard tokens. These products use a variety of systems, including event synchronous authentication. Such tokens generate an OTP each time they are activated (usually by pressing a button) and this OTP is compared with the next OTP that the server generates using the same crypto algorithm and key, and an incremental counter. These are in theory less secure than time synchronous systems as a hacker who gained access to one of these tokens temporarily could generate a sequence of OTPs for later use. These OTPs would remain useful until the next time the owner generated an OTP and submitted it for authentication, as at that point all previous OTPs would cease to be valid. These and other vendors (including memory stick manufacturers) also sell USB dongle tokens and smart cards which have to be physically inserted into a USB port or card reader of some sort during authentication.
Cost Slows Adoption
One reason why many organizations have so far been reluctant to introduce two factor authentication is the cost involved, according to Dr. Ant Allan, a research vice president at Gartner. "For a small enterprise, with a few hundred people working remotely, the cost has been something like $50 per user for a token, plus the same again for the infrastructure required," he says.
But Dr. Allan says the economics are changing rapidly. As well as RSA's time-synchronous tokens and time- or event-synchronous tokens from companies like Vasco and ActivIdentity, which use the ANSI X9.9 standard for identification codes, there's a significant project called OATH: the Initiative for Open Authentication. All tokens that use the OATH standard can be used with OATH-compatible authentication systems, unlike RSA SecureID tokens, for example, which only work with RSA back-end systems. "OATH has enabled the commoditization of security tokens," says Dr. Allan. "It provides the interoperability so you can implement a solution with OATH and buy some tokens from one vendor and others from another vendor. " OATH has been heavily promoted by security services vendor VeriSign, which wants to offer managed authentication services without having to be a token manufacturer or locking its customers in to a single token supplier, Dr. Allan says. Entrust, another security vendor, now supplies OATH based tokens for $5 each (albeit with a minimum order of 100), so token hardware costs have become almost negligible.
In fact, token hardware cost is rapidly becoming irrelevant for another reason: The increasing power and sophistication of mobile phones means that it is now perfectly practical to give users soft tokens-software which runs on a mobile phone or other handheld device which emulates a hardware token. "We actually see phone-based authentication tokens becoming increasingly popular, and we predict that 50 percent of future two factor authentication implementations will use phone-based tokens," says Dr. Allan. Once up and running these offer a similar level of security to hardware token based systems, he says, although he warns that enrollment issues (essentially getting the software to the right mobile phone) can be a potential security problem.
Vendors that provide authentication systems using cheap hardware tokens or software tokens make their money from the back-end systems (which they either license or provide as a service). Interestingly, authentication systems are available that uses precisely the opposite model: open source authentication server code which is supplied at no cost to work with more costly tokens. For this to work the tokens have to be differentiated in some way to be worth paying more for.
An example of this is the YubiKey, a tiny USB token from a Sweden-based outfit called Yubico. The YubiKey is "seen" by the user's device's operating system as a USB keyboard. Touching the YubiKey's single button automatically generates and enters an OTP into the active field on the user's computer without any other activity required on the part of the user. YubiKeys cost $20 each (in orders over 100), but since the authentication software is open source there are no annual license fees to be paid (although there are obviously costs associated with integration and maintenance). Yubico also offers a free basic managed authentication service -- it previously cost $2 per user per year -- for companies that do not wish to run their own authentication servers. (Ed. Note: See update)
"There are many companies providing expensive validation services and there is clearly a void in the market today for a no-subscription, "no strings attached" offering," says Stina Ehrensvärd, Yubico's CEO. "A buyer needs to look at the total cost of ownership and for large deployments that run for many years the Yubico offering is less expensive than the competition. We do not subsidize the tokens to regain on services." Ehrensvärd expects the price of the YubiKey to drop in the near future, and says by mid-August the device will support OATH.
Because the cost of token based authentication has historically been high, a number of other authentication methods have appeared, providing a variety of levels of security. The prevalence of mobile phones has led to a degree of popularity for out of band authentication methods using SMS messages, email, or even voice messages. A user attempting to log on has a security code sent to their mobile phone using one of these methods, and this code must be entered as part of the log on procedure. As long as the communication channel (in this case the mobile phone connection) is not compromised, this method is actually pretty secure. Problems occur if network latency means that the user has to wait too long for the security code to arrive - or if the user is outside a mobile phone coverage area.
Other authentication methods involve identifying the IP address from which a user logs in, or the device the user is operating (using network access control devices, or proprietary systems). These, however, authenticate a location or a device not a user, so they can't be used when a user is mobile (in the case of IP address authentication) or when a user wants to use a different computer system (in the case of NAC or other systems). It also leaves a network vulnerable to attacks from malware-infected, authorized machines operated remotely.
What's clear is that with the commoditization of tokens thanks to standards like OATH, and with open-source based solution using low cost hardware such as the YubiKey, the cost barrier to implementing strong two factor authentication is falling fast. "There has historically been an authentication chasm because the cost of hardware has been high," says Dr Allen, "but now that cost is shrinking." What that means is that there is now less of a reason than ever before to rely on user names and passwords for the security of your network. For a fairly modest cost you could introduce two factor authentication and increase the level of your network's security significantly.