June 01, 1997 12:00 AM

Token-Based Security Add-Ons

Windows IT Pro
InstantDoc ID #526

Most network security systems rely on single-factor authentication. With this type of authentication, end users need only one item to verify the username they enter when they log on. This one item is usually a password, which often remains the same for a significant amount of time.

Most end users don't know what authentication refers to in the realm of computer security, but when you ask them about passwords, they know what you mean. Passwords are a battle. End users want passwords that are short and easy to remember. Security administrators want passwords that are long and difficult to crack. Even if the security administrators have their way, nothing will stop the proverbial Post-It note from appearing on a user's monitor with a long and difficult-to-remember password written on it.

Even if users keep their passwords secret, an attacker can still obtain passwords that are not changed regularly. A protocol analyzer can capture static passwords off the network, and someone with enough computing horsepower can break an encrypted password.

Security experts agree that the current password-generation method that corporate computing uses is not effective. The tremendous growth in the Internet (and intranets), telecommuting, and the soon-to-be ubiquitous market of electronic commerce magnify password confidentiality and security concerns.

Two-Factor Authentication
An alternative to the current security approach is two-factor authentication: The user provides two items, a personal identification number (PIN) and a token code. The PIN is unique to each user and is encrypted when it is transmitted over the network or WAN. Think of the PIN as the security equivalent of the PIN you use with your ATM card or credit card. A physical device called a token generates the token code. The token displays a new code every 60 seconds; therefore each token code is used only once.

Token-based authentication eliminates nearly all the risk involved with validating users in a network. Token-based schemes improve security, lower per-user cost, centralize and reduce administration costs, and minimize unauthorized access to services. A few major players that produce token-based authentication solutions for the Windows NT environment are listed in the contact box.

The ACE System
Security Dynamics is a leading vendor of token-based authentication solutions. To give you an example of a typical token-based authentication system, this article will explore the uses and functionality of Security Dynamics' ACE/Server software and SecurID token.

ACE/Server provides authentication services for network resources; audit and reporting utilities; realtime monitoring of logon and administrative activity; and GUI-based tools for administering the ACE system, the users, and the PIN and token-code database. The ACE/Server software runs under NT Server or various UNIX implementations and works with a client-side module, the ACE/Client. The software is optimized for NT, and you can perform all security management functions from the server or from an NT workstation. ACE/Server provides enhanced security for both local network logons and remote logons via Remote Access Service (RAS).

The SecurID token is about the size of a credit card, but thicker. It contains an 8-bit microprocessor, memory, a clock chip, and a lithium battery, and provides LCD output for the token code. The token is a sealed device that does not require battery changes. A token that lets you unlock it and replace the batteries is a significant security risk, so the microprocessor is designed to erase its memory if the token's casing is breached or otherwise subjected to attack.

The code a SecurID token displays is a pseudo-random number that changes every 60 seconds. No one can calculate, guess, or otherwise determine the next or future codes from a record of past codes from that SecurID token. Determining a code is computationally impossible without the seed numbers that were entered into the proprietary one-way function (OWF) hash algorithm that calculates the code. The standard SecurID token runs for up to four years. During this period, it generates 4 million to 8 million sequential calculations. You can also preprogram tokens to terminate at a given date and time.

Each user is assigned a PIN that corresponds to the token. The PIN is between four characters and eight characters long and can be all numeric or a mix of numbers and alphabetical and typographical characters. Longer PINs obviously provide greater security against an attacker who tries to guess a user's PIN or who tries to read a PIN over the shoulder of a user working at a keyboard.

ACE/Server also supports a duress PIN in addition to the normal PIN. Users can enter the duress PIN if they're logging on under coercion. With a duress PIN, the user is granted access and sees no apparent difference in the system's response. But the system records the access in the audit trail, and the ACE/Server administrator's account is immediately notified of the event. The administrator sees a pop-up message or a message on a beeper. The administrator can then take appropriate action.
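The following added example illustrates the PIN-plus-token-code logon flow, the 60-second code rotation, one-time use of each code, and the duress PIN described above. It is not Security Dynamics' code: HMAC-SHA256 over a 60-second counter stands in for the token's proprietary one-way function, and the server class, user name, PINs and seed are constructed for the illustration.

```python
import hmac
import hashlib
import struct

INTERVAL = 60   # seconds each token code is displayed, as in the article
WINDOW = 1      # intervals of clock drift the server tolerates either side


def token_code(seed: bytes, now: int, interval: int = INTERVAL) -> str:
    """Code shown by the token at time `now`: a keyed one-way function of
    the interval counter. HMAC-SHA256 is an assumed stand-in for the
    token's proprietary OWF; the seed never leaves token and server."""
    counter = struct.pack(">Q", now // interval)
    digest = hmac.new(seed, counter, hashlib.sha256).digest()
    return "%06d" % (int.from_bytes(digest[-4:], "big") % 1_000_000)


class AuthServer:
    """Toy ACE/Server-style verifier (constructed): PIN + token code,
    each code accepted once, duress PIN logged but otherwise indistinguishable."""

    def __init__(self):
        self.users = {}    # name -> {"seed", "pin", "duress"}
        self.used = set()  # (name, counter) pairs already accepted
        self.audit = []    # audit-trail entries: (time, user, event)

    def enroll(self, name, seed, pin, duress_pin=None):
        self.users[name] = {"seed": seed, "pin": pin, "duress": duress_pin}

    def authenticate(self, name, pin, code, now) -> bool:
        user = self.users.get(name)
        if user is None:
            return False
        duress = user["duress"] is not None and hmac.compare_digest(pin, user["duress"])
        if not duress and not hmac.compare_digest(pin, user["pin"]):
            self.audit.append((now, name, "bad PIN"))
            return False
        base = now // INTERVAL
        # Check the current interval and WINDOW neighbours for clock drift.
        for counter in range(base - WINDOW, base + WINDOW + 1):
            expected = token_code(user["seed"], counter * INTERVAL)
            if hmac.compare_digest(code, expected) and (name, counter) not in self.used:
                self.used.add((name, counter))   # a code is good only once
                self.audit.append((now, name, "DURESS logon" if duress else "ok"))
                return True
        self.audit.append((now, name, "bad or reused code"))
        return False
```

The user under duress is admitted exactly like a normal logon; only the audit entry differs, which is what lets the administrator be alerted without tipping off the coercer.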

Comments
  • arnnei,arnneisp
    Jul 11, 2004

    Mega AS Consulting Ltd developed a new technology product, the CAT - Cellular Authentication Token, to provide a commodity product that every business will be able to afford in order to protect its users' server access. This is a Two Factor Authentication generator of One Time Passwords using the popular cellulars.

    The CAT is a stand-alone product that does not use SMS or any type of communications. With no special hardware overhead and no hidden costs this product is the most cost effective product in the security market today.

    With benefits like:

    Low cost
    Ease of use
    Multiple OTP accounts management
    No hidden costs
    No communication or SMS required
    Security standards - TFA
    Using the cellular and not an additional proprietary hardware

    This product is the replacement of the old tokens technology used today for securing users access to servers.

    With this new technology a new service is now possible – the eAuthentication service, where companies who are not willing to purchase the Authentication server package can get the authentication done as a service at Mega AS Consulting Ltd.'s CAT Authentication Server for a monthly charge.

    More information at: www.megaas.co.nz

  • gurdeep
    Nov 06, 2003

    I DON'T GET IT! HOW DOES THE TOKEN BASED SECURITY SYSTEM WORK?
    STEP BY STEP (BASIC)
