Almost everyone uses them, many people have lots of them, they control access to our most valuable asset—information—and yet we don't guard them properly. We share them with others, we write them on bits of paper, and we rarely bother to select good ones. What am I talking about? Passwords, of course (or more accurately, a set of credentials consisting of a username and password).
Usernames and passwords have been used to control access to computers and networks,
and the data stored on them, for decades. The problems associated with usernames
and passwords are well known, and yet no amount of technology, awareness, or
education seems to matter. They remain one of our biggest security vulnerabilities,
yet businesses continue to use them. It's almost impossible to make an online
purchase without first creating or logging on to an account. I personally have
more than 30 accounts, ranging from my online banking and investment accounts,
to shopping sites, to professional associations. These are in addition to the
accounts (both end-user and administrator-level) that I use to access the various
computers and networks required to perform my job.
How does one keep track of so many sets of credentials? The obvious answer
is to use the same set of credentials for each account. This practice is risky
because if an attacker discovers the set of credentials you use to access one
account or system, then he or she has access to all your other accounts. Another
option is to store your credentials somewhere (e.g., on a piece of paper in
your wallet or on a device such as your smart phone or Pocket PC). This approach
also has risks. If your wallet is stolen or your device is compromised, then
all your accounts are compromised. Even if you store your password separate
from your username, you might still be at risk if only the password is compromised,
as often usernames are easily guessable. For example, many Web sites force you
to use your email address as your username. (For more information about best
practices for situations in which you must use passwords, see the sidebar "When
You Must Use Passwords")
So, what can a security administrator do to avoid the risks associated with
passwords? A bewildering array of alternatives to the use of usernames and passwords
exists— some supported natively by Windows and some not. Three of the
most popular alternatives are smart cards, tokens, and biometric readers. After
a brief look at some basic authentication principles, I'll discuss the pros
and cons of each solution and the scenarios in which they work best.
The Basics of Authentication
Current authentication technology uses three types of identifiers: something
you know; something you have; or something you are. When a system uses just
one of these identifiers, it's known as one-factor authentication. An example
of one-factor authentication is the humble username and password, which is based
on something you know. When an authentication system uses two of these methods,
it's called two-factor authentication and is considered more secure than one-factor
authentication. An example of two-factor authentication occurs when you use
your ATM or debit card and PIN, which requires something you know and something
you have. Figure 1 shows an excerpt from the
June Windows IT Pro "Two-Factor Authentication Tokens" Buyer's Guide
table, which lists some two-factor authentication products that are currently
available. To learn more about two-factor authentication and to view the complete
Buyer's Guide table, read "Two-Factor Authentication Tokens" InstantDoc ID 49938.
Some banks recommend that you have your photograph added to your ATM or debit card. This is an example of three-factor authentication, which is more secure yet. A sales clerk checks the card's photograph for a match with the person presenting the card before inserting it into the point-of-sale (POS) terminal and asking the person to enter his or her PIN.
Consider the example of your ATM or debit card and PIN. You need both the card
and PIN to withdraw cash or make a POS purchase. A stolen ATM or debit card
is essentially worthless without the PIN, which is why your bank recommends
that you never write it down or tell it to anyone. Because most PINs are only
four digits in length giving a maximum of 10,000 possible combinations, a user
must enter the correct PIN within a specified number of attempts, usually three,
before the account associated with the card is locked out. Without such a threshold,
an attacker with a stolen card could leisurely attempt each possible PIN to
gain access to the account. Some card issuers have introduced the concept of
a duress PIN. A duress PIN is an alternative PIN that, when used, tells the
card issuer that the account owner was forced to give up his or her card and/or
PIN, and to make it look like a transaction (e.g., a funds transfer) is working
or to report that there are insufficient funds for the transaction to complete,
while the appropriate authorities are notified and dispatched.
It's important to note that successfully authenticating yourself to a system doesn't give you unrestricted access. For example, before you can access your bank account or files on a server, you must be authorized. Authorization is governed by limitations such as sufficient funds or permissions in a discretionary ACL (DACL).
Smart Cards and Certificate-Based Tokens
Smart cards, such as those from Gemplus (http://www.gemplus.com/smart/cards/basics), and certificate-based tokens, such as SafeNet's iKey
series (http://www.safenet-inc.com/products/tokens),
are examples of two-factor authentication technologies. They have much in common.
Both contain microprocessors that support cryptographic operations such as the
generation of keys and hash functions. Each also contains a small amount of
memory, usually between 8K and 32K, to store one or more X.509v3 digital certificates
and associated private keys. The primary difference between smart cards and
certificate-based tokens is that a smart card requires an attached or built-in
reader on each laptop or workstation, whereas a certificate-based token usually
has a USB interface and requires only an open USB port, which most laptops and
workstations already have. Windows ships with the necessary drivers for using
smart cards and certificate-based tokens with many popular devices.
Before a user can use a smart card or certificate-based token to authenticate
to Windows, the user must have a certificate issued to the device. An enrollment
agent—typically an administrator or other privileged user who has the
ability to create and associate certificates to user accounts—inserts
the smart card into a reader or the certificate-based token into a USB port
on an enrollment station before launching the enrollment application. The enrollment
station usually is a secured computer with the necessary hardware and software
required by the smart card. The enrollment application might be a standalone
tool or something as simple as a Web browser pointed to the Certificate Services
enrollment Web site (http://<CAwebserver>/certsrv).
This authentication scheme requires a Public Key Infrastructure (PKI) integrated
with Active Directory (AD). The good news is that Windows 2003 and Win2K ships
with a Certification Authority (CA) and the necessary enrollment components.
When the enrollment agent enrolls a user to use a smart card or certificate-based
token, a public/private key pair is generated on the smart card or certificate-based
token device and the public key is sent to the CA. The CA creates and signs
a certificate and returns a copy to the enrollment station, where it's written
to the authentication device. A copy of the certificate is also stored in AD
as an attribute of the user to whom it was issued. During the enrollment process,
the enrollment agent is asked to enter a user PIN, which is used to restrict
use of the private key on the device. The enrollment agent might also set an
administrator PIN. The user PIN can be entered only a specified number of times,
usually three, before the card becomes locked. Once locked, the administrator
must use the administrator PIN to unlock the card and enter a new user PIN.
If a smart card or certificate-based token is lost or stolen, the certificate
stored on it can be revoked, making the device useless for authentication purposes
even if the PIN is known or guessed.