Control the Keys to the Kingdom
September 2, 2002
By Mike Fratto
It's All About Risk
The three main authenticators--what the user knows, what the user has and what the user is--have strengths and weaknesses, and we can make some generalizations about the credibility of the authenticator based on the difficulty of impersonating the user. The more assurance we can place in our authentication system, the more we can reduce the risk that user accounts will be hacked, which in turn lowers our overall exposure to attack. Getting that assurance takes the proper application of technology and the development and enforcement of authentication policies.
Let's consider passwords, biometrics and tokens.
Each method has a different level of strength. Passwords are considered weak because they can be shared or stolen, complexity rules are largely unenforceable and modern browsers offer the "convenience" of remembering user passwords. Although attempts have been made to strengthen passwords by disallowing simple words, users are ingenious at finding workarounds.
By the Numbers
52: Percent of 150 office workers polled who would download company information if asked to by a friend
42: Percent who would tell a friend his or her password
64: Percent who already gave his or her password to a colleague
2 out of 3: Number who gave his or her company password to the pollster!
Source: Human Firewall Council site, www.humanfirewall.org
While an attacker can attempt to crack passwords by searching the entire password space, a dictionary attack is faster because the set of dictionary words and their common variations is far smaller. For example, if you require users to select numbers and special characters in addition to the letters of the alphabet, you can bet that many passwords will be dictionary words with 1 or ! substituting for the letter I or L, or @ for a. Password crackers like Crack and John the Ripper effectively attack such passwords by checking for the most common permutations.
Bear in mind that requiring passwords to be more complex won't necessarily make passwords stronger (see "Password Woes? Look to the Users"). It does mean that users will comply with the rules and then promptly write the buggers on a notepad. You have to balance password complexity with user environment. Besides, why worry about cracking a password when shoulder surfing or fishing it out of a browser cache is so much easier?
Biometrics may provide a strong form of authentication--unless you suffer a major injury, your biometric can't be lost, stolen or used without your consent. However, the quality of biometric authentication is device-dependent because biometric readers are easily spoofed using tape, gelatin, camcorders and other high- and low-tech hijinks. In addition, biometric authentication is often used only for local access, such as logging into a workstation or server.
Tokens, on the other hand, make for stronger authentication because the user has to have the token in his or her possession and know a PIN to unlock or combine with the token code. Tokens are often called "two factor" because you need both the physical device and the PIN--something you have and something you know. Although PINs can also be shoulder surfed, they are useless without tokens. Because users have to carry their tokens with them they can be lost or stolen, but they can also be deactivated in the authentication server fairly easily.
Other authentication devices are available, such as proximity radio systems that detect badges within a specified radius and authenticate users; picture authentication packages, such as Real User Corp.'s Passface, which use pictures instead of passwords; and digital certificates, which fall under the "what you have" category. The problem is that any one system can be broken without great effort (you don't have to attack the technology, just the people), and users should have different authentication requirements depending on the sensitivity or value of the resources they are accessing.
We can strengthen the process by requiring multifactor authentication, thus increasing the overall assurance that a user is who she says she is and raising the cost and complexity of an attack. The relative strengths of the authentication methods should be additive, provided no two methods share secret data. For example, combining passwords with tokens means an attacker who wants to impersonate a victim must get the password, the token and the token's PIN--that's harder than just shoulder surfing a password. However, if the user password and token PIN are the same, the assurance you can place in your authentication method is greatly reduced. In addition, if the attacker steals a user's token, he or she may be able to use that token before the rightful owner realizes it's missing and has it deactivated.
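As an added example (not code from the article), here is a Python policy check that applies two of the points above: it undoes the 1/!/@-style substitutions described in the dictionary-attack discussion before comparing a password against a wordlist, and it rejects a token PIN that shares secret data with the password. The wordlist and substitution table are constructed samples; a real deployment would load a full dictionary.

```python
import itertools

# Constructed sample wordlist; a real deployment would load a large dictionary.
DICTIONARY = {"password", "secret", "welcome", "network", "computing"}

# Common substitutions the article describes, mapped back to the letters they
# stand for. A symbol may stand for several letters (1 -> i or l), so values
# are tuples and every reading is tried.
UNSUBSTITUTE = {
    "@": ("a",), "4": ("a",), "3": ("e",), "1": ("i", "l"), "!": ("i", "l"),
    "0": ("o",), "$": ("s",), "5": ("s",), "7": ("t",), "+": ("t",),
}

TRAILING_JUNK = "0123456789!@#$%^&*"


def candidate_words(text: str):
    """Yield every plain-letter reading of text, e.g. 'p@ssw0rd' -> 'password'."""
    choices = [UNSUBSTITUTE.get(c, (c,)) for c in text]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def is_dictionary_derived(password: str, dictionary=DICTIONARY) -> bool:
    """True if the password is a dictionary word with substitutions, or such a
    word with a short digit/symbol suffix (e.g. 'Welcome1!', 'secret99')."""
    lowered = password.lower()
    core = lowered.rstrip(TRAILING_JUNK)
    for variant in (lowered, core):
        if len(variant) < 4:
            continue
        if any(word in dictionary for word in candidate_words(variant)):
            return True
    return False


def pin_shares_secret(password: str, pin: str) -> bool:
    """True if the token PIN is the password, appears inside it, or is the
    password's digits; these are the shared-secret cases the article warns about."""
    digits = "".join(c for c in password if c.isdigit())
    return pin == password or pin in password or pin == digits


def check_credentials(password: str, pin: str) -> list:
    """Return the policy problems found; an empty list means acceptable."""
    problems = []
    if is_dictionary_derived(password):
        problems.append("password is a dictionary word with common substitutions")
    if pin_shares_secret(password, pin):
        problems.append("token PIN is derived from the password")
    return problems
```

Note that trying every reading of an ambiguous symbol grows with the number of such symbols in the password, so a production checker would cap the number of candidates it expands.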