Two Factor Authentication Systems? 69
HerculesMO asks: "I've been given a project to undertake that involves setting our internal network systems up to have two factor authentication. I need suggestions to take in front of our CIO that shows how the security model works, cost vs benefit/features, and the different options. At this point, the name brand is RSA and I'm pressed to find any others even though I've done looking around. We are open to biometric tokens as well, because they may be used for digital certificate signing for e-mails. Sadly, it has to integrate with our Windows 2003 Active Directory set up... it's not Linux, but I figure Slashdot readers can come up with lots of Linux security tokens that will work under Windows too, so please have at it! :)"
RFQ (Score:5, Insightful)
What you might ask
But you know your system and requirements best.
Re:RFQ (Score:3, Funny)
Can weaken security? (Score:4, Interesting)
Now we have switched to cisco VPN plus RSA software token. This is not any better. Now we have a certificate, rsa token, and then we enter a pin number, as short as 4 digits.
This has not improved security one bit, it has actually weakened it. If a laptop is stolen, the "piece you have" went with it. The software token doesn't provide any security over the vpn certificate. Then, the "piece you know", the PIN, is significantly weaker than the old piece you had to know, the domain password (which was a real password with moderately strict rules on complexity).
The whole thing is a counterproductive wankfest. Perhaps you can do it better, but this should be an example of what not to do.
-molo
Re:Can weaken security? (Score:1)
Re:Can weaken security? (Score:2, Informative)
Re:Can weaken security? (Score:4, Insightful)
Re:Can weaken security? (Score:1)
Couple of choices that I remember (Score:5, Interesting)
Now, what's nice about SecurID is AFAIR it's the only token that does *time*-based auth (ie, the displayed number sequences change constantly as a function of elapsed time). However, there's a really ugly problem with their auth servers that we accidentally discovered trying to set up a replicated server for failover purposes. To wit: the servers only sync based on a timed (as opposed to event-based) schedule. So, in the normal course of events, you can sometimes reuse the same token (# stream on the hardware device) even though they supposed to be single use. This happens when you attempt to have both servers service requests, and login 1 uses server A to authenticate against, and login 2 ends up using server B to authenticate in a very short period of elapsed time. Server A hasn't had a chance to tell server B yet that it's already seen that particular number sequence, so B happily accepts it.
Now, the devious-minded can see a problem here... You can be sniffing a network connection, get the token, pin, and password from the network ("hey, we have these hardware tokens, why should we ssh/ssl/vpn?" or what annoyed me, "we can't use ssh key authentication, we *must* use password auth with this"), then DoS one of the auth servers, and attempt a login with the same credentials, hoping to get an alternate, not-yet-synced auth server. Bang, you're in (eventually). So much for the whole non-replayable 2-factor authentication thing.
I don't think this problem was ever solved satisfactorially (I've since moved off that contract), but you can "solve" it by only having a single auth server...
Unfortunately, I know a lot less about CryptoCard, since we went with SecurID ourselves and didn't find the warts until later.
Oh, yeah, good thing this is just windowss, as linux was ok, but Digital Unix and Irix were a bitch to get working with SecurID.
Re:Couple of choices that I remember (Score:2, Insightful)
2. Neither CryptoCard, nor any oth
Think bank cards (Score:3, Insightful)
easy. (Score:3, Funny)
See this article for pointers (Score:3, Informative)
It gives pointers to various offerings, including one-time passwords, hardware tokens, smart cards, and biometrics.
Two-factor Coming to 1 Million Paypal Accounts (Score:3, Informative)
This is significant, since you have a lot more phishing attacks targeting Paypal and eBay than the major banks these days.
Re:Two-factor Coming to 1 Million Paypal Accounts (Score:4, Insightful)
Secure Computing SafeWord (Score:2)
Re: (Score:2)
Re:Secure Computing SafeWord (Score:2)
Smart cards (Score:5, Insightful)
There are several providers of smart cards for use as a second authentication factor. The one I'm most familiar with is ActivCard [activcard.com]. Their stuff is reasonably good, and if it helps in your corporate environment IBM Global Services has a team that does a lot of ActivCard integration, so you can get plenty of support from a reliable provider (for a price :-) ).
IMO, smart cards are a better solution than SecurID tokens. They're cheaper, allow your logical authentication token to be the same card you use as an ID badge (and perhaps for door access) and can do a lot more things. They can act as one-time password generators, just like a SecurID (but guarantee non-reusability of the passwords, unlike SecurID, as mentioned by another poster) but they can also:
The major disadvantage of smart cards as compared to SecurID tokens is that smart cards have no display, so you need a smart card reader to use them. This means that, for example, you could use a SecurID to authenticate to a corporate web site from an Internet cafe, whereas you might not be able to attach a smart card reader to some random PC. As a partial solution, handheld, calculator-like smart card readers exist that can retrieve a one-time password from the card and display it on a screen. I say it's a partial solution because carrying two devices is less convenient than one SecurID. The cost of such a device, plus a card, plus a regular PC-attachable card reader all totals to something less than a SecurID token.
Disclaimer: I work for IBM Global Services, in the group that does smart card stuff, including ActivCard integration work, so I have some biases, but I also have a deep knowledge of the industry and, at present, I think the ActivCard product set is the best choice available, overall. Cryptocard has some good stuff as well, but it's not as complete or as mature, especially in the area of enterprise card management (issuance, re-issuance, revocation, etc. all needs to be integrated and automated, complete with automatic key escrow and recovery, etc.). Both ActivCard and Cryptocard support Linux and OS X, though ActivCard's support for Tiger isn't there yet, and Cryptocard's is, mostly. ActivCard also supports Solaris, including SunRay environments. IBM has some nice assets that we use to build customized solutions, but our stuff is focused more on multi-factor biometric authentication for physical security than logical security.
Two-factor Authentication Conductor School (Score:2)
"Factor" means factor.
This concludes your intensive six-week training course.
A few pointers... (Score:2, Informative)
The biggest and most overlooked issue is the requirement for client-side software and drivers. The various OTP solutions (SecurID, etc.) are zero footprint. They can be used from any computer. If portability is as imporant as strong authentication, you should consider an OTP solution.
Smartcards and biometric devices require drivers at a mi
On the flip side (Score:3, Insightful)
Re:On the flip side (Score:3, Interesting)
Or worse yet, "Something that can be removed from your body with a saw;" in the case of biometrics. This is why biometrics don't appeal to me... if somebody wants my id with a password or smartcard, they don't have to do serious physical damage to me to get it (granted, they might anyway just to be malicious) but with biometrics
Re:On the flip side (Score:2)
You said it, man.
P.S. It's this kind of thing that makes me want to vote libertarian, as maybe companies won't be as stupid as the government about such biometric identity...
Re:On the flip side (Score:1)
It wasn't the users who, as passwords became more vulnerable, laid upon them these Draconian rules which mandate routine changes in all passwords, each to conform to some standard of sufficient complexity that guarran
Re:On the flip side (Score:2)
I'd say this is why a great many security schemes fail: contempt for the user
Contrary to what many believe the computer is there to help someone do a job, not to be an impenatrable vault for information. Anything you do that makes things o
One Time Password by Mobile Text (Score:3, Interesting)
Check out this link for more information on one time password authentication. I work for this company so of course I'm biased =) but its the best OTP service I've used. It will integrate fine with your AD or any other LDAP/SQL user source.
http://www.nordicedge.se/produkt_otp.shtml [nordicedge.se]
The major reason why hardware tokens are not so popular in my experience is that people think they are clumsy to lug about everywhere. Even the keychain versions are annoying. Smart cards are great but you need a computer with a smartcard reader.
I think we'll be seeing more and more applications aimed at users mobile phones, for the simple reason that everyone likely to use an online service is also likely to have a mobile phone.
Most people are much more likely to notice a lost or stolen phone, than a lost or stolen token device...
Good Luck in your solution.
Sigh, netkey is the *real* answer (Score:2)
You run a program locally (here's some [demon.co.uk]) or incorporate it into your client in which you enter your password and it spits out the 5 digit hash. Tell the server what the hash was, it compares it to what it thinks you should have entered.
All very simple and works just fine over unencrypted links !
plan9 uses it for ftp access
Apache / Firefox also support something similar for HTTP Authentication - your password is md5'd with some salt instead of just being base64'd
that is al
Re:Sigh, netkey is the *real* answer (Score:2)
vasco ? (Score:2, Informative)
my bank (SEB in sweden) has been using them for years.
the system is pretty easy to use. you don't need a CS major to work it.
PortWise (Score:2, Informative)
Nice Submission - "sadly" (Score:1)
Why troll?
Re:Nice Submission - "sadly" (Score:2)
Why troll?
To get the article posted.
PassGo (Score:2, Informative)
Axent Defender and ANSI x9.9 authentication (Score:2)
The Defender Hand-Held Token [defender5.com] looks exactly like the old (physically unreliable) Axent Defender tokens, which used the (withdrawn in 1999 [x9.org]) x9.9 Asynchronous authentication algorithm which was later proven to be extremely weak crytographically.
Many existing token products, including Vasco, Safeword, and ActivCard include support for x9.9 for backwards compatibility, as do a
Re:Axent Defender and ANSI x9.9 authentication (Score:1)
Simple 2-factor authentication solution... (Score:3, Insightful)
The second piece is simple - this is your password, just as it always has been. The second piece is not as simple, but not as hard as you think.
First, determine (or guesstimate) the average number of logins a user will do in a day to your system (whatever it is). Let's suppose it is three times a day (that may be a ridiculously low number, I know). Take that number, and multiply it by the number of days that you want to allow the use of "something you have" - let's say 30 days (or approximately 1 month). So, there you have 90 unique instances. Multiple that number by something I will call the "secure factor" - that is, the number of "somethings I have, to type in" - let's say in this case "4", for a total of 360. Take the square root of that and round up to the nearest whole number (in this case, 19), square it again to get your "number of values" - or in this case, 361.
Now, have your system generate 361 keyboard typeable characters and store them as a string in the user's login profile. Present this list to the user as a grid of numbers (in this case, a grid 19x19), marked off along the X-axis by letters, and the Y-axis by numbers. For a website this system would be VERY easy to implement.
When the user updates their password (which expires each month), they get a new grid of numbers to print out and keep with them. When the user logs in, the system presents a challenge to them for them to type in as part of thier login procedure - in our case, 4 "secure factors", like "A7 D9 A18 E10" - and they would have to type those characters from their grid into the provided area. The system would then take this, check it against what it has stored in the user's login profile, and if those numbers match, the login matches, and the password matches, the user is allowed access. Those numbers used are "marked off" as used in the user's profile, and a different set is picked on the next login. When all sets are used up, the user is prompted to change their password, thus generating a new set for the user as well (with instructions to throw away the old set). This system should allow for 3 logins a day for 30 days, or a shorter combo which expire quicker because you run out of values (longer combos will expire on the password expiration).
Thus, essentially, the "what you have" becomes a grid one-time-pad, generated when the password for the user is updated. For this system to be truely secure, the grid should be delivered over a secure channel (in the case of a web server, SSL) when it is generated. Other issues to think about is what to do if someone is trying to guess the one-time pad (maybe they have a scrap of it?) - maybe flag the account on a wrong attempt and have the user update the password? You would also need to think about what to do if the user has lost the pad.
All in all, this solution or something similar could be pretty robust, fairly compact (if you make the printed OTP compact), and portable across all systems. Plus, it is fairly easy and cheap to implement (and train for). However, as I cautioned in the start, it is probably a patented method, but I think such a system is so obvious I wouldn't be surprised if there existed a PEAR (PHP) or CPAN (Perl) module for it...
Please elaborate... (Score:2)
Re:Please elaborate... (Score:2)
Then it's just a matter of planting a keylogger (software or hardware) or even just looking over the shoulder to get the "something you know".
I do agree it's a nifty solution that would be better th
Re:Please elaborate... (Score:2)
Re:Please elaborate... (Score:2)
For some reason I thought you proposed an OTP system where each password was crossed off by the user (so the OTP selection works on sequence). In this way, the system would at least expose when your card has been copied and used (because now the user's set of passwords is out-of-sequence). Except for when the attacker is able to temporarily get your card and mark off a few passwords for you, the way I pointed out in my other post.
B
Re:Please elaborate... (Score:2)
Re:Simple 2-factor authentication solution... (Score:1)
Re:Simple 2-factor authentication solution... (Score:1)
Re:Simple 2-factor authentication solution... (Score:2)
So no part of the matrix is every repeated; the eavesdropping attacker can't do anything with learned matrix elements, because the system will never ask for those elements again.
Re:Simple 2-factor authentication solution... (Score:1)
And the 2 other problems still pose a big problem.
Face it - the idea is crap. Don't fix a bad problem (passwords are weak) with crap - all you get out of it, is a system that stinks.
Re:Simple 2-factor authentication solution... (Score:2)
Re:Simple 2-factor authentication solution... (Score:1)
And there is no one-time pad in the suggested solution. One-time pad is a (secure) encryption. There is OTP = One time passwords, which can be secure. The above would work I guess if you threw in
Re:Simple 2-factor authentication solution... (Score:3, Insightful)
Whilst I don't pretend to have the knowledge of even a first year undergrad specialising in cryptography, I have studied basic cryptographic techniques as part of my EE degree, and my understanding of the term "one time pad" is that it describes Alice and Bob both being in posession of the same list of arbitrary sets of data which can be utilised as secret
Re:Simple 2-factor authentication solution... (Score:2)
I have read over all of the comments, and yes, they all have merit. I may not have made it clear, but I was hoping to get across the idea that both the delivery of the OTP and the entry of the factors from it would be done via an SSL (or other) secured method.
Since my knowledge of crypto is weak (as clearly demonstrated by the numerous and insightful responses), I am curious as to how, if the delivery of the OTP and entry of the factors is done via SSL, how a man-in-the-mid
Re:Simple 2-factor authentication solution... (Score:2)
You probably know already what MITM is about, but let me waffle on some more
Re:Simple 2-factor authentication solution... (Score:1)
And no there isn't anyway that you can make this secure (as the other poster have said in his reply there is always the man in the middle).
What you need to make this secure is some advanced cryptology (or said in other words - don't try this at home kids).
The are several approaches, one being Zero-Knowledge (ZK). ZK is a proof that you know a secret without telling the r
Re:Simple 2-factor authentication solution... (Score:1)
A one-time-pad is when you use a shared secret to encrypt a message by taking the message and the shared secret and xor'ing them together.
Note that:
1. The key and message must have exactly the same length
2. The shared secret must be a uniform random (i.e. a shared sentence will not be enough)
3. The shared secret can only be used once
If that is satisfied it gives you the only provable 100% secure encryption (provided the shared secret is secret fo
RFP - (Score:1)
Dogbert Consulting Services
We secure your cash so you don't have to
Consider WiKID - FD: I work there (Score:2, Informative)
Available in both open (https://sourceforge.net/projects/wikid-twofactor/ [sourceforge.net]) and closed source (http://www.wikid.com/ [wikid.com] versions. Closed source supports wireless devices such as Blackberries, Palm, PocketPC J2ME. Unlike certs, there is no need to manage white & black lists (CRL) etc. Unlike RSA soft tokens, the PIN is stored on the server and communication between the token and the server is encrypted asymmetrically. If the token is stolen, the PIN must be checked at the
IdentityGuard (Score:1)
Stupid q: don't you mean three factor? (Score:2)
- Username
- Password
A system that simply lets walk-up users enter with no regard to who it is uses no authentication (think of a Windows system that boots to the desktop with no password prompt). A system where you have to identify yourself (username) but not verify the identity (password) uses one-factor authentication (think of a Windows system where there's a password prompt, so
Re:Stupid q: don't you mean three factor? (Score:1)
Simple answer: No
Why: UserID and Password are both from the same factor: Something the user knows
http://en.wikipedia.org/wiki/Authentication [wikipedia.org]
Not All Tokens Are Equal (Score:1)
Not even all OTP tokens from, say, RSA Security -- the vendor I know best -- are created equal.
Specific mechanisms for "strong authentication" -- since the 1970s, by classical definition, an app which relies on at least two of the three factors (something known, something held, something one is) by which a computer can validate the identity of a pre-registered human user -- are designed for a particular threat environment.
Typically, in a variety of f
Yeah, We've Got That (Score:2)
Features:
smart-card authentication for Active Directory clients.
It's really easy to convert as few or as many clients/users as needed.
Users can be enrolled and administered from any PC. (With proper authority and token)
If you have HID prox cards for physical security, we can manufacture a combination prox/smart card. If you have an ID card system, you may be able to re-issue
Multifactor Authentication (Score:1)
Entrust IdentityGuard (Score:1)