Replacing Passwords With Other Security Gadgets?

jfmiller asks: "I'm an intern at an anonymous government agency (not the TLA kind). I have been tasked with simplifying and increasing password security. At present each of our users must log into Novell (and winnt) then Lotus Notes, telnet into a both a local and a statewide mainframe and then log into the individual subunits of each of those systems. In all they have to remember something like 7 passwords. What technology is available to simplify this situation? What experience have people had? I'm especially interested in Biometrics. Remember: the sky's the limit, after all, it's your tax dollars at work."

Re:How many?

[tzanger]

with biometrics you can't reissue a retina. If someone gets an face scan of an employee they've got a login forever.

That's why most sane security measures take a combination of Things You Have and Things You Know. So a sane biometric-based security measure would be a face/eye/voice/fingerprint scan and a short (5-6 digit?) passcode. In the unlikely event that you lose the face/eye/voice/finger the system can train a new one through adminstrative or "group of knowns" means.

Re:two different problems

[Finni]

If you already have Novell, why not use Novell's Single Sign-On? [novell.com] It stores all the other auth credentials in NDS. All the user needs is their NDS password. To make it spiffier, you can add-on the Modular Authentication Services [novell.com], which will work with smartcards or biometrics.

Skip Biometrics

[scotpurl]

I mean, you're going to be accessing state-owned Mainframes.

What you need is a little password synchronization to simplify things.

First, install the Notes password synch services, which logs you in to Notes if your NT password matches the Notes password.

Next, use Samba to synchronize NT and Unix passwords. Set up Unix so that you're using NIS. Now we're up to 3 systems using the same password. Lotus Notes can be configured to use NT authentication, via IIS, but it's not easy. There's also several third-party products, but we frankly wrote our own.

As for "unified login" products, I've seen and used several, and they all sucked. Most of them just cache your password locally with encryption, then use the Windows APIs with calls to intercept logins, and present your credentials for you. There was no attempt to use the same credentials database on the back end. Think of it as a pluggable authentication module. Every one of your products should use the same authentication on the back end. Each time you eliminate one of those credential databases, you elminate jobs, complexity, software, problems, password-resets, hardware, and you save money.

If you can ditch either NT or Novell (more likely Novell), then you can reduce the number of logins. Most folks I've seen using Novell are using NDS for just basic authentication, and adding only complexity (meaning, they don't get what NDS is for). That, or they're just doing print spooling, which Samba, NT, or a decent LAN card for a printer can all do.

Biometrics, dongles, java buttons, SecureID cards, and all that are interesting, but if you either forgot your little device, or the computer doesn't have a way to read that device, you can't log in. That's why the use of passwords and login names will be the norm for about 15 more years.

Password Synch - UNIX Mainframes NT Notes Novell

[CoderDevo]

Full disclosure: I work for this software company as a developer. It's a great company - happily employed.

We offer a product that does this: "Control-SA [bmc.com]"

BMC Sofware Security Management Solutions [bmc.com]

You can centrally manage user accounts and group profiles for a wide variety of systems. You can take it further by assigning employees to roles which causes user accounts to be created with the necessary authority to do their specific job.

The Control-SA server runs on UNIX; the administration GUI runs on NT or UNIX.

Password synchronization is done by catching the password when it is changed on a system and sending it out to that user's accounts on other systems. Passwords are not stored in Control-SA. Another way to do password synch is to use the "Control-SA PassPort [bmc.com]" product which lets users type in their new password in a HTTPS(SSL) web page. The new password then gets pushed out to their accounts by our server.

I have a question though. How will you synchronize passwords on California's state mainframes without requiring software to be installed on them?

Sorry for the advertisement, but I have a lot of respect for this product and my co-workers. It is very popular with large & medium companies and government agencies.

Smart Cards

[dbullock]

Litronic ( www.litronic.com ) has some nice smart card enabled technologies.

How many?

[holloway]

How many people are you catering to? If there's only a few people using biometrics might be OK - you can control that. But I wouldn't use biometrics for anything larger than 100 people (unless there was very tight security at login terminals). The reason is that if passwords are stolen you can change them - with biometrics you can't reissue a retina. If someone gets an face scan of an employee they've got a login forever.

...Though I guess you could move around body parts when one was compromised. Har! har!

Re:Simplify, simplify, and simplify?

[anticypher]

you will need to develop a means of synchronizing passwords across the enterprise. This is a task in itself.

This is such a huge task, there really doesn't exist any simple solution.

A variety of schemes have been created to provide single logon capabilities, the most recent and most promising is directory services, the protocol is called LDAP. Directory services exist in Novell (NDS), M$ has a tech called ActiveDirectory, Cisco has Directory Enabled Networking, there are add ons for Oracle DBs, and the list goes on. Check into LDAP based security authentication and authorization products for each system you have to convert. You'll be out of luck for older systems, but even if you can add directory services to half what you need, people will notice the improvement.

I don't know of any security dongle/card/biometrics reader that can easily allow logons to legacy applications or bespoke systems. A tremendous amount of engineering effort will be required to change the logon/authorization mechanisms, and if you don't know what you are doing you will probably create all kinds of security holes.

Since the TLA has asked jmiller to find a way to circumvent statewide mainframe access controls, it shows a level of naivety bordering on the criminal. If I were running an important legacy system which required each user to authenticate through a tested and understood mechanism, I would immediately cut access to any little agency that tried to automate that process. Certainly access should be denied if they choose an engineer who had to post a question to /. rather than find the budget to bring in some real security professionals for guidance.

the AC

Simplify, simplify, and simplify…

[Kefaa]

It appears your requirements are to simplify the login and security process. Regardless of the solution on the front end, you will need to develop a means of synchronizing passwords across the enterprise. This is a task in itself. I am certain someone here knows of a software package that does this.

Biometrics, while having some very cool technology, does have some drawbacks. Mainly, they depend on people to remain somewhat consistent across your workforce. While this would seem easy enough, consider that fingerprint scanners assume you have one. That eliminates most people missing hands, although they may be capable of doing the job.

Retinal scanners, and voice print have some issues with consistency (i.e. colds, hangovers, etc.) that can present an issue especially if you are not in a very high level security area. (You will become immediately unpopular the first time your boss cannot get her presentation, because of a head cold).

Now there are ways around all of these issues. However, if you have to handle the exceptions in the normal process of business, then what is the point?

You may want to try a key fob RSA SecurID [rsasecurity.com].[I am sure there are other companies too] The fob changes its code every 30 seconds in synchronization with its host. A friend consults at a company that uses this to create a connection from anywhere. They have it set up to use a pin, key fob, IP combination to authenticate. If any one piece is changed, the access is rendered useless. After signing in, you are set to go. Now she did end up with two fobs but I believe that one is the "normal" environment, and the other authenticates the high security system when she needs access there.

Good luck, and I would be interested in hearing what you decide upon.

- There's so much I still don't understand...as it should be

Centralized Authentication, SSO, or tokens?

[Nonesuch]

There are three issues here-

1. Centralized Authentication.
   Do you need a cluster of 'authentication servers' so all the various systems can use a single authenticatior?
2. Single Sign-On.
   Do you need users to authenticate once at the beginning of the session, and be able to access distributed resources without having to re-authenticate for each server/service?
3. Password Replacement
   Do you need to eliminate insecure reusable passwords and provide a multi-factor (Something you know, something you have, something your are) authentication mechanism?

There are various solutions that solve some or all of these problems. As it happens, I consult on these issues for a living.

Eye Remember my password

[milgram]

I guess I won't have to remember where I left my eye...

two different problems

[peccary]

first off, trying to consolidate everything into a single authenticator is not a problem of biometrics. What you're looking for is something called "single sign-on", in which a single authenticator can be used to obtain authorization for a variety of different services. It's been a couple of years since I worked in that field, but in 1996 or so, IBM was doing some interesting work. I think they called their product something creative, like, GSO (Global Sign On). They did support the systems you named, and they provided an interface to develop authentication hooks for the other systems.

Now, if you want that single authentication process to include a biometric scan or hardware token, that would be sorted out after you design (or even implement) the single signon infrastructure.

Rainbow's iKey

[petee moobaa]

I've seen mention of Dallas' iButton [ibutton.com]; thought I'd also mention Rainbow's iKey [rainbow.com].

Plus for the iKey: it's a USB device, so most PCs can chat to it. There's even an NT stack for it, though I suspect that non-M$ OS support is lacking. I do believe that there is a single-logon software suite that supports the iKey.

Dallas Semiconductor's Java-Powered iButton

[PatJensen]

I've posted this before I think, but Dallas Semiconductor makes a Java-Powered secure iButton, which can connect via a parallel or USB reader. The drivers support Windows 98, NT 4 and Windows 2000. It can store private key certificates, with a password. The built-in Java based PC can lock the iButton after 5 invalid logins as well.

They are about $24/person and are quite indestructible. It also supports one touch Windows 2000 system logins too and they open source most of their development kit and have some good resources if you are designing a solution. Check out www.ibutton.com.

-Pat

Re:How many?

[ffsnjb]

Any decent software for face recognition is able to tell the difference between an actual face and a photo, or even if you were a freak like Hannibal, cut off the skin of the person you were trying to fuck with, and use it as a mask. 3 dimensions are a good thing.

An easy step

[nurikochan]

I have been tasked with simplifying and increasing password security. At present each of our users must log into Novell (and winnt) then Lotus Notes, telnet into a both a local and a statewide mainframe and then log into the individual subunits of each of those systems.

An easy way would be to GET RID OF TELNET!!! It sends passwords as PLAIN TEXT! If you want ANY security here's my reccomendation: GET RID OF IT! Implement either Kerberos authentication or use SSH.

Novell logins

[Whatever Fits]

You can readily integrate the Novell login into the NT login. I see it all the time at a local unnamed government entity who is one of my customers. In addition to all the other mentions regarding SAMBA, etc. to synchronize passwords with systems, I really like the hardware keys and biometrics.

I use fingerprint authentication on several systems here. I enjoy it. It works. To a point. Just don't was your hands right before logging in. That causes enough tissue swelling that you can't get an accurate reading. I use a $100 scanner from Digital Persona [digitalpersona.com] that we routinely pick up at Fry's. These things are very flexible and cheap enough to be used on any USB system. They currently only have Windoze support for their drivers, but I haven't checked in a while. I like the hardware tokens like iButton [ibutton.com] which can store enough data to provide a login for each individual system. Some awefully large amount of storage for keys and completely waterproof, etc.

If you want to keep people from taking them home and losing them, have a security guard type checkout for these bad little boys. That depends upon your level of security, of course. If someone loses one, it can be disabled from the network immediately and a new one issued. Every time they lose one, dock their pay! I know their union would have a fit for that! ;-)

Perhaps

[JediTrainer]

Maybe an iButton [ibutton.com] might do the trick. You can put these in keyfobs, on rings, build them into wallets etc. You can get one of the ones guaranteed to have a unique id on them (they're cheap too), and issue them to all of your staff.

Unfortunately you might have to write some software to automate the login process there. The bonus will be that they won't even have to remember their password at all - let the iButton handle that!