
Two-factor authentication: Difference between revisions

From Wikipedia, the free encyclopedia
Phinnaeus (talk | contribs)
m Reverted edits by 129.237.53.22 to last version by 24.21.231.89
'''Two-factor authentication''' (T-FA) is any [[authentication]] [[protocol]] that requires two forms of authentication to access a system. This contrasts with traditional [[password]] authentication, which requires that a user only know a password to gain access to a system.

Three authentication '''''factors''''' are recognized:

* '''Something you know''', such as a password or PIN
* '''Something you have''', such as a credit card or [[hardware token]]
* '''Something you are''', such as a fingerprint, a retinal pattern, or other [[biometrics]].

Common implementations of two-factor authentication use '''something you know''' as one of the two factors, and use either '''something you have''' or '''something you are''' as the other factor.

Using more than one factor of authentication is also called '''''strong authentication'''''; using just one factor, for example just a password, is considered '''''weak authentication'''''.

[[Image:Chipandpin pad.jpg|right|thumb|A [[Chip and PIN]] system in use]]
A common example of T-FA is a bank card ([[credit card]], [[debit card]]); the card itself is the physical item, and the personal identification number (PIN) is the data that goes with it. See [[Chip and PIN]] for more information on this.

According to proponents, T-FA could drastically reduce the incidence of online identity theft, and other online [[fraud]], because the victim's password would no longer be enough to give a thief access to their information. However, [[Bruce Schneier]] argues T-FA is still vulnerable to [[Trojan horse (computing)|trojan]] and [[Man in the middle attack|man-in-the-middle]] attacks{{ref|Bruce}}.

== Examples ==

Some examples of T-FA include:

*[[AOL|America Online's]] Passcode service, in which users get a small handheld six-digit numeric code key. To log onto an AOL account equipped with the service, users must enter the six-digit code, which refreshes on the device every 60 seconds, in addition to the user's standard password.
*[[RSA]]'s [[SecurID]] product. RSA is making this product available for [[Microsoft Windows]] users under the premise that it can help "ensure that valuable network resources are accessible only by authorized users" while "simultaneously delivering a simplified and consistent user login experience."
*[[VeriSign]]'s Unified Authentication managed service, in which enterprises deploy Universal Serial Bus ([[USB]]) tokens to all their users and VeriSign manages the infrastructure.
*[[IBM]]'s new [[ThinkPad]], which includes a [[fingerprint]] reader that signs users in to all their password-protected accounts.
*[http://www.wikidsystems.com/ WiKID Strong Authentication] uses asymmetric encryption to securely deliver one-time passcodes upon receipt of a validly encrypted PIN from a software token running on an internet-connected device (cell phone/Blackberry/Palm/PocketPC or a Windows/Mac/Linux PC).
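The AOL Passcode entry above describes a handheld device showing a six-digit code that refreshes every 60 seconds, entered alongside the normal password. The following added example (not AOL's or any vendor's code) shows how a server can verify such a login so that both factors must pass: the password is checked against a salted, stretched hash, and the code is checked against a time-step counter with one step of clock-drift tolerance. The code derivation uses HOTP-style truncation (RFC 4226) over a per-device secret; the secret, salt and 60-second step here are constructed demo values, and the real AOL device used a different proprietary scheme.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo values (not AOL's real parameters): one shared secret per
# device and a 60-second step, the refresh interval of the code key above.
DEVICE_SECRET = b"constructed-demo-secret-not-a-real-key"
STEP_SECONDS = 60
CODE_DIGITS = 6

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, stretched hash of the 'something you know' factor for storage."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def time_code(secret: bytes, step: int, digits: int = CODE_DIGITS) -> str:
    """Numeric code for one time step, using HOTP-style dynamic truncation (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)

def current_code(secret: bytes, now: float) -> str:
    """Code the handheld device would display at wall-clock time `now` (epoch seconds)."""
    return time_code(secret, int(now) // STEP_SECONDS)

def verify_login(stored_hash: bytes, salt: bytes, password: str,
                 secret: bytes, submitted_code: str, now: float,
                 skew_steps: int = 1) -> bool:
    """Accept only if BOTH factors pass: the password, and a code valid for the
    current step or one neighbouring step (tolerating one step of clock drift)."""
    password_ok = hmac.compare_digest(hash_password(password, salt), stored_hash)
    step = int(now) // STEP_SECONDS
    code_ok = False
    for d in range(-skew_steps, skew_steps + 1):
        expected = time_code(secret, step + d).encode()
        # Compare as bytes so a non-ASCII submission cannot raise an exception.
        if hmac.compare_digest(expected, submitted_code.encode()):
            code_ok = True
    # Both checks always run, so a bad password leaks nothing about the code.
    return password_ok and code_ok

if __name__ == "__main__":
    salt = b"constructed-salt"
    record = hash_password("correct horse", salt)
    now = time.time()
    shown = current_code(DEVICE_SECRET, now)
    print("device shows", shown)
    print("password + code:", verify_login(record, salt, "correct horse", DEVICE_SECRET, shown, now))
    print("wrong password :", verify_login(record, salt, "guess", DEVICE_SECRET, shown, now))
```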

== Problems with T-FA ==

Deployment of T-FA tools such as [[smartcards]] and [[USB]] tokens appears to be increasing. More organizations are adding a layer of security to the [[desktop]] that requires users to physically possess a token and to know a PIN or password in order to access company data. However, two-factor authentication still has drawbacks that are keeping the technology from widespread deployment and that are worth considering.

=== Tokens ===

Differences between the smartcard and USB token are diminishing. Both technologies include a [[microcontroller]], an [[operating system]], a security application and a secured storage area. Some distinguishing differences remain, however.

Smartcards, such as those offered by RSA and [[ActivCard]], are about the same size as a [[credit card]]. Some vendors, such as [[HID]] and RSA, are offering or developing smartcards that perform both the function of a proximity card and network authentication. You can authenticate into the building via proximity detection and then insert the card into your PC to produce your network logon credentials. The downside is that the smartcard is a bigger device, the card reader is an extra expense, the card is more likely to break due to its size, and it has less storage capacity than a USB token.

On the other hand, the USB token has a much smaller form factor and can easily be attached to a key ring. Thus, it is easier to carry. The USB reader is standard equipment on today's PCs, and the token tends to have a much larger storage capacity for logon credentials than smartcards. RSA, Aladdin, ActivCard, [[Authenex]] and [[Rainbow (software)|Rainbow]] are a few of the vendors offering USB tokens.

=== Biometrics ===

In both cases vendors are beginning to add [[biometric]] readers to the devices, thereby providing three-factor authentication. Users biometrically authenticate via their fingerprint to the smartcard or token and then enter a PIN or password in order to open the credential vault. However, while this type of [[authentication]] is suitable for limited deployments, involving a large number of users makes the solution unacceptably slow and comparatively expensive.

=== The challenges of authentication ===

So if smartcards or [[USB]] tokens provide all this security, why isn't everybody deploying them? It would seem to be a logical line of defense against intrusions and information loss. The first challenge is the difficulty of deploying the client [[IBM PC compatible|PC]] software required to make these systems work. Most vendors have created separate installation packages for [[network]] login, [[Web]] access credentials and [[VPN]] connection credentials. In other words, you may have four or five different [[software]] packages to push down to the client PC in order to make use of the token or smartcard. This translates to four or five packages for which you also have to maintain version control and ensure that they do not conflict with your business applications. If access is provided through [[web page]]s, it is possible to limit the overheads outlined above to a single application.

A new category of T-FA tools transforms the PC user's [[mobile phone]] into a token device using [[Text messaging|SMS messaging]]. While such a method simplifies deployment and does away with the need for proprietary hardware token devices, there are trade-offs, such as the recurring cost of the SMS messages sent.

=== Password security ===

The next concern is the security of the T-FA tools and their systems. Several products store passwords in plain text for either the token/smartcard software or its associated management [[server]]. In either case this negates only one of the two factors: although an intruder could easily find the password/PIN used to authenticate to the device, they would still need to be in possession of the relevant token or smartcard for this type of attack to work.

A further argument is that there is nothing to stop a user (or intruder) from manually providing logon credentials that are stored on a token/smartcard. All an intruder has to do is boot in [[safe mode]] with network support and scan the hard drive with certain freely available utilities to show all passwords stored in [[Internet Explorer]]. However, making it necessary for the physical token to be in place at all times during a session can negate this.

=== Software security ===

Another concern when deploying smart cards, USB tokens, and other T-FA systems is the security of the software loaded on to users' computers.{{ref|TechTarget}} A token may store a user's credentials securely, but the potential for breaking the system is then shifted to the software interface between the hardware token and the operating system, potentially rendering the added security of the T-FA system useless.

==See also==
* [[Authentication#Multifactor_authentication]]
* [[security token]]

== References ==
# {{note|Bruce}} [http://www.schneier.com/blog/archives/2005/03/the_failure_of.html The Failure of Two-Factor Authentication (Bruce Schneier, March 2005)]
# {{note|TechTarget}} [http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss426_art864,00.html Token Effort], ''"USB tokens aren't as strong as you think."'' (TechTarget, Jul 2004)

==External links==
* [http://www.wikidsystems.com/Problem/WhyYouNeedStrongAuthentication/ Why you need strong authentication]
* [http://www.rsasecurity.com/node.asp?id=1156 RSA SecurID]
* [http://www.securecomputing.com/ SecureComputing]
* [http://www.vnunet.com/news/1161914 Microsoft to abandon passwords], Microsoft preparing to dump passwords in favour of two-factor authentication in forthcoming versions of Windows (vnunet.com, 14 Mar 2005)

[[Category:Cryptography]]
[[Category:Authentication methods]]
[[Category:Computer security]]

[[fr:Authentification forte]]

Revision as of 02:13, 20 October 2005
