In the August column, we established that passwords, for all their widespread use, have two fundamental problems: They can be shared, and they can be stolen. Most important, perhaps, is that when a password is compromised, the password holder is generally unaware. Industry has given us two solutions to these password problems. The first is token-based authentication; the second is biometrics. Both strong authentication methods have profound problems and clear advantages, depending on your needs.
As CSOs know, the fundamental motivation behind using both tokens and biometrics is to replace easily compromised passwords. Because neither system uses the same password every time you log in, they are not susceptible to keyboard sniffers, shoulder surfing or many socially engineered attacks. But what CSOs need to remember is that both of these so-called strong authentication systems are far from perfect.
Our recommendation to CSOs is to deploy token-based systems for knowledge-based employees, especially those who need remote access. Use biometrics in workplaces requiring physical access control and in environments, such as retail, that experience high employee turnover and where employees have an incentive to cheat the system (for example, with time cards).
For authenticating to remote systems and servers, token-based authentication is the clear winner today. It can be used with the widest variety of systems and is the easiest to deploy. Costs increase with the number of users, rather than the number of locations where users need to authenticate. Token-based systems require the least amount of training. And it is readily obvious to users when their tokens are lost or stolen.
The salient feature of most token-based systems is the token itself. These are typically small, handheld devices that either have a little screen with numbers or a plug you can insert into the USB port of a typical computer. Each token has a unique serial number and some kind of hidden secret. When the user tries to log in, the token uses that secret to prove that itand presumably the useris legitimate. Once this proof is performed, the system lets the user log in.
Probably the best-known token is RSA Security's SecurID. This token has a small LCD screen displaying eight digits, which change every minute. To log in to a remote computer, you type your user name, a password, and the digits that the token displays. The remote computer takes this information and sends it to the authentication server, which looks up your name and verifies the password, then performs some tricky math to see if the number you typed is the number your token should have displayed. If this calculated number matches the number you typed, permission is granted.
Although SecurID has been on the market for more than a decade, it has recently come into public view as phishing, pharming and Trojan horses have become a widespread problem. Last year, for instance, both AOL and E-Trade Securities announced they would make the SecurID token available to any users who requested it. More and more, I'm seeing the ubiquitous SecurID token at conferences when attendees want to access their corporate e-mail. Of course, there's a downside: Leave your token at home and you can't log in. Also, if you have five websites that all use token-based authentication, you'll need to carry around five tokens. This isn't a major inconvenience for people who do Web banking at home once a week, but it is a hassle for people who need to routinely use a variety of token-protected services.
Note that the SecurID doesn't eliminate passwords: It just gives every user a second passwordone that changes every minute. This means that users can still forget their passwords, which can create headaches for help desks.
Cryptographic tokens are based on public-key cryptography. The token creates a key pair consisting of a public and a private key. The public key is then certifiedthat is, it is signed with the organization's private keyand the certificate is also stored on the token. To prove your identity to a remote service, you plug the token into a USB port. Your token then engages in a challenge-response protocol with the remote service that proves the token has the private key. The certificate proves that the key is authorized.
The security of this approach comes from the fact that the private key never leaves the token: Unplug the token from the USB port and there is little chance that somebody can pretend to be you. Most cryptographic tokens further lock the private key with a PIN or password. In theory, this prevents unauthorized use in the event that the token is lost or stolen. Alas, research by Ross Anderson at the University of Cambridge in England has shown that it is remarkably hard to build a token that can really make good on these guarantees when it's being tested by a determined and reasonably well-funded adversary. Nevertheless, cryptographic tokens still provide dramatically more security than passwords alone.
But despite their added security, tokens are not foolproof. A person in the office can borrow or steal your token, just as he might borrow or steal your password.
Biometric-based systems work best in environments that require physical access control. This is because the cost is at the authentication point, rather than with the individual being authenticated. Although biometrics generally require more training, most employees will find them easier to use. But there is a big caveat here: Some employees will not be able to enroll in a biometric system and will need to have a backup system.
Biometric authentication systems, such as fingerprint or iris readers, are becoming increasingly popular in applications that are especially vulnerable to fraud or abuse; after all, there's no way to share your fingerprint.
But biometrics are not foolproof. They don't offer the mathematical precision that comes with cryptographic keys or passwords. Just as each photograph you take of my face might be a little different, so is every scan of my fingerprint. As a result, biometric systems have complicated algorithms that take two measurements, and then try to determine whether the match is close enough. Unfortunately, there's no right answer.
Biometric systems are plagued by errors. Make the system accepting of fuzzy matches so that it can tolerate people who have dirty hands from time to time, and you increase the chance of an accidental mismatch, something called the false acceptance rate (FAR). Make the system more picky, and you decrease the FAR, but simultaneously increase the false rejection rate (FRR).
Biometrics are undemocratic: Some people can use them with ease, while others use them only with great difficulty, or sometimes not at all. Children, Asian women, and the elderly sometimes have problems with fingerprint readers because their fingerprints are too small or too fine. Some people lack hands altogether. These kinds of incidents contribute to the system's failure to enroll (FTE) rate. Other people can enroll in the system, but for whatever reason cannot get the system to verify their identity once it is on file. This is known as a failure to verify (FTV).
Biometrics is a young field with a profound lack of standardizationnew and sometimes better biometrics are being developed every year. As a result, a CSO must evaluate the FAR, FRR and FTE and FTV rates of any proposed biometric system to see if the reliability of the system is adequate for the proposed application. A system that has an FTE rate of 1 percent might be fine in an office with 500 people: The five individuals who can't enroll with the system could be given USB security tokens. But the same system would be inappropriate as the basis of a national identification system designed to certify the identities of 100 million people.
Biometrics Aren't Foolproof
Biometrics are also susceptible to replay attacks. The simplest is to replay the biometric itself: A friend of mine once fooled a voiceprint lock into opening because he and his brother, the lock's authorized user, sounded so much alike. Researchers in Japan demonstrated how to use gelatin to make a gummy finger with a lifted print: In tests both there and at MIT, the lifted print could fool commercial fingerprint readers. Face recognition systems have been fooled by a photograph of the person to be identified being held up to the camera.
But while these attacks are fun to perpetrate, they aren't practical if you are sick in bed and need to let your assistant log in to your desktop so that you can get a printout of your e-mail. Although it is possible to set up some kind of delegation with biometrics, in practice such systems are rarely set up before they are needed. Thus, biometrics can create problems for authorized users because the people who install them usually don't anticipate the messiness of day-to-day operations.
Although we're likely to see more and more biometrics in the coming years, to date these systems have been most successful when they are deployed to limited user communities that can afford the installation costs, training and inevitable hand-holding. For applications where the users themselves have an incentive to bypass the authentication technology, biometrics are a good alternative to passwords. But for many applications, tokens can be both simpler and more democratic.