The Strong Authentication Battle

Tokens and biometrics are often used to replace insecure passwords. But these strong authentication systems are far from perfect.

In the August column, we established that passwords, for all their widespread use, have two fundamental problems: They can be shared, and they can be stolen. Most important, perhaps, is that when a password is compromised, the password holder is generally unaware. Industry has given us two solutions to these password problems. The first is token-based authentication; the second is biometrics. Both strong authentication methods have profound problems and clear advantages, depending on your needs.

As CSOs know, the fundamental motivation behind using both tokens and biometrics is to replace easily compromised passwords. Because neither system uses the same password every time you log in, they are not susceptible to keyboard sniffers, shoulder surfing or many socially engineered attacks. But what CSOs need to remember is that both of these so-called strong authentication systems are far from perfect.

Our recommendation to CSOs is to deploy token-based systems for knowledge-based employees, especially those who need remote access. Use biometrics in workplaces requiring physical access control and in environments, such as retail, that experience high employee turnover and where employees have an incentive to cheat the system (for example, with time cards).

Token-based Authentication

For authenticating to remote systems and servers, token-based authentication is the clear winner today. It can be used with the widest variety of systems and is the easiest to deploy. Costs increase with the number of users, rather than the number of locations where users need to authenticate. Token-based systems require the least amount of training. And it is readily obvious to users when their tokens are lost or stolen.

The salient feature of most token-based systems is the token itself. These are typically small, handheld devices that either have a little screen with numbers or a plug you can insert into the USB port of a typical computer. Each token has a unique serial number and some kind of hidden secret. When the user tries to log in, the token uses that secret to prove that itâ¬and presumably the userâ¬is legitimate. Once this proof is performed, the system lets the user log in.

Probably the best-known token is RSA Security's SecurID. This token has a small LCD screen displaying eight digits, which change every minute. To log in to a remote computer, you type your user name, a password, and the digits that the token displays. The remote computer takes this information and sends it to the authentication server, which looks up your name and verifies the password, then performs some tricky math to see if the number you typed is the number your token should have displayed. If this calculated number matches the number you typed, permission is granted.