Authenticating a user on the network or over the Internet is one of the cornerstones of all security systems. Traditionally, authentication has been accomplished by asking for a username and password. In spite of the fact that this simplistic approach has been repeatedly compromised, it remains the predominant approach in use today. Many weaknesses have been exploited to compromise the username/password authentication model, including reuse of the same password across multiple sites, passwords that are easy to remember and therefore easy to guess, discovery of the place where a user has written the password down, and a variety of man-in-the-middle attacks in which a user's password is captured in transit and therefore compromised.
A superior method of authenticating a user involves the use of two factors or, as it is often called, two-factor authentication. In these systems a user is given some kind of security token or device, which is used along with a password to authenticate, following the common adage "something you have and something you know." In the realm of two-factor authentication, three basic strategies represent the majority of the market. Each has its advantages and disadvantages, which should be considered when choosing a two-factor authentication system for deployment.
RSA SecurID

Although SecurID is by far the most popular two-factor authentication system in use today, it is an old technology with serious weaknesses.

Earlier this year, the entire RSA system was compromised by a security breach which exposed sensitive data and forced RSA to reissue millions of one-time password security tokens. The security industry is now exploring other options to replace this aging technology. The most popular two-factor authentication system today is SecurID, marketed by RSA. The SecurID method of two-factor authentication involves issuing a card or a token to each user of the system.

These pocket-sized tokens each contain a small battery-powered electronic system that has been programmed with the algorithm of the one-time password strategy being used. Each time a user logs on to a SecurID system, a unique password is read from the device and keyed into the login computer by the user.
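The server side of the one-time password exchange described above, as an added example that is not from the original post. SecurID uses its own proprietary token algorithm, so this stand-in uses the open TOTP construction (RFC 6238, HMAC-SHA1 over a 30-second counter) to show the same verification steps: match the code against a small clock-drift window and never accept the same time step twice.

```python
# Added example (not from the original post): server-side verification of a
# time-synchronized one-time password. Uses the open TOTP construction
# (RFC 6238) as a stand-in for the proprietary SecurID token algorithm.
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30     # seconds per time step
DIGITS = 6    # length of the displayed code
DRIFT = 1     # accept +/- one step of clock skew between token and server


def totp(secret: bytes, counter: int) -> str:
    """Code the token would display for a given time-step counter (RFC 4226 truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class TokenVerifier:
    """Server-side state for one user's token: shared secret plus last accepted step."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1   # highest counter already used for a successful login

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        """Accept a code if it matches a step within the drift window and has not been used."""
        now = int(time.time()) if now is None else now
        step = now // STEP
        for candidate in range(step - DRIFT, step + DRIFT + 1):
            # Replay check first (each step is accepted at most once), then a
            # constant-time comparison so timing does not leak the expected code.
            if candidate > self.last_step and hmac.compare_digest(
                totp(self.secret, candidate), code
            ):
                self.last_step = candidate
                return True
        return False
```

The secret and timestamps in the test are the RFC 6238 reference vectors, so the expected codes can be checked against the RFC.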
Smart Cards

Another increasingly popular strategy for two-factor authentication uses a smart card issued to each user. Whether the smart card is a credit-card-shaped device or a chip built into a USB device, it operates the same way: it stores security certificates, which are read from the card when it is inserted into a computer at the time of log-in. The concept of using a security certificate to sign into a system securely rests on the principle that certificates, which are blocks of digital information, are signed by a trusted authority at the time they are created.
Many systems use smart card technology. One of the most popular is the PIV system deployed by the United States government. Other enterprise organizations issue smart cards to their users as a two-factor method of logging in to Active Directory. The Achilles' heel of smart card certificate authentication is the vulnerability of the trusted authority that protects the chain of signed certificates: every certificate it issues is trusted, so a compromise of the authority undermines every login that relies on it. This vulnerability has been underscored by a series of recent breaches, including the major breach of Comodo-signed certificates in 2011.
Gold ID

The third method of providing two-factor authentication is Gold ID. This technology is based on a hierarchical hardware key management system developed by GoldKey Security Corporation. Rather than relying on a one-time password algorithm or a trustworthy chain of signed certificates, the Gold ID system registers hardware tokens to hardware management and grand management tokens. This approach has significant advantages compared to the earlier technologies.
Gold ID greatly reduces the cost of initial deployment. The security function can be managed by non-computer personnel, bringing the matter of security back to the security department and out of the hands of programmers who already have access to the system. Since the process is managed entirely in hardware, it is much more flexible, giving the organization the ability to lock out disgruntled employees, recover lost credentials, and control access to critical information assets by multiple users, even when the assets are stored encrypted at rest.
To date, Gold ID is the only two-factor authentication system that has not been compromised. Gold ID is fully implemented in the GoldKey offering by GoldKey Security Corporation. GoldKeys are not powered by internal batteries and therefore do not have end-of-life failures as batteries wear out. There is no annual licensing fee for each user, and the initial cost of deployment is substantially less than other options. Most importantly, GoldKey security tokens also contain a full deployment of the PIV smart card system, allowing users to continue using their current smart card system while building the capability of transitioning all or part of the system over to Gold ID at some future date.

Additional information on Gold ID can be found at GoldKey.com.