Reaching the Tipping Point for Two-Factor Authentication

Transcription

1 Reaching the Tipping Point for Two-Factor Authentication Written by Don Jones Quest Software, Inc. White Paper

2 2009 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains proprietary information, protected by copyright. No part of this document may be reproduced or transmitted for any purpose other than the reader's personal use without the written permission of Quest Software, Inc. WARRANTY The information contained in this document is subject to change without notice. Quest Software makes no warranty of any kind with respect to this information. QUEST SOFTWARE SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTY OF THE MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Quest Software shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in connection with the furnishing or use of this information. TRADEMARKS Quest, Quest Software, Quest Defender and the Quest Software logo are trademarks and registered trademarks of Quest Software, Inc. in the United States of America and other countries. Other trademarks and registered trademarks used in this document are property of their respective owners. World Headquarters 5 Polaris Way Aliso Viejo, CA info@quest.com Please refer to our Web site ( for regional and international office information. Updated October, 2009

3 CONTENTS INTRODUCTION...1 WHAT IS TWO-FACTOR AUTHENTICATION?...2 COMMON CHOICES FOR TWO-FACTOR AUTHENTICATION... 2 BUSINESS DRIVERS FOR TWO-FACTOR AUTHENTICATION... 3 INCREASING TWO-FACTOR AUTHENTICATION ADOPTION... 4 HURDLES TO TWO-FACTOR ADOPTION... 5 ACTIVE DIRECTORY INTEGRATION: THE TIPPING POINT... 6 ABOUT THE AUTHOR...7 ABOUT QUEST SOFTWARE, INC...8 CONTACTING QUEST SOFTWARE... 8 CONTACTING QUEST SUPPORT... 8

4 INTRODUCTION Two-factor authentication is becoming more common in the world s largest organizations, and many medium-size and smaller organizations are also looking hard at it. What is the appeal of this form of authentication? When organizations adopt it, what are their driving reasons? And, perhaps most importantly, which organizations are not adopting two-factor authentication, and why? When will the industry reach a tipping point, where two-factor authentication will become the norm? This paper examines these questions and their answers. 1

5 WHAT IS TWO-FACTOR AUTHENTICATION? The first multi-user computers used single-factor authentication, which almost every computer user is familiar with: a username and password. But wait don t a user name and a password represent two factors? No. Both of those items are something you know information stored in your brain that also might be recorded on paper or elsewhere and therefore they represent only a single factor for authentication. True two-factor authentication consists of two items from different categories: Something you know, such as a user name, password, or PIN Something you have, such as a hardware token Something you are, such as a fingerprint Examples of two-factor authentication, therefore, would include: A hardware token (something you have) plus a PIN (something you know) A user name (something you know) and a fingerprint scan (something you are) Extremely secure systems may require more than two factors (multi-factor authentication), but most business systems can be adequately secured by two-factor authentication. Common Choices for Two-Factor Authentication In most current two-factor authentication systems, the something you know factor is almost always a user name a PIN, or both. The second factor is commonly some form of hardware, software or biometric, such as a: Hardware token Software token Pattern-based, one-time password Smart card Single-use PIN hardware token Finger print or retinal scan Hardware and software tokens are the most popular second factor options because they re portable, simple to manage, easy to use and more reliable than biometrics. 2

6 Hardware tokens have traditionally been the least expensive second factor option. These tokens display a single-use password, which is created by a predetermined mathematical algorithm. Authentication servers on the network use the same algorithm, so with a user name or PIN, the server can determine the password that the user s token is displaying at that moment and require the user to enter it for authentication. The most popular hardware tokens utilize an industry-standard algorithm known as OATH; these tokens are cross compatible with each other as well as with a variety of server-based authentication systems. USB hardware tokens can be carried on a key ring and plugged into nearly any modern computer. Today, software tokens are slowly overtaking hardware tokens in popularity and may surpass them in a year or two. Mobile computing is driving this increased use. For example, some systems are able to issue single-use passwords in response to an SMS text message sent from an employee s cell phone. This is an ideal zero-hardware solution for mobile employees, since nearly all of today s cell phones and carriers support SMS messaging. PDAbased software tokens replicate the functionality of hardware token by generating single-use passwords on a smart phone or personal digital assistant. All of these solutions are typically low-cost, easily portable, and easy to use. Active Directory also offers basic built-in support for smart cards, which are used internally by Microsoft and other organizations. A downside of smart cards is that they tend to be expensive; they require the installation of a reader and software. Also, users cannot rely on them when authenticating from a computer that lacks a compatible reader, such as an Internet kiosk. Business Drivers for Two-Factor Authentication The main reason organizations adopt two-factor authentication is to reduce risk associated with unauthorized access and regulatory compliance. Any broken authentication scheme will give unauthorized individuals access to organization information, risking significant damage to the business. And failing to comply with legal requirements and industry standards that mandate security procedures carries significant fines and penalties. These compliance initiatives include HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, the Payment Card Industry s Data Security Standard, as well as various rules for federal agencies and contractors. How does using single-factor authentication allow security risks and fall short in meeting compliance requirements? Single-factor authentication systems are simply too easy to break. For example, Microsoft Active Directory does not store user passwords in clear text, or even in an encrypted form; it stores the result of a one-way cryptographic hash, meaning the stored password cannot be reverse-engineered to reveal the original password. However, the hash algorithm is well known, so it s possible for an attacker to create a dictionary of possible passwords, hash them, and then compare 3

7 those values to the stored values in Active Directory. A match between two hashes will reveal the clear-text password from the dictionary, which is why this type of attack is commonly called a dictionary attack. While generating the dictionary takes some time, the actual attack can be performed very rapidly. Pre-generated dictionaries are available that can quickly crack passwords of up to 10 characters in length, using any combination of characters including supposedly secure passwords that use a combination of letters, numbers, and symbols. This threat requires increasingly complex passwords, which simply drives attackers to create ever-larger dictionaries. In the arms race between attackers and complex passwords, the attackers will always win. Any system secured only by passwords can be easily cracked by a moderately-skilled attacker with access to the stored passwords and a few minutes of time. Even if more complex passwords could stop attackers, they are not a good solution. That s because End users will constantly forget their passwords, lock themselves out of their accounts, and call the help desk to resolve the problem. This significantly increases support costs. Today many businesses have chosen to abandon passwords in favor of twofactor authentication systems that let users remember less information and offer greater security. For example, you cannot lose a fingerprint, and a lost smart card or hardware token can be easily invalidated and rendered useless to attackers. Increasing Two-Factor Authentication Adoption Two-factor authentication is increasing in both large organizations and technology-centric organizations. Large organizations are also more likely to be regulated by one or more legislative or industry security requirements, making stronger authentication compelling. However, because they also tend to manage their IT overhead more closely, they recognize the cost savings of reduced help desk calls for password resets and account lockouts. Technology organizations, even smaller ones, tend to be quicker to recognize the value of two-factor authentication for reducing help desk overhead and improving security. Because their main product is often easy-to-steal intellectual property, they tend to suffer more from industrial espionage. This makes the security offered by two-factor authentication appealing. Technology-focused organizations that are subject to industry or legislative security requirements (such as online retailers) are especially quick to adopt two-factor authentication for the same reasons large organizations do. Banks and other financial organizations use two-factor authentication to secure organizational and customer information. In fact, the rush to 4

8 implement two-factor authentication by major banks and major online retailers is bringing us closer to the tipping point where two-factor authentication becomes a baseline requirement Hurdles to Two-Factor Adoption What stands in the way of even more widespread adoption of two-factor authentication? One alleged hurdle to two-factor authentication is end-user acceptance. There s a general sense that end users will have difficulty understanding and using two-factor authentication. In fact, even though end users are often too resistant to technology changes, industry experience reveals that they are able to quickly adopt to two-factor authentication. Most users find two-factor authentication easier and more convenient than user names and passwords. For example, smart cards only require users to remember a four- to six-digit PIN, and inserting a card into a reader slot is similar to using an automated teller machine (ATM). Another hurdle is that many organizations fear that the cost of two-factor authentication will be high and never investigate it. However, hardware tokens actually have a very small per-unit cost, and deployment costs, including the cost of the back-end software, are rarely as high as organizations anticipate. And help desk calls for password resets or account unlocks can cost as much as $33 per call, so even the most expensive twofactor authentication will quickly repay its purchase cost. An additional barrier is the organization s mistaken belief that it is unlikely to encounter a security problem. Organizations that have never experienced a breach may feel there s no need to spend time and money implementing better security. These organizations are fooling themselves: a glance at any technology news site often reveals a monthly litany of victims of the it will never happen to us mentality. The same organizations that willingly (and intelligently) spend thousands on property or liability insurance even though they ve never been the victim of a flood or fire should recognize that twofactor authentication is also an insurance policy. However, unlike most policies, two-factor authentication requires only a one-time investment, rather than ongoing premium payments. Compared to the cost of other insurance policies, two-factor authentication is extremely cost-effective. If neither necessity, acceptance nor cost is a valid deterrent to adopting single-factor authentication, what is? In most instances, the main hurdle to adoption of two-factor authentication is integration: making two-factor authentication work with the organization s existing systems and resources. Microsoft Active Directory is one of the most common identity systems in use today, and integrating a two-factor authentication system with it is critical to a successful adoption and deployment. 5

9 Active Directory Integration: The Tipping Point Quest Defender ( is specifically designed to extend Active Directory to support a variety of two-factor authentication schemes, including hardware tokens. It allows any system that relies on, or integrates with, Active Directory to participate in two-factor authentication. In fact, adding Defender can often immediately enable two-factor authentication across the entire enterprise. Defender permits phased deployments, enabling some users to continue using passwords while small groups are migrated to two-factor authentication. This helps to reduce the impact of a major deployment as well as lower attendant overhead and support costs. Defender is centrally administered through Active Directory; Active Directory is even used to store each user s individual hardware token assignment; additional databases are not required. In addition to supporting any OATH-compliant hardware tokens, Defender supports smart cards as well as mobile (sent via SMS text messaging), software, PDA-based, pattern-based, and USB hardware-based tokens. This gives organizations a wide range of choices. Defender also supports the use of mixed token types, enabling organizations to determine the right type of token on a per-user basis. Defender s detailed auditing capabilities help organizations that are subject to industry or legislative security requirements maintain and prove compliance. Defender is capable of using several encryption algorithms to secure communications, ensuring compliance and a high level of security. Defender helps bring the industry to the tipping point by integrating two-factor authentication with Active Directory, and offering flexible security token choices. Organizations can now properly justify the cost of a two-factor authentication deployment, and significant barriers to its adoption are removed. 6

10 ABOUT THE AUTHOR Don Jones has more than a decade of professional experience in the IT industry. He is the author of more than 30 IT books, including Windows PowerShell: TFM, VBScript, WMI, and ADSI Unleashed and Managing Windows with VBScript and WMI. He s a top-rated speaker who is in demand at conferences such as Microsoft TechEd and TechMentor. He also writes the monthly Windows PowerShell column for Microsoft TechNet Magazine. Don is a multiple-year recipient of Microsoft s Most Valuable Professional (MVP) Award with a specialization in Windows PowerShell. Don s broad IT experience includes work in the financial, telecommunications, software, manufacturing, consulting, training, and retail industries and he s one of the rare IT professionals who can not only cross the line between administration and software development, but also between IT workers and IT management. Don maintains a high degree of awareness in multiple facets of the IT industry, enabling him to perform both high-level and detailed analyses of new technologies and techniques. 7

11 ABOUT QUEST SOFTWARE, INC. Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products helping our customers solve everyday IT challenges faster and easier. Visit for more information. Contacting Quest Software Phone: Mail: Web site: (United States and Canada) Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA USA Please refer to our Web site for regional and international office information. Contacting Quest Support Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around the clock coverage with SupportLink, our web self-service. Visit SupportLink at From SupportLink, you can do the following: Quickly find thousands of solutions (Knowledgebase articles/documents). Download patches and upgrades. Seek help from a Support engineer. Log and update your case, and check its status. View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: Support Guide.pdf 8