Multi-Factor Authentication

Transcription

1 Enhancing network security through the authentication process Multi-Factor Authentication Passwords, Smart Cards, and Biometrics

2 INTRODUCTION Corporations today are investing more time and resources on the security of data residing on their enterprise networks and systems. Companies instituting business processes and models are required to store critical corporate data and intellectual assets on interconnected corporate networks. As the rate of network break-ins, data thefts, and malicious attacks has escalated, network and data security issues have become leading priorities for businesses. Executives and investors have joined IT and security managers in their concerns about enterprise security processes and policies. Companies face significant challenges in the development and management of comprehensive corporate security solutions. Users have become increasingly complacent with information that could be used to obtain passwords or access codes, proof of which is provided by the number of sticky notes containing passwords stuck to the side of monitors for all to see (and use). As the number of missioncritical systems and networks has expanded within businesses, so have the number of user passwords, system entry points, and credential management requirements. Managing access to these systems and the large password base has created significant administrative demands on IT. Multi-factor authentication, also termed strong authentication, is one key approach corporations can employ to safeguard their data, prevent unauthorized access, and manage security for users. Authentication is the process by which individuals prove their identities, which are verified against information already established. Based upon authentication, the system allows access and use of resources, be it data, information, or systems. Although password-only systems can be secure, they can be compromised by careless users or through brute force attacks. Multi-factor solutions increase the security of the authentication process by utilizing a combination of methods to authenticate the identity of users. By using a combination of methods, such as a biometric plus smart card, security and control over access to resources in significantly increased. Multi-factor authentication uses a combination of methods to authenticate users. These methods can be broadly defined into three categories: through something they know (such as a PIN or password), something they have (such as a smart card, token, or a certificate), or something they are (biometric identification such as fingerprint or voice). Utilizing a combination of the above three methods increases security and reduces the risk of unauthorized individuals gaining access to corporate data or resources. Multi-factor authentication is better than single-factor authentication and provides several benefits. These include: The ability to secure your network with password, token, smart card, and biometric authentication methods Use of multiple authentication methods for individual login Reducing the ability of anyone to breach security, thereby increasing management comfort in network security Stopping unauthorized users from performing unauthorized acts and Reducing authorized users from unintentionally gaining access to others resources. P a s s a g e 3 0 a n d M u l t i F a c t o r A u t h e n t i c a t i o n 1

3 METHODS OF AUTHENTICATION The ways in which users can authenticate themselves to the corporate network can be broken down into three broad categories of information and objects: something they know (such as a password), something they have (such as a smart card, token, or a certificate), or something they are (biometric identification). Utilizing a combination of methods enhances security and reduces unauthorized access. Each method has advantages and disadvantages. The decision on the best combination of authentication methods to use for network access depends on the security and convenience requirements for authenticating users. Passwords Passwords are the most common method of authentication. Password systems provide a minimal level of security, relying on the integrity of the password in the authentication process. Maintaining the integrity of passwords, meaning that only authorized users know their passwords, is critical to preserving security in passwordprotected environments. Unauthorized individuals can gain access to an authorized user password using a variety of methods. Some of these methods include keystroke monitoring, manipulating people for information that can be used to guess a password, shoulder surfing, brute force attacks, and network monitoring. Another weakness of password systems emerges from the reusability of passwords. Users rarely change passwords, using the same password to authenticate to a system over long periods of time and sometimes using the same password across multiple systems. To prevent such use, many companies enforce minimum character size password requirements and force users to change passwords frequently. This increases the instances of forgotten passwords and increases calls to the help desk. Many times passwords are recycled on networks that require password changes at a set interval. As a result, a compromised password can potentially provide access to multiple systems for an extended period of time without the user s knowledge. Additionally, determining if a password has been compromised is extremely difficult. Passwords, when used in combination with other authentication methods, can increase security, but when used alone, even the best password only system offers only minimal authentication security. Smart Cards and SecurID TM Smart Cards and RSA SecurID TM both fall under the category of something users have as a method of authentication in a multi-factor authentication process. Used in combination with another method of authentication, such as a password or biometric, these items greatly increase security of the authentication process. By depending upon possession of an item in addition to a password, the opportunity for unauthorized access is decreased. Smart Cards are plastic cards about the size of a credit card that contain a computer chip. This embedded microprocessor allows smart cards to store data, software, or encryption keys. By requiring possession of a smart card, the likelihood of an unauthorized user being authenticated to the network is significantly reduced, enhancing security. Smart cards are also able to store information used by other authentication processes, such as a biometric template. Use of smart cards to store this type of information reduces the opportunity for such information to be compromised, thereby increasing the security of the overall authentication process. Cryptographic keys can also be stored on the smart card, and P a s s a g e 3 0 a n d M u l t i F a c t o r A u t h e n t i c a t i o n 2

4 smart cards can be used in digital certificate encryption/decryption processes. RSA s SecurID authenticator can also be used in a multi-factor authentication scheme. Through the use of a password (something a user knows) and a RSA SecurID authenticator (something a user has), network managers can be more confident in their authentication process. The RSA SecurID security system is based upon the use of SecurID authenticators and the RSA ACE/Server. These authenticators generate a one-time passcode every sixty seconds. The combination of a user PIN and the current authenticator code is valid only for that particular user at that moment in time. RSA ACE/Server is then able to verify the code and grant access in mere seconds. RSA SecurID authenticators are now available in various types of hardware and software tokens. Biometrics The International Biometric Industry Association defines biometric technologies as an automated method of identifying or authenticating the identity of a person based upon physiological or behavioral characteristics. Use of biometrics is an effective way to protect against unauthorized access to network resources because biometric information is based upon unique personal characteristics of a user (or something the user is). Biometric devices are devices that create electronic digital templates of physical characteristics that are stored and compared to live images when there is a need to verify the identity of an individual. These templates are images that are highly compressed and represent a fingerprint, iris, or other physical characteristic. These templates use proprietary and carefully guarded algorithms to secure the templates and protect them from disclosure. A combination of one or more of the above token and knowledge methods of authentication and biometric technology provide a high level of security and reliability in the authentication of users. PASSAGE 3.0 Passage 3.0 was conceived to bring strong, multi-factor authentication to the enterprise information security market. Passage supports user authentication via one or a combination of password, smart card, biometric, or SecurID token. Competing products typically focus on a limited number of authentication technologies and are tied to a specific piece of hardware. Most often, these products focus on only one authentication methodology. Typically, companies that manufacture their own hardware devices provide solution tied to their device. Biometric companies typically provide biometric-only solutions and smart card manufactures provide smart card-only solutions. In contrast, Passage instead combines biometric and smart card authentication in a proven product and even incorporates password-only and SecurID authentication, thereby creating a true multifactor authentication solution that can greatly increase the security of your network. Passsage also makes it easier to manage compelx security. Single Sign-on capabilities are integrated in Passage, providing a way for end-user credentials to be managed and eliminating the need for multiple passwords to be maintained. Some of the platforms supplied with credentials after a user has been authenticated to Passage include operating systems such as Windows 95/98/NT/2000 and Novell, PKIs including Entrust and applications such as Lotus Notes. Using Passage Assist, a P a s s a g e 3 0 a n d M u l t i F a c t o r A u t h e n t i c a t i o n 3

5 feature of Passage 3.0, the list of supported applications can be expanded to include virtually any Windows-based dialogue or Web form. Platform credentials are stored in the Credential Bank, which can be located either remotely on the Passage Authentication Server or locally on the user s smart card. By storing credentials locally and remotely, Passage provides unparalleled security to both networked and mobile users. Another hallmark of Passage 3.0 is its unparalleled flexibility. Passage allows administrators to choose the method of authentication for each user and offers a choice between storing the credentials locally, remotely, or both. By allowing administrators to choose the method and combination of authentication schemes, Passage gives administrators tremendous flexibly to determine how and when they will deploy Passage. Corporate Headquarters: 6564 Loisdale Court, Suite 100, Springfield, VA, 22150, USA Tel Fax Sales Headquarters: 40 Wall Street, 46th Floor, New York, NY, 10005, USA Tel Fax Technical Headquarters: 3909 Midlands Road, Williamsburg, VA, 23185, USA Tel Fax [email protected] G International, Inc. (3GI) All rights reserved. ACE/Server TM and SecurID TM are registered trademarks of RSA Security Inc. All other trademarks are the property of their respective owners P a s s a g e 3 0 a n d M u l t i F a c t o r A u t h e n t i c a t i o n 4