Reaching the Tipping Point for Two-Factor Authentication




Reaching the Tipping Point for Two-Factor Authentication
Written by Don Jones
Quest Software, Inc.
White Paper

2009 Quest Software, Inc. ALL RIGHTS RESERVED.

This document contains proprietary information, protected by copyright. No part of this document may be reproduced or transmitted for any purpose other than the reader's personal use without the written permission of Quest Software, Inc.

WARRANTY
The information contained in this document is subject to change without notice. Quest Software makes no warranty of any kind with respect to this information. QUEST SOFTWARE SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTY OF THE MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Quest Software shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in connection with the furnishing or use of this information.

TRADEMARKS
Quest, Quest Software, Quest Defender and the Quest Software logo are trademarks and registered trademarks of Quest Software, Inc. in the United States of America and other countries. Other trademarks and registered trademarks used in this document are property of their respective owners.

World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
e-mail: info@quest.com
Please refer to our Web site (www.quest.com) for regional and international office information.

Updated October, 2009

CONTENTS
INTRODUCTION
WHAT IS TWO-FACTOR AUTHENTICATION?
COMMON CHOICES FOR TWO-FACTOR AUTHENTICATION
BUSINESS DRIVERS FOR TWO-FACTOR AUTHENTICATION
INCREASING TWO-FACTOR AUTHENTICATION ADOPTION
HURDLES TO TWO-FACTOR ADOPTION
ACTIVE DIRECTORY INTEGRATION: THE TIPPING POINT
ABOUT THE AUTHOR
ABOUT QUEST SOFTWARE, INC.
CONTACTING QUEST SOFTWARE
CONTACTING QUEST SUPPORT

INTRODUCTION
Two-factor authentication is becoming more common in the world's largest organizations, and many medium-size and smaller organizations are also looking hard at it. What is the appeal of this form of authentication? When organizations adopt it, what are their driving reasons? And, perhaps most importantly, which organizations are not adopting two-factor authentication, and why? When will the industry reach a tipping point, where two-factor authentication will become the norm? This paper examines these questions and their answers.

WHAT IS TWO-FACTOR AUTHENTICATION?
The first multi-user computers used single-factor authentication, which almost every computer user is familiar with: a username and password. But wait, don't a user name and a password represent two factors? No. Both of those items are something you know: information stored in your brain that also might be recorded on paper or elsewhere. Therefore they represent only a single factor for authentication. True two-factor authentication consists of two items from different categories:
- Something you know, such as a user name, password, or PIN
- Something you have, such as a hardware token
- Something you are, such as a fingerprint
Examples of two-factor authentication, therefore, would include:
- A hardware token (something you have) plus a PIN (something you know)
- A user name (something you know) and a fingerprint scan (something you are)
Extremely secure systems may require more than two factors (multi-factor authentication), but most business systems can be adequately secured by two-factor authentication.

Common Choices for Two-Factor Authentication
In most current two-factor authentication systems, the "something you know" factor is almost always a user name, a PIN, or both. The second factor is commonly some form of hardware, software or biometric, such as a:
- Hardware token
- Software token
- Pattern-based, one-time password
- Smart card
- Single-use PIN hardware token
- Fingerprint or retinal scan
Hardware and software tokens are the most popular second factor options because they're portable, simple to manage, easy to use and more reliable than biometrics.

Hardware tokens have traditionally been the least expensive second factor option. These tokens display a single-use password, which is created by a predetermined mathematical algorithm. Authentication servers on the network use the same algorithm, so given a user name or PIN, the server can determine the password that the user's token is displaying at that moment and require the user to enter it for authentication. The most popular hardware tokens use an industry-standard algorithm known as OATH; these tokens are cross-compatible with each other as well as with a variety of server-based authentication systems. USB hardware tokens can be carried on a key ring and plugged into nearly any modern computer.

Today, software tokens are slowly overtaking hardware tokens in popularity and may surpass them in a year or two. Mobile computing is driving this increased use. For example, some systems are able to issue single-use passwords in response to an SMS text message sent from an employee's cell phone. This is an ideal zero-hardware solution for mobile employees, since nearly all of today's cell phones and carriers support SMS messaging. PDA-based software tokens replicate the functionality of hardware tokens by generating single-use passwords on a smart phone or personal digital assistant. All of these solutions are typically low-cost, easily portable, and easy to use.

Active Directory also offers basic built-in support for smart cards, which are used internally by Microsoft and other organizations. A downside of smart cards is that they tend to be expensive: they require the installation of a reader and software. Also, users cannot rely on them when authenticating from a computer that lacks a compatible reader, such as an Internet kiosk.

Business Drivers for Two-Factor Authentication
The main reason organizations adopt two-factor authentication is to reduce the risks associated with unauthorized access and with regulatory non-compliance. Any broken authentication scheme will give unauthorized individuals access to organization information, risking significant damage to the business. And failing to comply with legal requirements and industry standards that mandate security procedures carries significant fines and penalties. These compliance initiatives include HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley and the Payment Card Industry's Data Security Standard, as well as various rules for federal agencies and contractors.

How does using single-factor authentication create security risks and fall short of meeting compliance requirements? Single-factor authentication systems are simply too easy to break. For example, Microsoft Active Directory does not store user passwords in clear text, or even in an encrypted form; it stores the result of a one-way cryptographic hash, meaning the stored password cannot be reverse-engineered to reveal the original password. However, the hash algorithm is well known, so it's possible for an attacker to create a dictionary of possible passwords, hash them, and then compare those values to the stored values in Active Directory. A match between two hashes will reveal the clear-text password from the dictionary, which is why this type of attack is commonly called a dictionary attack. While generating the dictionary takes some time, the actual attack can be performed very rapidly. Pre-generated dictionaries are available that can quickly crack passwords of up to 10 characters in length, using any combination of characters, including supposedly secure passwords that use a combination of letters, numbers, and symbols. This threat requires increasingly complex passwords, which simply drives attackers to create ever-larger dictionaries. In the arms race between attackers and complex passwords, the attackers will always win. Any system secured only by passwords can be easily cracked by a moderately skilled attacker with access to the stored passwords and a few minutes of time.

Even if more complex passwords could stop attackers, they are not a good solution, because end users will constantly forget their passwords, lock themselves out of their accounts, and call the help desk to resolve the problem. This significantly increases support costs. Today many businesses have chosen to abandon passwords in favor of two-factor authentication systems that let users remember less information and offer greater security. For example, you cannot lose a fingerprint, and a lost smart card or hardware token can be easily invalidated and rendered useless to attackers.

Increasing Two-Factor Authentication Adoption
Two-factor authentication is increasing in both large organizations and technology-centric organizations. Large organizations are more likely to be regulated by one or more legislative or industry security requirements, making stronger authentication compelling. They also tend to manage their IT overhead more closely, so they recognize the cost savings of reduced help desk calls for password resets and account lockouts.
Technology organizations, even smaller ones, tend to be quicker to recognize the value of two-factor authentication for reducing help desk overhead and improving security. Because their main product is often easy-to-steal intellectual property, they tend to suffer more from industrial espionage. This makes the security offered by two-factor authentication appealing. Technology-focused organizations that are subject to industry or legislative security requirements (such as online retailers) are especially quick to adopt two-factor authentication, for the same reasons large organizations do. Banks and other financial organizations use two-factor authentication to secure organizational and customer information. In fact, the rush to implement two-factor authentication by major banks and major online retailers is bringing us closer to the tipping point where two-factor authentication becomes a baseline requirement.

Hurdles to Two-Factor Adoption
What stands in the way of even more widespread adoption of two-factor authentication?

One alleged hurdle to two-factor authentication is end-user acceptance. There's a general sense that end users will have difficulty understanding and using two-factor authentication. In fact, even though end users are often resistant to technology changes, industry experience reveals that they are able to adapt quickly to two-factor authentication. Most users find two-factor authentication easier and more convenient than user names and passwords. For example, smart cards only require users to remember a four- to six-digit PIN, and inserting a card into a reader slot is similar to using an automated teller machine (ATM).

Another hurdle is that many organizations fear that the cost of two-factor authentication will be high and never investigate it. However, hardware tokens actually have a very small per-unit cost, and deployment costs, including the cost of the back-end software, are rarely as high as organizations anticipate. And help desk calls for password resets or account unlocks can cost as much as $33 per call, so even the most expensive two-factor authentication will quickly repay its purchase cost.

An additional barrier is the organization's mistaken belief that it is unlikely to encounter a security problem. Organizations that have never experienced a breach may feel there's no need to spend time and money implementing better security. These organizations are fooling themselves: a glance at any technology news site reveals a monthly litany of victims of the "it will never happen to us" mentality. The same organizations that willingly (and intelligently) spend thousands on property or liability insurance, even though they've never been the victim of a flood or fire, should recognize that two-factor authentication is also an insurance policy. However, unlike most policies, two-factor authentication requires only a one-time investment, rather than ongoing premium payments. Compared to the cost of other insurance policies, two-factor authentication is extremely cost-effective.

If neither necessity, acceptance nor cost is a valid deterrent to adopting two-factor authentication, what is? In most instances, the main hurdle to adoption of two-factor authentication is integration: making two-factor authentication work with the organization's existing systems and resources. Microsoft Active Directory is one of the most common identity systems in use today, and integrating a two-factor authentication system with it is critical to a successful adoption and deployment.
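The token-and-server exchange described under Common Choices above (a token that displays a single-use password and a server that runs the same algorithm to work out what the token is showing) is illustrated here with the OATH event-based algorithm, HOTP (RFC 4226). This is an added example, not code from the paper or from Quest Defender; the seed is the constructed RFC 4226 test-vector value, and the look-ahead window and replay handling are assumptions about how a verifier is typically built, not a description of any particular product.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the 20-byte ASCII value from the RFC 4226 test vectors,
# standing in for the secret programmed into a token at manufacture and copied
# into the authentication server's record for that user.
DEMO_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226), the OATH event-based algorithm.

    The token computes this from its seed and an internal counter each time the
    button is pressed; the server computes the same value from its copy of the
    seed and its record of the counter, so no password ever has to be stored.
    """
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()   # 20-byte HMAC-SHA1
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HardwareToken:
    """The user's side: same seed, its own counter, no network connection."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press_button(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class TokenServer:
    """Server-side record for one user's token: seed plus next expected counter."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.counter = 0              # next counter value the server will accept
        self.look_ahead = look_ahead  # assumption: small resync window

    def verify(self, submitted: str) -> bool:
        # Search a small window ahead of the stored counter so that codes the
        # user generated but never submitted do not desynchronise the token.
        # Constant-time comparison avoids leaking which digits matched.
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1  # advance past the used value: single-use
                return True
        return False


def demo() -> dict:
    """Walk one token and one server through accept, replay, resync and guess."""
    token = HardwareToken(DEMO_SEED)
    server = TokenServer(DEMO_SEED)
    first = token.press_button()
    results = {"first_accepted": server.verify(first)}
    results["replay_rejected"] = not server.verify(first)   # same code twice
    for _ in range(2):                                      # two unsubmitted presses
        token.press_button()
    results["resync_accepted"] = server.verify(token.press_button())
    results["guess_rejected"] = not server.verify("000000")
    return results
```

The values for counters 0 to 9 match Appendix D of RFC 4226, which is how a deployment can check that a server and a batch of tokens really share the same algorithm.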

Active Directory Integration: The Tipping Point
Quest Defender (www.quest.com/defender) is specifically designed to extend Active Directory to support a variety of two-factor authentication schemes, including hardware tokens. It allows any system that relies on, or integrates with, Active Directory to participate in two-factor authentication. In fact, adding Defender can often immediately enable two-factor authentication across the entire enterprise.

Defender permits phased deployments, enabling some users to continue using passwords while small groups are migrated to two-factor authentication. This helps to reduce the impact of a major deployment as well as lower the attendant overhead and support costs. Defender is centrally administered through Active Directory; Active Directory is even used to store each user's individual hardware token assignment, so additional databases are not required.

In addition to supporting any OATH-compliant hardware tokens, Defender supports smart cards as well as mobile (sent via SMS text messaging), software, PDA-based, pattern-based, and USB hardware-based tokens. This gives organizations a wide range of choices. Defender also supports the use of mixed token types, enabling organizations to determine the right type of token on a per-user basis.

Defender's detailed auditing capabilities help organizations that are subject to industry or legislative security requirements maintain and prove compliance. Defender is capable of using several encryption algorithms to secure communications, ensuring compliance and a high level of security.

Defender helps bring the industry to the tipping point by integrating two-factor authentication with Active Directory and offering flexible security token choices. Organizations can now properly justify the cost of a two-factor authentication deployment, and significant barriers to its adoption are removed.

ABOUT THE AUTHOR
Don Jones has more than a decade of professional experience in the IT industry. He is the author of more than 30 IT books, including Windows PowerShell: TFM, VBScript, WMI, and ADSI Unleashed and Managing Windows with VBScript and WMI. He's a top-rated speaker who is in demand at conferences such as Microsoft TechEd and TechMentor. He also writes the monthly Windows PowerShell column for Microsoft TechNet Magazine. Don is a multiple-year recipient of Microsoft's Most Valuable Professional (MVP) Award with a specialization in Windows PowerShell. Don's broad IT experience includes work in the financial, telecommunications, software, manufacturing, consulting, training, and retail industries, and he's one of the rare IT professionals who can not only cross the line between administration and software development, but also between IT workers and IT management. Don maintains a high degree of awareness in multiple facets of the IT industry, enabling him to perform both high-level and detailed analyses of new technologies and techniques.

ABOUT QUEST SOFTWARE, INC.
Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products, helping our customers solve everyday IT challenges faster and easier. Visit www.quest.com for more information.

Contacting Quest Software
Phone: 949.754.8000 (United States and Canada)
Email: info@quest.com
Mail: Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656, USA
Web site: www.quest.com
Please refer to our Web site for regional and international office information.

Contacting Quest Support
Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around-the-clock coverage with SupportLink, our web self-service. Visit SupportLink at http://support.quest.com

From SupportLink, you can do the following:
- Quickly find thousands of solutions (Knowledgebase articles/documents).
- Download patches and upgrades.
- Seek help from a Support engineer.
- Log and update your case, and check its status.

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com/pdfs/global Support Guide.pdf