CeBIT News, March 22, 2001: "Solving Security's Weakest Link"

March 22, 2001

Security can be defined very simply as: "WHO can be granted access to WHAT?" There is very little doubt about the content or accuracy of the "WHAT" portion, because the organization itself defines the resources and the access rights to them (and the security system merely enforces that definition).

The "WHO," however, lies at the heart of the effectiveness of any security system. The only means to validate the WHO is user authentication, and every authorization decision downstream is only as trustworthy as that step.

The most popular way of performing user authentication is through a static piece of information shared between the user and the security system: the password. Static passwords are an extremely weak form of authentication: the same secret is presented on every login, so anyone who observes, guesses or copies it once can reuse it indefinitely. Strong user authentication also naturally strengthens authorization, because access rights will be granted to the right person and not to someone taking illegitimate advantage of a weak authentication system. Strong user authentication likewise eliminates the false sense of security that a sophisticated but password-protected authorization system may provide.

The proof of identity that a user gives is based on one of the following factors:

Knowledge: a piece of information shared between the user and the system, typically a PIN or a static password (something the user knows).

Ownership: a physical object, such as a badge or a key, specifically assigned to the user and recognized by a system peripheral (something the user has).

Biometrics: a measurable biological characteristic of the user, previously enrolled on the system, that the user presents to a dedicated "biometric" device: voice, fingerprint, retina scan, etc. (something the user is).

Knowledge is difficult to control, easy to replicate, and often easy to guess or to obtain illegitimately. Users may also forget their password, creating help-desk costs. An owned object may be easy to duplicate or may be stolen, and implementations of ownership-based authentication very often end up sending static data over the network, which reintroduces the replay weakness of passwords. In addition, maintenance and renewal of the object can be expensive. Biometrics is very expensive to implement and deploy, and compatibility with existing systems is extremely low.

Authentication means verifying that people are who they say they are, before you trust them with your sensitive data and before they can do harm to that data. "Strong" means preventing people from impersonating other users.

Authentication is significantly strengthened by combining at least two of the factors defined above, because an attacker then has to defeat two independent mechanisms rather than one. This is the system used by banks for their e-wallet smart card or ATM bank card system. By combining a PIN that must be remembered with a card that the authorized user has in his or her possession, the barrier to unauthorized access is much higher, while ease of use is maintained.

For remote access security to a corporate network or an Internet banking application, for example, token devices or smart cards combine the two factors of Knowledge and Ownership. A user must therefore own a unique token or smart card, and this "intelligent" object requires knowledge of a PIN before it will operate. In addition, these objects contain cryptographic processors that compute a fresh, unpredictable response for each exchange with the security system, typically over a challenge the server has just issued. Because the response depends on that one challenge, a captured exchange cannot be reused or replayed on the same or another system, provided the server itself treats each challenge as one-time and short-lived.

Digital Certificates, as they are used in PKI-based authentication systems, are logical objects that bring to the security system the proof that a Certificate Authority has already verified the user's identity and bound it to a public key. The certificate itself is public; the strength of PKI-based authentication relies essentially on the quality and safety of the storage and protection of the corresponding private key, since whoever holds that key can authenticate as the certificate's subject.

Tokens are the most portable solution for strong user authentication. They work unconnected and may be used across any medium. Smart cards have quite good portability for the card itself, but they are limited by the need for a smart card reader and client software residing on a PC. PKI offers poor portability for pure software implementations, where the private key is tied to one machine; portability improves when the key and certificate are hosted in a removable device like a smart card, but then you inherit the other limitations associated with smart cards. PKI also requires applications that have been programmed for PKI, while the two others may be used as a drop-in replacement for static passwords.

The cost of ownership for tokens depends mostly on hardware reliability, purchase options, and PIN management features. These factors can vary dramatically from one manufacturer to another. Smart cards suffer from the cost of smart card readers, as well as their relative fragility when used intensively for login. PKI costs vary depending on the type of certificates used: issuing certificates from a company's own CA is far cheaper than buying them from a public CA.

A real challenge for any authentication method is user acceptance. This is the key to a successful security implementation, because if the authentication method creates too many constraints, or prevents users from working because of a lack of reliability, then it will be rejected or worked around.

The best authentication method makes use of a property that a user considers an extension of him/herself, and would never share or give away.

VASCO has found that personalizing tokens with user-chosen colors or logos reinforces the feeling of ownership compared to a standard neutral model, and that allowing users to choose their own PIN that no one else knows, and to change it whenever they like, gives users the feeling that the token is theirs and not interchangeable with any other. This also helps to prevent the PIN from being written down, since users are free to reuse their own general PIN, which people protect much more strongly than passwords.