Multi-Factor Authentication

Enhancing network security through the authentication process

Multi-Factor Authentication

Passwords, Smart Cards, and Biometrics

INTRODUCTION

Corporations today are investing more time and resources on the security of data residing on their enterprise networks and systems. Companies instituting business processes and models are required to store critical corporate data and intellectual assets on interconnected corporate networks. As the rate of network break-ins, data thefts, and malicious attacks has escalated, network and data security issues have become leading priorities for businesses. Executives and investors have joined IT and security managers in their concerns about enterprise security processes and policies.

Companies face significant challenges in the development and management of comprehensive corporate security solutions. Users have become increasingly complacent with information that could be used to obtain passwords or access codes; proof is provided by the number of sticky notes containing passwords stuck to the side of monitors for all to see (and use). As the number of mission-critical systems and networks has expanded within businesses, so have the number of user passwords, system entry points, and credential management requirements. Managing access to these systems and the large password base has created significant administrative demands on IT.

Multi-factor authentication, also termed strong authentication, is one key approach corporations can employ to safeguard their data, prevent unauthorized access, and manage security for users. Authentication is the process by which individuals prove their identities, which are verified against information already established. Based upon authentication, the system allows access to and use of resources, be it data, information, or systems. Although password-only systems can be secure, they can be compromised by careless users or through brute force attacks. Multi-factor solutions increase the security of the authentication process by utilizing a combination of methods to authenticate the identity of users. By using a combination of methods, such as a biometric plus a smart card, security and control over access to resources is significantly increased. The methods used to authenticate users can be broadly defined into three categories: something they know (such as a PIN or password), something they have (such as a smart card, token, or a certificate), or something they are (biometric identification such as a fingerprint or voice). Utilizing a combination of the above three methods increases security and reduces the risk of unauthorized individuals gaining access to corporate data or resources.
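The point of the three categories is that a login is only "multi-factor" when the verified factors come from different categories: two passwords are still a single factor. The following Python is an added worked example, not code from the 3GI paper or the Passage product; the method names, their category mapping, and the `evaluate` helper are constructed for illustration.

```python
"""Added example: decide whether a login attempt is genuinely multi-factor.

A factor is counted only if its own check succeeded, and the attempt
qualifies only when the successful factors span at least two *distinct*
categories (know / have / are)."""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOW = "something the user knows"   # PIN, password
    HAVE = "something the user has"     # smart card, token, certificate
    ARE = "something the user is"       # fingerprint, voice


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    verified: bool  # result of that factor's own verification step


# Constructed mapping of the methods named in the text to their categories.
METHOD_CATEGORY = {
    "password": Category.KNOW,
    "pin": Category.KNOW,
    "smart_card": Category.HAVE,
    "securid_token": Category.HAVE,
    "certificate": Category.HAVE,
    "fingerprint": Category.ARE,
    "voice": Category.ARE,
}


def satisfied_categories(factors):
    """Distinct categories covered by the factors that actually verified."""
    return {f.category for f in factors if f.verified}


def is_multi_factor(factors, required=2):
    """True only if verified factors cover at least `required` distinct
    categories. A password plus a PIN both verify KNOW and do not qualify."""
    return len(satisfied_categories(factors)) >= required


def evaluate(attempt, required=2):
    """attempt: {method_name: verified_bool} as reported by each checker.
    Returns (granted, sorted category names) so callers can log what was met."""
    factors = []
    for method, ok in attempt.items():
        if method not in METHOD_CATEGORY:
            raise ValueError(f"unknown authentication method: {method}")
        factors.append(Factor(method, METHOD_CATEGORY[method], ok))
    categories = satisfied_categories(factors)
    return is_multi_factor(factors, required), sorted(c.name for c in categories)


if __name__ == "__main__":
    # Constructed attempts: the first is two KNOW factors, the second is KNOW + HAVE.
    print(evaluate({"password": True, "pin": True}))
    print(evaluate({"password": True, "smart_card": True}))
```

The design choice worth noting is that a factor whose own check failed contributes nothing; the policy never grants access on a category that was merely attempted.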

Multi-factor authentication is better than single-factor authentication and provides several benefits. These include:

• The ability to secure your network with password, token, smart card, and biometric authentication methods

• Use of multiple authentication methods for individual login

• Reducing the ability of anyone to breach security, thereby increasing management comfort in network security

• Stopping unauthorized users from performing unauthorized acts

• Reducing the chance that authorized users unintentionally gain access to others' resources

METHODS OF AUTHENTICATION

The ways in which users can authenticate themselves to the corporate network can be broken down into three broad categories of information and objects: something they know (such as a password), something they have (such as a smart card, token, or a certificate), or something they are (biometric identification). Utilizing a combination of methods enhances security and reduces unauthorized access. Each method has advantages and disadvantages. The decision on the best combination of authentication methods to use for network access depends on the security and convenience requirements for authenticating users.

Passwords

Passwords are the most common method of authentication. Password systems provide a minimal level of security, relying on the integrity of the password in the authentication process. Maintaining the integrity of passwords, meaning that only authorized users know their passwords, is critical to preserving security in password-protected environments. Unauthorized individuals can gain access to an authorized user's password using a variety of methods. Some of these methods include keystroke monitoring, manipulating people for information that can be used to guess a password, ‘shoulder surfing’, brute force attacks, and network monitoring. Another weakness of password systems emerges from the reusability of passwords. Users rarely change passwords, using the same password to authenticate to a system over long periods of time and sometimes using the same password across multiple systems. To prevent such use, many companies enforce minimum-length password requirements and force users to change passwords frequently. This increases the instances of forgotten passwords and increases calls to the help desk. Many times passwords are recycled on networks that require password changes at a set interval. As a result, a compromised password can potentially provide access to multiple systems for an extended period of time without the user’s knowledge. Additionally, determining whether a password has been compromised is extremely difficult. Passwords, when used in combination with other authentication methods, can increase security, but when used alone, even the best password-only system offers only minimal authentication security.

Smart Cards and SecurID™

Smart Cards and RSA SecurID™ both fall under the category of “something users have” as a method of authentication in a multi-factor authentication process. Used in combination with another method of authentication, such as a password or biometric, these items greatly increase the security of the authentication process. By depending upon possession of an item in addition to a password, the opportunity for unauthorized access is decreased.

Smart Cards are plastic cards about the size of a credit card that contain a computer chip. This embedded microprocessor allows smart cards to store data, software, or encryption keys. By requiring possession of a smart card, the likelihood of an unauthorized user being authenticated to the network is significantly reduced, enhancing security. Smart cards are also able to store information used by other authentication processes, such as a biometric template. Use of smart cards to store this type of information reduces the opportunity for such information to be compromised, thereby increasing the security of the overall authentication process. Cryptographic keys can also be stored on the smart card, and smart cards can be used in digital certificate encryption/decryption processes.

RSA’s SecurID authenticator can also be used in a multi-factor authentication scheme. Through the use of a password (something a user knows) and an RSA SecurID authenticator (something a user has), network managers can be more confident in their authentication process. The RSA SecurID security system is based upon the use of SecurID authenticators and the RSA ACE/Server. These authenticators generate a one-time passcode every sixty seconds. The combination of a user PIN and the current authenticator code is valid only for that particular user at that moment in time. RSA ACE/Server is then able to verify the code and grant access in mere seconds. RSA SecurID authenticators are now available in various types of hardware and software tokens.
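To make the "PIN plus sixty-second code" mechanism concrete, here is an added example of a server-side verifier. It is not RSA's code and does not reproduce the proprietary SecurID algorithm: the code derivation is an HMAC-SHA1 truncation in the style of RFC 4226/6238 used as a stand-in, and the shared secret, PIN, step size and clock-drift tolerance are constructed assumptions. It shows the two properties the text describes, namely that the code is tied to the current time step and that a code, once used, is never accepted again.

```python
"""Added example: verify a PIN (something known) together with a
time-based one-time code (something held). Not RSA's implementation."""
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 60  # one new code per sixty seconds, as the text describes


def code_for_counter(secret: bytes, counter: int, digits: int = 6) -> str:
    """Derive a `digits`-long code from a shared secret and a time-step counter.
    HMAC-SHA1 with dynamic truncation (RFC 4226 style), standing in for the
    token vendor's own algorithm."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def code_for_time(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """What the token would display at wall-clock time `now`."""
    return code_for_counter(secret, int(now // step))


class TokenVerifier:
    """Server-side check: PIN must match AND the code must belong to the current
    (or adjacent, for clock drift) time step AND that step must not have been
    used before."""

    def __init__(self, secret: bytes, pin: str,
                 step: int = STEP_SECONDS, drift_steps: int = 1):
        self._secret = secret
        self._salt = os.urandom(16)
        self._pin_hash = self._hash_pin(pin, self._salt)  # never store the PIN itself
        self._step = step
        self._drift = drift_steps   # steps of token/server clock skew tolerated
        self._last_counter = -1     # highest time step already consumed

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        # Salted, iterated hash so a leaked verifier database does not reveal PINs.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def verify(self, pin: str, code: str, now: float) -> bool:
        # Factor 1: something the user knows. Constant-time comparison.
        if not hmac.compare_digest(self._hash_pin(pin, self._salt), self._pin_hash):
            return False
        # Factor 2: something the user has. Accept the current step and
        # `drift` steps either side, but never a step already consumed.
        counter = int(now // self._step)
        for c in range(counter - self._drift, counter + self._drift + 1):
            if c <= self._last_counter:
                continue  # one-time: replaying an old code fails here
            if hmac.compare_digest(code_for_counter(self._secret, c), code):
                self._last_counter = c
                return True
        return False


if __name__ == "__main__":
    # Constructed secret, PIN and timestamp for a stand-alone run.
    secret = b"constructed-shared-secret"
    verifier = TokenVerifier(secret, "1234")
    t0 = 1_000_000.0
    shown = code_for_time(secret, t0)
    print("first use:", verifier.verify("1234", shown, t0))        # True
    print("replay:   ", verifier.verify("1234", shown, t0 + 10))   # False
```

The `_last_counter` bookkeeping is what turns a time-based code into a one-time passcode: without it, a code captured by keystroke monitoring or shoulder surfing (the threats listed under Passwords above) would remain valid for the rest of its sixty-second window.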

Biometrics

The International Biometric Industry Association defines biometric technologies as “an automated method of identifying or authenticating the identity of a person based upon physiological or behavioral characteristics.” Use of biometrics is an effective way to protect against unauthorized access to network resources because biometric information is based upon unique personal characteristics of a user (or something the user is). Biometric devices create electronic digital templates of physical characteristics that are stored and compared to ‘live’ images when there is a need to verify the identity of an individual. These templates are highly compressed images that represent a fingerprint, iris, or other physical characteristic. Proprietary and carefully guarded algorithms secure these templates and protect them from disclosure. A combination of one or more of the above token and knowledge methods of authentication with biometric technology provides a high level of security and reliability in the authentication of users.

PASSAGE 3.0

Passage 3.0 was conceived to bring strong, multi-factor authentication to the enterprise information security market. Passage supports user authentication via one or a combination of password, smart card, biometric, or SecurID token. Competing products typically focus on a limited number of authentication technologies and are tied to a specific piece of hardware. Most often, these products focus on only one authentication methodology. Typically, companies that manufacture their own hardware devices provide solutions tied to their device. Biometric companies typically provide biometric-only solutions and smart card manufacturers provide smart card-only solutions. In contrast, Passage combines biometric and smart card authentication in a proven product and even incorporates password-only and SecurID authentication, thereby creating a true multi-factor authentication solution that can greatly increase the security of your network.

Passage also makes it easier to manage complex security. Single Sign-on capabilities are integrated in Passage, providing a way for end-user credentials to be managed and eliminating the need for multiple passwords to be maintained. Some of the platforms supplied with credentials after a user has been authenticated to Passage include operating systems such as Windows 95/98/NT/2000 and Novell, PKIs including Entrust, and applications such as Lotus Notes. Using Passage Assist, a feature of Passage 3.0, the list of supported applications can be expanded to include virtually any Windows-based dialogue or Web form. Platform credentials are stored in the Credential Bank, which can be located either remotely on the Passage Authentication Server or locally on the user’s smart card. By storing credentials locally and remotely, Passage provides unparalleled security to both networked and mobile users.

Another hallmark of Passage 3.0 is its unparalleled flexibility. Passage allows administrators to choose the method of authentication for each user and offers a choice between storing the credentials locally, remotely, or both. By allowing administrators to choose the method and combination of authentication schemes, Passage gives administrators tremendous flexibility to determine how and when they will deploy Passage.

Corporate Headquarters:

6564 Loisdale Court, Suite 100, Springfield, VA, 22150, USA Tel +1 703 922 4600 Fax +1 703 922 4603

Sales Headquarters:

40 Wall Street, 46th Floor, New York, NY, 10005, USA Tel +1 212 514 8300 Fax +1 212 514-5676

Technical Headquarters:

3909 Midlands Road, Williamsburg, VA, 23185, USA Tel +1 757 941 2500 Fax +1 757 941 2539

www.3gi.com [email protected]

© 2000 3-G International, Inc. (3GI) All rights reserved.

ACE/Server™ and SecurID™ are registered trademarks of RSA Security Inc. All other trademarks are the property of their respective owners.
