Regarding multi-factor authentication schemes

Security Fundamentals - Gary Rollinson
noahscales
Posts: 48
Joined: Tue Feb 09, 2010 5:51 pm

Regarding multi-factor authentication schemes

Post by noahscales » Wed Sep 08, 2010 8:38 pm

From what I remember learning in cis193, Linux security, authentication schemes can rely on information about:

* what you have (e.g., a security card)
* what you know (e.g., a password)
* what you are (e.g., your thumbprint)

I guess I'm wondering whether multi-factor authentication is in common use yet. I've seen a few laptop models that come with integrated fingerprint readers, and companies sell token devices, either plug-in tokens, or number generators whose output is specific to the token. All that's left is passwords.

I would like more security, at least where I work, to prevent access. Of the two alternatives to passwords, I dislike biometrics because, if the biometric data is compromised, now someone else can potentially fake being something you are (for example, a person with a particular set of fingerprints). Highly illegal of course, but that's just second-nature for those nasty Russian hackers...

Here's an example of a hardware token: http://www.rsa.com/node.aspx?id=1156

Does anyone else have a take on all this?

-Noah

Kyle Rudnick
Posts: 3
Joined: Tue Aug 31, 2010 5:38 pm

Re: Regarding multi-factor authentication schemes

Post by Kyle Rudnick » Thu Sep 16, 2010 3:58 pm

noahscales wrote: I guess I'm wondering whether multi-factor authentication is in common use yet. I've seen a few laptop models that come with integrated fingerprint readers, and companies sell token devices, either plug-in tokens, or number generators whose output is specific to the token. All that's left is passwords.

It wouldn't surprise me if multi-factor authentication is in common use in a corporate environment. At least ones with good security ideals. As for laptops with fingerprint readers, I've seen them before and more than anything they seem like a flashy toy. Duplicating someone's fingerprints from any smooth surface someone has touched takes but some spare time, a few materials, and a good 'how-to' guide.

When it comes to plug-in tokens, the only problem I might possibly see is malware that could snoop on the USB traffic, recording challenge/response and the like.

As for the link to the RSA authenticator you gave, it seems like an easily implemented and effective security measure.

noahscales
Posts: 48
Joined: Tue Feb 09, 2010 5:51 pm

Re: Regarding multi-factor authentication schemes

Post by noahscales » Thu Sep 16, 2010 5:29 pm

Well, yeah, protecting sensitive information becomes more important when the hard stuff becomes easier.

Scientific American ran an article last year about advances in side-channel hacking. Once that stuff becomes commonplace (as in, download this freshmeat.net software, go to Radio Shack and buy a decent microphone - I'm thinking of keyboard emanation interpretation), password authentication basically won't work, unless the password is a one-time password (and now we're talking security tokens).

Meanwhile, basic security precautions are what usually get missed, or some configuration error, or a user doing something outside security policy, so the far-out things don't matter, but for strong security in really sensitive environments where everyone does their best (and it HAS to be a team effort, one paranoid person is not enough), I think the idea would be to use multi-factor authentication so that the users have to meet multiple criteria to log in or access data, rather than just switching from passwords to tokens to biometrics.

Also, I get lazy, so I want more cushion when I fall... :)
