FRANKLIN – How many times have you walked by someone's workstation and seen a Post-It Note lying next to the keyboard with a password written on it? Or logged on to a secure web site with your pet's name as your password? Every day, we access data using simple user names or passwords.

The trouble is that, since we rely on our memory for most passwords, they can't be very complex. Password policies that are hardened with cryptic passwords that change every month prompt people to write them down and leave them next to their keyboards, opening the door to intrusion.

Using single passwords to access data, sign on to corporate resources or administer digital certificates is one-factor authentication. Using a second authentication method – like a unique smart card or token – is two-factor authentication. Strong two-factor authentication reduces the chance that password-protected applications can be compromised.

As the name implies, two-factor authentication is the combination of two authentication methods. An example is a traditional password and a USB token or smart card. There are three major functions that two-factor authentication provides: enhanced security and safe information access, improved password and ID management, and secure mobility of digital credentials, certificates and keys.

Most tokens make using complex passwords a snap by storing the username or password for any web site, Windows-based application or Windows-based network credentials directly on the smart card. IT personnel can add or modify passwords directly on the token, eliminating the need to remember them.

Because the passwords no longer need to be remembered, they can be complex or even randomly generated. Of course, the user must authenticate (the smart card is accessed with a PIN, making it two-factor authentication), but after that, access to any approved resource is automatic. Another valuable aspect of password management is the ability for the company to manage a user's rights by injecting or revoking access to resources directly on the token. If the smart card is damaged, lost or stolen, all rights can instantly be revoked and then re-applied to a new unique token from the token management system.

Tokens can also operate, generate and store public keys and digital certificates, allowing users to authenticate, encrypt, sign and decrypt electronic transactions with a portable and easy-to-use device.

Tokens are generally USB devices managed through a client application on the user's desktop. When used with One-Time Password (OTP) technology, the token can be used in detached mode, becoming completely portable with access to resources from any internet-connected system. The OTP devices require authentication with a central server that grants access to resources based on provisioning rules.

Two-factor authentication that uses some type of smart card or token is typically successful because it closes the security gap. Most IT personnel or management believe corporate information security is largely the responsibility of the users. Most users, conversely, believe the company is responsible for maintaining security. Tokens are easy to use for anyone who can remember one complex password and are a great tool for managing user access to corporate resources, satisfying both sides' security needs.

There are a few smart card vendors that enable two-factor authentication; some have more complete offerings than others. But most have cost-effective products and some even offer flexible subscription-based plans that make implementing two-factor authentication painless.

David Harnadek is President of Internet Security Corporation, a provider of security solutions and managed security services. He can be reached at (248) 757-2626 or on the web at InternetSecurityCorp.Com