Two Factor Authentication: Enterprise Security Architecture
January 6, 2011 2 Comments
For many years now its been a standard practice to have a username and a password to access an enterprise service, internally in the organization or access resources over the internet via a VPN or web service. Today, the chances are most systems are still being accessed using this simple authentication model. Its like in the 70s, you had one key to unlock your car and start your vehicle. Before the car manufacturers installed immobilizers and anti-theft electronics with encrypted 2/3 way remote keys, anyone could get into your vehicle, without the deadlocks (and without breaking glass), and hotwire your car and be away down the road in less than 25 seconds. I like to think of this example as a one factor authenticated user on a enterprise network. I have a username and a password (my key to unlock the car) and get going.
Two Factor Authentication (TFA,2FA) has been around for many years. It is the basics of something you know (a password or a pin) and something you have, a token. Now we are moving onto the realm of immobilizer with a key fob. That sounds great, but as always there is a cost associated with the value of having one time passwords provided by tokens, providing the ultimate security architecture for authenticaton. One time passwords (OTP) are the best method as a security measure. Thats said, I’m not discussing Multi-Factor Authenciation (MFA) in this post which offers additional security.
Over the years the cost of TFA has come down considerably and should be considered as a inherent part of the security architecture in any organization. For example, if your still not convinced, lets look at the very basics of how someone might try to hack into your system:
1) Well known passwords: A dictionary attack tends to try most common dictionary words. A dictionary database is used as part of the hacking program to attempt to crack the password. As the power of computers increase, any number of passwords in a dictionary can be exhaustively tried within a matter of minutes. Companies usually include security controls to lockout accounts within a number of failed attempts within a set period of time to protect against this type of attack. Controls and policies are also put into place to force complex passwords (passwords with upper case and lower case characters, numbers and other non alphabetic characters) and require them to be changed after a set number of days.
2) Key logger/Malware: Lets put the above control in place, and any malware (Malicious Software) can record and send back screen shots and key strokes you have typed on your keyboard without your knowlege on a regular basis to a server over the internet. This is a basic example of how the basic enterprise security policies can fail.
3) Try common usernames and passwords: How often do you create test accounts, which may not have policies applied for account expiration and for password changes?
In the past I have found the following username/password combinations during basic security checks:
Whilst this might seem like a simple approach to trying to hack test accounts, how many of you may have used the above combinations in the past? Even though this post discusses usernames and passwords, the same applied to well known usernames and passwords for network devices.
4) Shoulder surfing/internal threat: Someone walks by your desk and watches you login to your account and sees the keystrokes.
5) Can you remember where you wrote down your passwords, because you have so many to remember to access all the corporate systems?
As well as two factor authenication, it would be ideal to integrate all the corporate systems with a common security directory e.g. Microsoft Active Directory Domain Services (ADDS). The TFA model can then be integrated with ADDS and ensure access to applications is secured using the same model, thus providing an extra factor of security within the enteprise.
Which vendor should you choose?
I have listed the most commonly know vendors below:
Don’t forget to ensure the security architecture should apply internally as well as externally. Any externaly accessible IP address which provides access to the corporate systems should follow the same standards. Now a question comes to mind for a future post? How does this affect Cloud Computing – another post for a later date. I will be discussing the security standards an enterprise should consider when moving to the cloud.