Authentication Rollout Turns Into Control Issue

Computerworld - One-time passwords, tokens, smart cards and public-key infrastructure are all excellent methods for creating access- control architectures. My company is in the process of implementing a token-based infrastructure for access to our critical servers and network devices and for remote virtual private network (VPN) access into specific areas of our corporate network. The tokens are time-based, one-time password-generating products and are good at providing the two-factor authentication necessary for allowing access to critical devices.

Implementing security usually carries a cost. I'm referring not to the acquisition cost, but to the planning required. Take something as simple as changing the Windows NT domain password policy. The technical procedures are straightforward: It's often a simple matter of installing a product such as San Ramon, Calif.-based Master Design & Development Inc.'s Password Bouncer or Passfilt.dll, which comes with Microsoft Corp.'s Windows NT and 2000.

Hidden Costs

However, the consequence of that policy may be an increase in help desk support calls from thousands of users who can't remember even simple passwords. Changing policy or introducing security technology often requires a considerable amount of planning. And the projects inevitably raise concerns about usability vs. productivity, convenience vs. security and risk vs. reward. The security department has to make decisions that may be perceived as impeding the company's business and operations. That's what happened in my organization, and I'm still struggling to find a solution.

We selected tokens that are time-based and that can be used only once. The system generates a number that's algorithmically matched to a central server. A user must enter a valid passcode, which is his personal identification number (PIN) plus the number displayed on the token. Then he must wait for the system to generate a new token number before he can authenticate again.

THISWEEK'SGLOSSARY Two-factor authentication: This authentication method requires users to provide something that they have (a token) and something that they know (a PIN). The user creates the PIN when the token is first used. Subsequent uses require the combination of the PIN and the generated number on the token. SECURITYBOOKSHELF: Authentication: From Passwords to Public Keys, by Richard E. Smith (Addison-Wesley Publishing Co., 2001): Few books are available on authentication, but even if there were more, I would still highly recommend this title. Smith takes complicated areas of access control and presents them in an easily understood format. Along the way, he covers not only the benefits of specific technologies, but also the drawbacks. LINKS: Visit Master Design & Development Inc.’s Web site for information on Password Bouncer, a great tool for automating password security on Windows servers. Microsoft’s Passfilt.dll is supplied with Windows NT Service Pack 2. It allows administrators to implement a strong password policy without having to write their own filters.