We kick off the new year with a look at authentication from two perspectives. First, Mike Lipinski puts multifactor authentication devices through their paces. He found that this category has continued to grow since we looked at it last year. He also found that users of these products need to balance their security requirements against their appetite for risk.
SC Lab Manager Mike Stephenson brought a collection of biometric devices into the lab and was a bit surprised to find that most of the products were intended to manage physical rather than logical access. That is a distinct change from last year. However, as Lipinski points out, the level of data breaches over the past year has been high and appears to be getting higher. That means that access to sensitive data needs to be controlled, perhaps as never before.
Controlling access has three primary aspects: identification, authentication and authorization. Strong identification and authentication are critical to the third piece of the puzzle, authorization. An authorization decision assumes that the user is who they claim to be and has proven it, so it is only as trustworthy as the authentication behind it. If an intruder can get into the system as an authorized user, that intruder inherits the legitimate user's access rights in full. That is not a good thing, and the remedy is strong authentication.
Sadly, strong authentication has its drawbacks. One is management: deployment, provisioning and the other tasks required to set up many users, sometimes thousands, and get each of them working with the authentication device. Once deployment is complete, the next challenge is support. Multifactor and biometric authentication devices are notoriously difficult to support because they usually are physical devices that can be damaged or lost, and every loss means a recovery and re-enrollment process.
I carry a biometric authentication device and, while I find it very convenient to use and comforting to know that it is nearly impossible to get anything useful off my computer, I know that if it is lost or damaged all of that convenience is going to be paid for very quickly and, perhaps, dearly. No matter. For me, at least, as CISO for a university I am more comfortable with the potential inconvenience than I would be with the prospect of some of the things that I carry on my notebook becoming public. So it is a matter of balancing risk and convenience, as well as balancing security and risk.
After all, which is more inconvenient: explaining to your boss how your organization is likely to be the target of a class action lawsuit because your unprotected laptop was stolen in an airport, or wiping your finger across a biometric sensor or entering a PIN and inserting a smart card? Like most security protections, though, these authentication tools are only one part of defense-in-depth. In the case of the notebook, the depth comes from both the authentication and the disk encryption: the authentication keeps a thief out of a running session, and the encryption keeps the data unreadable if the thief simply pulls the drive.
However, back at the desktop, there are also combinations of security functionality that give depth. In my case, my laptop spends almost all its life on my desk. But I leave it alone from time to time, and all I need to do is lock it; anyone who wants to steal it is, as far as I am concerned, welcome to try.
The decision to use biometrics or multifactor authentication might not be as tough as it sounds. Adding a password or PIN (something you know) to a biometric device (something you are) makes it multifactor; two secrets of the same kind, such as a password plus a PIN, do not. The question becomes: Is it necessary to have all that access control or is it overkill? That depends on what you are trying to protect. My rule of thumb is that if it is worth protecting it is worth some form of multifactor authentication. I have a button in my office that has a circle with a line through it and the word "passwords" inside: "No Passwords." I support that almost all of the time.
However, when you have that really sensitive stuff on a laptop that can be stolen easily and without you knowing it, the answer is biometrics and encrypted drives. If the fate of the nation is at stake and you are traveling in hostile territory, you might want to consider adding that PIN to your biometrics.
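The point above, that a second factor only counts when it comes from a different category, is easy to get wrong in a verifier. The following is an added example, not code from the column or from any of the products reviewed. It models a knowledge factor (password or PIN, stored as salted PBKDF2 hashes) and a possession factor (an RFC 6238 TOTP token, standing in for the hardware tokens and smart cards discussed above; biometrics are not simulated). The account model, the constant names and the one-step clock-drift allowance are assumptions made for this illustration.

```python
"""Toy multifactor verifier: accept only when two distinct factor categories are proven.
Added example; not from the column. Account layout and names are assumed."""
import hashlib
import hmac
import os
import struct

# Factor categories. Inherence (biometrics) is left out because it cannot be simulated here.
KNOWLEDGE, POSSESSION = "knowledge", "possession"


def derive(secret: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 verifier so a stolen hash table is expensive to reverse."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP on top of RFC 4226 HOTP: HMAC-SHA1 over the time counter,
    dynamic truncation to 31 bits, then reduced to `digits` decimal digits."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """Assumed account record: two knowledge secrets (hashed) and one shared token key."""

    def __init__(self, password: str, pin: str, totp_key: bytes):
        self.knowledge = {}
        for name, value in (("password", password), ("pin", pin)):
            salt = os.urandom(16)
            self.knowledge[name] = (salt, derive(value, salt))
        self.totp_key = totp_key  # shared with the user's token, i.e. the possession factor


def check_knowledge(acct: Account, name: str, value: str) -> bool:
    salt, expected = acct.knowledge[name]
    return hmac.compare_digest(derive(value, salt), expected)


def check_totp(acct: Account, code: str, now: int, drift_steps: int = 1) -> bool:
    """Accept the current 30 s step and up to `drift_steps` earlier ones for clock skew."""
    return any(hmac.compare_digest(totp(acct.totp_key, now - 30 * d), code)
               for d in range(drift_steps + 1))


def authenticate(acct: Account, now: int, password=None, pin=None, code=None):
    """Return (accepted, categories_proven).

    Accepted only when two *distinct* categories are proven. A correct password
    plus a correct PIN still proves only KNOWLEDGE and is therefore rejected."""
    proven = set()
    if password is not None and check_knowledge(acct, "password", password):
        proven.add(KNOWLEDGE)
    if pin is not None and check_knowledge(acct, "pin", pin):
        proven.add(KNOWLEDGE)
    if code is not None and check_totp(acct, code, now):
        proven.add(POSSESSION)
    return len(proven) >= 2, proven


if __name__ == "__main__":
    key = os.urandom(20)                      # constructed token secret for the demo
    acct = Account("correct horse", "4821", key)
    now = 1_700_000_000
    # password + PIN: two secrets, one category, not multifactor
    print(authenticate(acct, now, password="correct horse", pin="4821"))
    # PIN + token code: two categories, accepted
    print(authenticate(acct, now, pin="4821", code=totp(key, now)))
```

The set of proven categories, rather than a count of successful checks, is what drives the decision; that is the check a reviewer should look for in any product that claims to be multifactor.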