In today’s network environments, perhaps the greatest vulnerability is the loosely defined perimeter of the organization. In times past, an organization’s computing took place inside a brick-and-mortar computer room. That model evolved into distributed computing, where processing took place anywhere inside the physical building. Once the laptop was introduced, the perimeter was extended again. Each extension of the perimeter opens new security holes. They are:
Wireless networks — These extend the core network to areas nearby but outside the physical building, including roads, parking lots and adjacent properties. With the weaknesses of wireless security well established, a wireless network can become an entry point for unauthorized users.
Webification — Legacy applications that were once reachable only by someone with physical access to the building are increasingly made available over the internet. These applications were never designed to be exposed this way, yet today they are a critical part of an organization’s access to its infrastructure.
Remote access and VPNs — Users with laptops now rely on remote connections as a routine way to reach the network, and the credentials that protect these connections are a common target for attackers.
The network — As networks grow in size and complexity, it becomes harder to determine where the network begins and ends. That makes it easier for rogue devices to end up on the network in violation of the organization’s security policy.
What is the simplest answer to all of these problems, and the most direct path to compliance with current legislation? Two-factor authentication is often the best one. Whether the authentication is for a VPN connection, a wireless network, a web-enabled application, or a critical device such as a router or firewall, two-factor authentication provides greater assurance that the user on the connection is the authorized user and not someone who has merely obtained that user’s password.
Two-factor authentication often relies on one-time passwords: passwords that are valid for a single logon to a device, application or network. This protects the resource against replay of the password, where an unauthorized user captures a password in transit and later presents the same password to authenticate. Note that a one-time password defeats replay only; an attacker who relays a freshly captured code to the real server before it has been used or has expired can still log on once, so the connection itself still needs protection such as TLS or the VPN tunnel.
Two-factor authentication combines at least two of the following three elements:
Something the user is. These are biometric or behavior-based methods, which rely on a characteristic unique to the user, for example a fingerprint.
Something the user knows. This is the most common single-factor authentication; examples include passwords, passphrases and PINs.
Something the user has, for example a hardware device. The most common form of two-factor authentication gives the user a token, which adds something the user has to something the user knows (most often a password or PIN). The token can be a USB device, a key fob that displays a one-time password, a card printed with a one-time password chart, or a smart card. A biometric reader is sometimes bundled with such a token, but the biometric itself counts as something the user is, not something the user has.
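The replay protection that one-time passwords provide, and the role of the “something the user has” token, can be made concrete with a small example. The following Python is added here as an illustration and is not code from any product in this Group Test. It implements the HOTP algorithm from RFC 4226 (a truncated HMAC over a counter that both the token and the server keep) together with a server-side verifier that accepts each counter value only once, so a code an attacker captured cannot be replayed. The shared secret and the size of the look-ahead window are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for the demonstration; a real token's seed would be
# provisioned out of band and would never appear in source code.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226).

    The token and the server both keep a counter; each code is the
    dynamically truncated HMAC-SHA-1 of that counter under the shared secret.
    """
    counter_bytes = struct.pack(">Q", counter)           # 8-byte big-endian counter
    mac = hmac.new(secret, counter_bytes, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one token.

    Each counter value is accepted at most once, which is what stops an attacker
    who captured a code from logging on with it a second time. A small look-ahead
    window (an assumption here, 5 codes) tolerates codes the user generated on
    the fob but never submitted.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead
        self.next_counter = 0   # lowest counter value still acceptable

    def verify(self, code: str) -> bool:
        window = range(self.next_counter, self.next_counter + self.look_ahead + 1)
        for candidate in window:
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, code):      # constant-time comparison
                # Burn this counter and every earlier one: a replay of this
                # code, or of any older code, will now be rejected.
                self.next_counter = candidate + 1
                return True
        return False


def replay_demo() -> dict:
    """A legitimate logon, a replay of the same code, and the next code."""
    server = HotpVerifier(DEMO_SECRET)
    first = hotp(DEMO_SECRET, 0)                 # what the key fob displays first
    return {
        "first_login": server.verify(first),             # True
        "replayed_code": server.verify(first),           # False: counter 0 is burned
        "next_code": server.verify(hotp(DEMO_SECRET, 1)),  # True
    }


if __name__ == "__main__":
    for c in range(3):
        print(f"counter {c}: {hotp(DEMO_SECRET, c)}")
    print(replay_demo())
```

The counter is the server’s record of which codes have already been spent; with a time-based variant the same idea applies, with the time step standing in for the counter and a short validity window taking the place of the look-ahead.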
In our testing, most products supported all or most of these options. In some cases the cost of the hardware, or the burden of carrying it, led the manufacturer to also offer a software client that generates the one-time password. Bear in mind that a software token installed on the same laptop that holds the password weakens the separation between the two factors: whoever controls that machine holds both.
Most products fell into one of two categories: enterprise two-factor authentication, which provides a large implementation for a large user community, and standalone two-factor authentication, which secures access to a single laptop by modifying its existing login. Most implementations used a software component installed on a server (most often Windows 2000 Server or Windows Server 2003).
The standalone devices often take the form of a secure USB flash drive, which provides protected storage in addition to the one-time password component. This is a useful feature, since authentication is required before the flash drive’s storage can be read, which makes it a good place to keep digital certificate files, a password list or other sensitive data.
How we tested
We installed each product and, in most cases, activated its two-factor authentication device. Once the device was active, we used the product’s interface to attempt to authenticate.
- Mike Stephenson contributed to this Group Test.