September 1, 2009 Sponsored by Quest
An information system protected by passwords isn't really all that safe. Simple passwords can't ward off invaders who employ sophisticated hacking tools. And longer, complex passwords might actually make a network less secure, not more.
The problem arises when complex passwords become so hard to remember that users write them down. "They're sitting there with a sticky note on their monitor containing their password," said Steve Eaton, information security architect for Oklahoma City. The supposedly secret key that unlocks access to sensitive information systems goes on display for anyone who walks past the desk.
Anticipating security gaps of that kind, Oklahoma City's IT officials decided passwords were no longer up to the job of controlling access to the city's information systems. Those systems include a 620-square-mile Wi-Fi mesh network that serves more than 900 police officers, firefighters and other city employees. So the IT department started to investigate two-factor authentication.
In two-factor authentication, a user who wants to access an information system must present two distinct forms of identification. The first is something the user knows - often a personal identification number (PIN). The second is something the user has - such as a smart card or electronic token - to prove that he really is the person he claims to be.
Oklahoma City already had some experience with this technology. A small number of city employees used hardware tokens for remote access through a virtual private network (VPN). Those tokens were expensive, though. "They weren't cost-effective to deploy throughout the entire organization," Eaton said.
Smart cards would be less costly, but they raised another challenge. The city would have to connect a card reader to each computer. That second piece of hardware would be cumbersome to deploy, especially on mobile computers.
City officials then focused on token-based systems. In their evaluations, they considered several criteria.
First, the technology had to integrate well into the city's IT environment. "Primarily we wanted to integrate with Active Directory, so we could leverage our current infrastructure," Eaton said. Oklahoma City already used Microsoft's Active Directory to manage systems and users throughout the enterprise; IT officials wanted to use that same service to manage authentication.
Not every authentication system on the market offers that option. "A lot of systems have their own internal user identification systems," Eaton said. Administrators must populate those systems with data that already resides in Active Directory. If they can't replicate the data automatically, they have to enter it by hand. "That provides a lot of management overhead," he said.
The city needed an inexpensive system, and one that was compatible with the encryption software it planned to deploy on the wireless network. Also, since 5,000 people would be using the new solution, it had to be easy to implement.
And users had to be able to register their tokens themselves. "That was one part of the deployment strategy that was critical, and there weren't too many systems that had that," Eaton said.
During the registration process, a user chooses a PIN and receives a token. IT administrators didn't want to know users' PINs, so if users couldn't self-register from their desktops, they would need to visit the IT department to do the transaction in person. Administrators wanted to avoid that cumbersome process.
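To make the mechanics concrete, the following is an added example (not code from Quest Defender or from the city's deployment) of the two-factor exchange described above: the user self-registers by choosing a PIN and receiving a token, and later logs in with the PIN (something known) plus the number the token displays (something possessed). It assumes an event-based HOTP token as specified in RFC 4226, which is one common way such tokens generate their numbers; the page does not say which algorithm Defender's tokens use, so that choice, along with the user name, PIN and token secret, is a constructed assumption. The server stores only a salted hash of the PIN, so administrators never learn it.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo secret: the seed from the RFC 4226 test vectors.
# A real token would be provisioned with a random secret at registration.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time password: HMAC-SHA1 over a counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # low nibble picks 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """The 'something you have': each press shows the next code and bumps the counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class TwoFactorServer:
    """Toy authentication server holding PIN hashes and token secrets (hypothetical)."""

    def __init__(self, look_ahead: int = 5):
        self.users = {}
        self.look_ahead = look_ahead   # tolerate a few unused token presses

    def _hash_pin(self, pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def register(self, username: str, pin: str, token_secret: bytes) -> None:
        """Self-registration: the user picks the PIN; only its salted hash is stored."""
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "pin_hash": self._hash_pin(pin, salt),
            "token_secret": token_secret,
            "counter": 0,              # next token counter the server expects
        }

    def authenticate(self, username: str, pin: str, otp: str) -> bool:
        """Both factors must check out; a code is accepted at most once."""
        user = self.users.get(username)
        if user is None:
            return False
        pin_ok = hmac.compare_digest(self._hash_pin(pin, user["salt"]), user["pin_hash"])
        start = user["counter"]
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(user["token_secret"], c), otp):
                # Consume the code even when the PIN is wrong, so a stolen token
                # cannot be reused to guess PINs against the same code.
                user["counter"] = c + 1
                return pin_ok
        return False


def demo() -> list:
    """Walk through registration, a good login, a replay and a wrong PIN."""
    server = TwoFactorServer()
    token = Token(RFC4226_SECRET)
    server.register("alice", "4829", RFC4226_SECRET)   # constructed user and PIN
    code = token.press()
    first = server.authenticate("alice", "4829", code)   # both factors correct
    replay = server.authenticate("alice", "4829", code)  # same code again
    bad_pin = server.authenticate("alice", "0000", token.press())
    return [first, replay, bad_pin]


if __name__ == "__main__":
    print(demo())
```

The `look_ahead` window is the practical trade-off in event-based tokens: too small and a user who pressed the button a few times without logging in gets locked out, too large and an attacker holding an old code gets more chances. Time-based tokens replace the counter with a time step and face the analogous clock-drift question.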
After evaluating five candidates, Oklahoma City's IT department chose Quest Software's Defender two-factor authentication solution. "It met all of our criteria and more," Eaton said.
One of the extra benefits Defender provides is the ability to use software-based tokens. Instead of carrying a hardware token that generates a one-time numeric code for the user to enter as the second form of identification, a user can receive those codes on a wireless phone or other mobile device. "They have BlackBerry tokens that