As malicious hackers and identity thieves become more sophisticated, a password is no longer a foolproof way to control remote access to a government network. Increasingly IT managers turn to two-factor authentication to add a second electronic lock to the door that guards their organization's information systems.
The keys used to unlock authentication systems come in three varieties: something you know, such as a memorized password or personal identification number (PIN); something you have, perhaps a swipe card or an access badge; or something you are, established by a fingerprint or retinal scan, for example.
A two-factor authentication system requires a user to present two keys, chosen from two of the three categories, to get into a network. If you've ever inserted a debit card in an automated teller machine and then entered your PIN, you're familiar with the concept.
Two Are Better Than One
Two-factor authentication is becoming more popular in government.
"Post-9/11, there's a definite need to secure local government agencies," said Martin Naughton, IT director of Roselle, N.J.
In 2005, Roselle implemented the ProtectID authentication system from StrikeForce Technologies to protect confidential information on the network used by all municipal employees, including personnel who access applications from their desktops, and department heads and others who sometimes use a virtual private network (VPN) to log on remotely.
Before 2005, Roselle used Microsoft Windows Authentication, which required a user name and password to access the network. That didn't offer enough protection, Naughton said, because when an employee used the network to access the Internet, he or she sometimes encountered Web sites that installed spyware or other invasive code.
"People in the outside world would be able to access local passwords, possibly gain access to our network, and then go into the police department network," he explained.
To increase security, the IT department required users to change their passwords on a regular basis, but many refused, according to Naughton.
"If they did change it, they would forget what they changed it to over the weekend," he said. "That would require my time to reinitialize the password for them."
When Naughton researched two-factor authentication, he was especially interested in solutions that use tokens. A token is a "something you have" form of authentication that displays an identification code, and is usually small enough to fit on a key chain. Some tokens can be programmed to generate and display a series of pseudo-random numbers that change at regular intervals, for example, every 60 seconds.
To access the network, the token user enters the code currently displayed by the token at the given time. A token may also plug directly into a computer via the USB port, providing the current code automatically.
Naughton said he was drawn to the two-factor system because StrikeForce offered software-based tokens along with the hardware tokens with electronic displays -- something Roselle might consider in the future. Software-based tokens can run on desktop or notebook computers, BlackBerries, personal digital assistants or cell phones enabled with Java or BREW software.
With the network protected by two-factor authentication, a user is still required to enter a password to log on, and then also enters the code currently shown on the token. Each token is registered on an authentication server, which runs the same algorithm as the token. The token and server are synchronized so that when the token code changes, the authentication server makes the same change.
"Every 60 seconds, the software that's running on the server also changes its six-digit number to correspond with the number on the key ring," said George Waller, executive vice president of StrikeForce.
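The time-synchronized scheme Waller describes, as an added illustration that is not StrikeForce's ProtectID code: the token and the server share a secret and both derive a six-digit code from the current 60-second time step, so the server can recompute what the token should be showing. The generation step here follows the published RFC 6238 (TOTP) construction, which is an assumption for illustration, not the vendor's proprietary algorithm; the shared secret and timestamps are constructed sample values.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample secret provisioned to one token and registered on the server.
SHARED_SECRET = b"roselle-demo-secret-not-a-real-key"
STEP_SECONDS = 60  # the article's 60-second rotation
DIGITS = 6         # the article's six-digit display


def token_code(secret: bytes, unix_time: int,
               step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Code the token displays at unix_time.

    Both sides compute HMAC-SHA1 over the time-step counter (unix_time // step)
    and dynamically truncate the digest to the requested number of digits,
    so a token and a server with the same secret and clock agree.
    """
    counter = unix_time // step
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                           # low nibble picks the window
    window = digest[offset:offset + 4]
    binary = struct.unpack(">I", window)[0] & 0x7FFFFFFF # clear sign bit
    return str(binary % (10 ** digits)).zfill(digits)


def server_verify(secret: bytes, submitted: str, unix_time: int,
                  drift_steps: int = 1) -> bool:
    """Server side of the check.

    Recompute the code for the current step and for +/- drift_steps neighbours,
    so a token whose clock has drifted by up to one interval is still accepted.
    Constant-time comparison avoids leaking how many digits matched.
    """
    for delta in range(-drift_steps, drift_steps + 1):
        candidate = token_code(secret, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    shown = token_code(SHARED_SECRET, now)
    print("token shows:", shown)
    print("server accepts:", server_verify(SHARED_SECRET, shown, now))
```

Because the server only tolerates a small drift window, a token whose clock falls further out of step needs to be resynchronized before its codes are accepted again.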
In case a user misplaces or damages a token, Roselle has also chosen a backup