As malicious hackers and identity thieves become more sophisticated, a password is no longer a foolproof way to control remote access to a government network. Increasingly, IT managers turn to two-factor authentication to add a second electronic lock to the door that guards their organization's information systems.
The keys used to unlock authentication systems come in three varieties: something you know, such as a memorized password or personal identification number (PIN); something you have, perhaps a swipe card or an access badge; or who you are, established by a fingerprint or retinal scan, for example.
A two-factor authentication system requires a user to present two keys, chosen from two of the three categories, to get into a network. If you've ever inserted a debit card in an automated teller machine and then entered your PIN, you're familiar with the concept.
Two Are Better Than One
Two-factor authentication is becoming more popular in government.
"Post-9/11, there's a definite need to secure local government agencies," said Martin Naughton, IT director of Roselle, N.J.
In 2005, Roselle implemented the ProtectID authentication system from StrikeForce Technologies to protect confidential information on the network used by all municipal employees, including personnel who access applications from their desktops, and department heads and others who sometimes use a virtual private network (VPN) to log on remotely.
Before 2005, Roselle used Microsoft Windows Authentication, which required a user name and password to access the network. That didn't offer enough protection, Naughton said, because when an employee used the network to access the Internet, he or she sometimes encountered Web sites that installed spyware or other invasive code.
"People in the outside world would be able to access local passwords, possibly gain access to our network, and then go into the police department network," he explained.
To increase security, the IT department required users to change their passwords on a regular basis, but many refused, according to Naughton.
"If they did change it, they would forget what they changed it to over the weekend," he said. "That would require my time to reinitialize the password for them."
When Naughton researched two-factor authentication, he was especially interested in solutions that use tokens. A token is a "what you have" form of authentication that displays an identification code, and is usually small enough to fit on a key chain. Some tokens can be programmed to generate and display a series of pseudo-random numbers that change at regular intervals, for example, every 60 seconds.
To access the network, the token user enters the code the token is displaying at that moment. A token may also plug directly into a computer via the USB port, providing the current code automatically.
Naughton said he was drawn to the two-factor system because StrikeForce offered software-based tokens along with the hardware tokens with electronic displays -- something Roselle might consider in the future. Software-based tokens can run on desktop or notebook computers, BlackBerries, personal digital assistants or cell phones enabled with Java or BREW software.
With the network protected by two-factor authentication, a user is still required to enter a password to log on. He or she then also enters the current code from the token. Each token is registered on an authentication server, which runs the same algorithm as the token. The token and server are synchronized so that when the token code changes, the authentication server makes the same change.
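The token/server synchronization described above, sketched as an added example that is not StrikeForce's code: the article does not say which algorithm ProtectID uses, so this uses the public HOTP/TOTP construction (RFC 4226 and RFC 6238) as a stand-in, with six-digit codes on a 60-second interval. The `AuthServer` class, its one-interval drift window and its replay check are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # interval after which the displayed code changes
DIGITS = 6         # length of the displayed code

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def token_code(secret: bytes, now: float) -> str:
    """What the token displays at Unix time `now` (token side)."""
    return hotp(secret, int(now) // STEP_SECONDS)

class AuthServer:
    """Hypothetical server: stores each token's secret and last accepted interval."""

    def __init__(self, drift_steps: int = 1):
        self.drift_steps = drift_steps  # tolerate small clock drift
        self.secrets = {}
        self.last_used = {}

    def register(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret
        self.last_used[user] = -1

    def verify(self, user: str, code: str, now: float) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        current = int(now) // STEP_SECONDS
        for step in range(current - self.drift_steps,
                          current + self.drift_steps + 1):
            if step <= self.last_used[user]:
                continue  # interval already consumed: reject replayed codes
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(hotp(secret, step), code):
                self.last_used[user] = step
                return True
        return False
```

Because both sides derive the code from a shared secret and the current interval, nothing needs to travel from server to token after registration; the drift window is what keeps a slightly slow token clock from locking a user out.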
"Every 60 seconds, the software that's running on the server also changes its six-digit number to correspond with the number on the key ring," said George Waller, executive vice president of StrikeForce.
In case a user misplaces or damages a token, Roselle has also chosen a backup authentication method from the company. When the user logs on, the display screen asks if he or she wants to use the token or a second method, based on a cell phone.
If the second method chosen is the cell phone, the user receives a call within a few seconds. The user then enters a memorized PIN on the telephone keypad. This is called "out-of-band" authentication, because the system receives the PIN over a telephone network rather than the Internet or local area network.
Using a PIN alone isn't considered very secure -- a hacker can steal it if it's written down, or may figure it out via social engineering. However, the company's method adds an extra safety measure by relying on "what you have," Waller said.
The system places a call only to the phone that's registered with the server. So if a hacker were to break into a protected network with a stolen PIN, he would also have to steal the employee's cell phone.
If Roselle implements software-based tokens in the future to supplement the hardware devices, its network will gain yet a third layer of protection.
When an end-user downloads the token software, ProtectID takes a "hash" of that person's device and stores it on the authentication server. A hash, Waller explained, is a snapshot of the identification numbers -- such as serial numbers and IP addresses -- of several components within the device. The hash uniquely identifies that computer, PDA or cell phone.
"Think of it as a digital fingerprint," he said.
When someone uses the device to remotely log on to the system, the software compares the device with the hash to verify that it's a particular person's machine and no one else's. A nontrusted device cannot access the network.
Along with hardware and software tokens, and cell phone authentication, StrikeForce offers several other ways to control remote access to a network. They include fingerprint readers, iris scanners and smart cards, Waller said.
Because employees use the software to access the municipal network from their desks and remote computers, Naughton asked the company to customize the system to give him a sort of skeleton key to those machines.
"Say a user puts in a request for me to do some work on their computer, they're not in the office that day, and I decide I have time that day to do it," he explained. "For me to log on to that user account, I would need that token."
Now that Roselle employees must present two kinds of authentication, it's considered safe to keep using the same password, so it's no longer mandatory for users to change passwords every 30 days -- a big plus, Naughton said.
Tokens are generally advantageous as a second authentication key, said Naughton. For example, if a vendor's representative needed remote access to Roselle's network to provide upgrades or perform maintenance, Naughton would give the representative a temporary VPN password and read off the ID displayed on the token over the phone. This allows Naughton to monitor the network and give the vendor access only as needed.
"They're not coming [into the network] off-hours without my knowledge," he said, adding that along with those benefits comes the most essential one. "The knowledge that I'm operating a secure network now takes a lot off my mind."