Article posted: Oct 08, 2015
By Paul Foley, Professional Services Director and Co-Founder
In part one of this blog, I highlighted the pitfalls of single-factor authentication, using the example of a company being attacked by a disgruntled employee. In that scenario, unhappy Mallory uses the Windows Recovery Tool to find the network credentials of co-workers with whom she shares a workstation. Her intentions are not good.
The easiest way to mitigate threats from the Mallorys of the world is strong network authentication that goes beyond the standard user name and password, so that a recovered password on its own is not enough to log on. For most enterprises, and even smaller companies, two-factor authentication using smart cards is a great choice.
So why aren't all companies already using smart cards? A common misconception, particularly among smaller organizations, is that the complexity and cost of implementing strong two-factor authentication would outweigh the benefits. And some companies just don't know they need it... yet.
Certificate-based two-factor authentication with smart cards requires a public key infrastructure (PKI). A PKI issues and manages the certificates that let users, machines and services authenticate one another and protect information crossing the network, where a basic password is not adequate. Implementing a PKI, once considered cumbersome, is easier than ever. Companies that run Microsoft servers, for instance, already have a certificate authority (CA), the "trust center" of the PKI, included with Windows Server. A card management system (CMS), such as Versasec's vSEC:CMS, connects to that CA: it generates a key pair on each user's smart card, requests a certificate for that key from the CA and writes the issued certificate back to the card, so the private key never leaves the token.
Having two-factor authentication also raises fears that the added level of security will require dedicated, in-house staff, additional overhead costs and training expenses. It doesn't.
If the back end is in place, including the PKI certificate authority, a product such as vSEC:CMS can be deployed and up and running in hours, with no expensive consultants needed. A good CMS is scalable, handling from tens to hundreds of thousands of cards. It also makes it easy to manage cards from issuance to retirement, setting each user's access level and, when a card is lost or an employee leaves, revoking the credential so that a "Malicious Mallory" cannot use someone else's. Implementing two-factor authentication won't bust the IT budget, and once it is in place the company keeps the security benefits it provides.
Companies that have never been hacked aren't sure they need more sophisticated authentication protocols. We call this ostrich behavior. Two-factor authentication is like insurance: everyone should have it, but not everyone does.
The market has many options for strong authentication devices, including smart cards and one-time password (OTP) tokens. By its very nature, an OTP is valid for a single login session, so a captured code cannot be replayed the way Mallory reuses the static passwords she recovered. Combining the OTP fob (something you have) with a PIN (something you know) makes it a genuine second factor, which is why an OTP scheme is safer than a static password alone. Note that an OTP is a defense against replay, not against an attacker who relays the code to the real server while it is still valid.
While we prefer smart cards because they offer greater flexibility, OTP tokens are a good option for companies that will only ever need one use case, typically network or VPN logon. For companies that want more flexibility, smart cards are a better bet: one card can serve as an ID and building entry pass and provide network logon, secure VPN access, email signing and encryption, file and disk encryption and more.
What about Mallory?
Two-factor authentication stops Mallory in her tracks. Even if she were to steal Bob's smart card, she would also need the second factor, typically a PIN code, to enter the system. Without the PIN, the card is useless: the card only uses its private key after the correct PIN has been presented, and it locks itself after a small number of wrong guesses, so Mallory cannot simply try every combination of a short PIN. Without the card, the PIN is useless, because the private key never leaves the card and cannot be copied the way a stored password can. If Bob notices his card is missing, he contacts IT and has the certificate on the missing card revoked, rendering it valueless to Mallory and anyone else. The one practical caveat is that revocation takes effect only once the systems Bob logs on to see the updated certificate revocation list (CRL), so the CA should publish a fresh CRL immediately after revoking rather than waiting for the next scheduled publication.
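As an added illustration of the "contact IT and have the certificate revoked" step on the Microsoft CA mentioned above (this is example code written for this page, not Versasec's or Microsoft's own tooling), the following PowerShell session uses the standard certutil switches (-view, -revoke, -crl, -verify) against an Active Directory Certificate Services CA. The CA name CA01\Corp-Issuing-CA, the user CORP\bob, the serial number and the exported file bob.cer are all made-up assumptions.

```powershell
# Added example: revoking a lost smart-card certificate on an AD CS CA.
# Assumptions (not from the original post): the issuing CA is reachable as
# "CA01\Corp-Issuing-CA", the user is CORP\bob, and the operator holds the
# "Issue and Manage Certificates" permission on that CA.
$ca   = 'CA01\Corp-Issuing-CA'
$user = 'CORP\bob'

# 1. List the certificates issued (Disposition=20) on Bob's behalf, so the
#    smart-card logon certificate is revoked and not, say, an old EFS cert.
certutil -config $ca -view -restrict "Disposition=20,RequesterName=$user" `
    -out "RequestID,SerialNumber,CertificateTemplate,NotBefore,NotAfter"

# 2. Revoke the serial number found in step 1. Reason 6 (Certificate Hold)
#    is reversible and suits a card that may still turn up in a desk drawer;
#    reason 1 (Key Compromise) is permanent and is the right choice when the
#    card is known to be in hostile hands.
$serial = '1a00000007e3b2c9f0d4f1c3a2000000000007'   # constructed example serial
certutil -config $ca -revoke $serial 6

# 3. Publish a new CRL right away. Until relying parties (domain controllers,
#    VPN gateways) fetch it, their cached copy still reports the cert as valid.
certutil -config $ca -crl

# 4. From a workstation, confirm that chain validation now fails on revocation.
#    bob.cer is assumed to be Bob's public certificate exported beforehand.
certutil -urlfetch -verify bob.cer

# If the card is found and was only placed on hold, reason -1 unrevokes it;
# a certificate revoked for Key Compromise cannot be restored.
# certutil -config $ca -revoke $serial -1
```

Windows smart-card logon checks revocation by default, so once the domain controllers hold the new CRL the stolen card is rejected at the KDC even if Mallory has somehow learned the PIN.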