Authentication - a market update (part 2)

Three factor authentication

This is far superior and involves something you know (e.g. password), something you have (e.g. authentication token) and something you are (e.g. fingerprint, retinal scan, facial recognition). While biometric authentication is obviously more costly, it is appropriate for high security applications/departments such as pharmaceutical R&D, finance, etc.

Biometric authentication

Biometric authentication is a more recent and still developing technology. It can be either two factor or three factor. Examples of physical, physiological or biometric characteristics include fingerprints, eye retinas and irises, facial patterns, and hand measurements; examples of behavioural characteristics used for authentication include signature, gait and typing patterns. Biometric authentication is more appropriate than tokens for certain applications, such as some manufacturing environments; or where superior security is required.

Remote, mobile and wireless security

Static passwords, as mentioned above, are still the main way of authenticating users onto a network, but are woefully inadequate for remote and mobile computer users, with huge identity theft risks (particularly for wireless). The answer is to deploy strong two factor authentication, but other measures are also advisable.

The recent, almost £1 million fine of Nationwide by the FSA for security lapses. following the theft of an unsecured laptop from an employee’s home, shows how important it is to provide proper security for laptops. Low cost encryption from companies such as Utimaco or PGP, can protect key mobile devices for less than £70 per device. Or, if cost is an issue and performance isn’t a problem, there are free solutions available.

It is essential to ensure that network connections from remote users is via encrypted VPNs, which create a secure tunnel over the Internet from the user to the network and are authenticated through the network gateway. Either Secure Socket Layer (SSL) or IPsec VPNs are suitable.

SSL VPNs are more appropriate where you have large numbers of remote users as they are low cost and provide easier to manage connections than IPsec. SSL VPNs are a growing area and there is a wide range of solutions available from vendors such as WatchGuard, Array, Check Point and NETASQ.

Wireless is a particular security issue and it is best to ensure that, together with strong authentication, all wireless traffic is over VPNs and is encrypted. Don’t use Wired Equivalent Privacy (WEP) for encryption because it is poor, insecure and weak. Use WPA or WPA2 (also known as 802.11i) and ensure that users always operate with it switched on - the default is with it switched off.

If you have remote wireless LANs, ensure that the service set ID (SSID) is changed from the default and is secured to prevent unauthorised wireless users connecting. Don’t change it to something blindingly obvious like your company name (or “control tower”, as seen by startled laptop users at a US airport).

Another authentication option is to implement media access control (MAC) filtering. A MAC address is a physical address, so if you restrict access to devices whose address you have authorised, you can eliminate many ID theft issues. Another variation of this is device authentication, where the device authenticates itself to the network.

The DTI Survey 2006 found that roughly 36% of UK businesses allow some staff to access their systems from a remote location (e.g. from home or via wireless hotspots). Four-fifths of large businesses allow this. Interestingly, respondents who allow remote access are twice as likely to have had an unauthorised outsider try to break into their network as those who do not; they are also more likely to have experienced an actual penetration incident.

Conclusion

The growth of the Internet, the increase in users requiring access to networks and the move to remote working has fundamentally changed the requirements for authentication over the last few years. However, users are still lagging behind developments and relying on single static passwords, which are wholly inadequate.

The need for strong authentication is greater than ever, the cost of solutions such as single sign on and strong two factor authentication has come down, and such solutions are now easier to use. It is time for companies to look at improving their authentication procedures, if they want to remain secure and avoid potential business disruption, financial loss and damage to reputation.

This article has been submitted by Mr. Ian Kilpatrick, chairman Wick Hill Group, specialists in secure infrastructure solutions.