11/1/2007
Strengthening Authentication
Why proving a user's identity is more complicated than it seems, but 'pretty good' methods might be just right.
"CLICK-CLICK." During the invasion of Normandy, paratroopers used toy "clickers" to tell friend from foe in the dark. One click-click was a challenge; an Allied soldier would reply with two click-clicks. Simple and generally effective, the scheme had one problem: the bolt action of a German Mauser rifle sounded very much like a double click-click. Authentication, the process of proving we are who we claim to be, is much harder than it seems at first glance.
The Problem With Passwords
The basics of authentication are straightforward. You can prove your identity in three ways: something you have (for example, a key or a birth certificate), something you know (such as a password), or something you are (such as your fingerprints, used in biometric technologies). (See "It's Not All About Hackers," CT September 2005)
In the world of computers and networks, the most common form of authentication is the password. To reduce the vulnerabilities of password authentication, we generally require strong passwords (ones that are hard for an attacker to guess or to recover by brute force) and change them on a regular basis. Changing passwords shrinks the window of time in which a compromised password can do damage. Guidelines for choosing strong passwords are well known, and password management systems that enforce regular changes are widely available.
But wait: in order to remember a plethora of strong, frequently changing passwords, many of us write them down. Or worse, we reuse the same password everywhere. Either way, we create a new, glaring vulnerability. Passwords can also be lost, or stolen by any of a multitude of techniques. Changing a password every three months, or even every three days, does not eliminate the exposure: it doesn't take a crook three days to empty out a bank account. Passwords will remain popular, however, because they are highly portable, easy to implement, relatively cheap, and convenient to use. And despite the potential for disaster, password security can be effective if we use strong passwords; if we keep them secret; if we learn to recognize a phishing attack; if we keep our password list only in an encrypted store such as Apple's Keychain or GNOME Keyring; and if we have a bit of luck.