Authenticating a user on the network or over the Internet is one of the cornerstones of every security system. Traditionally, authentication has been accomplished by asking for a username and password. Even though this simplistic approach has been compromised again and again, it remains the predominant method in use today. Many weaknesses of the username/password model have been exploited: reuse of one password across multiple sites, passwords chosen to be easy to remember and therefore easy to guess, passwords written down where an attacker can find them, and a variety of man-in-the-middle attacks in which the password is captured in transit and is thereby compromised.

A stronger method authenticates a user with two factors, hence the name two-factor authentication. The user is issued some kind of security token or device, which is used together with a password to authenticate; this is the source of the common adage "something you have and something you know." Three basic strategies account for the majority of the two-factor market. Each has its advantages and disadvantages, and these should be weighed when choosing a two-factor authentication system for deployment.


RSA SecurID

The most widely deployed two-factor authentication system today is SecurID, marketed by RSA. Although it has a long track record, it is an aging technology with serious weaknesses.

SecurID issues each user a card or key-fob token. These pocket-sized tokens contain a small battery-powered electronic system programmed with a secret seed and the one-time password algorithm in use. Each time the user logs on to a SecurID-protected system, a fresh code is read from the device and keyed into the login computer together with the user's PIN; the authentication server holds a copy of the same seed, computes the code it expects for that moment, and compares.

Earlier this year, in March 2011, RSA disclosed a breach in which attackers extracted information related to SecurID, and RSA subsequently offered replacement tokens to its customers, millions of devices in all. The lesson is structural rather than incidental: the security of a seed-based token rests entirely on the secrecy of the seed records, and anyone who copies them can generate every future code without ever touching the device. The security industry is now exploring other options to replace this aging technology.
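The token mechanism described above, as an added example that is neither RSA's code nor part of the original page: a time-based one-time password in the style of RFC 4226/6238 (HMAC-SHA1, 30-second steps), which is a public algorithm and not RSA's proprietary SecurID algorithm, written in Go with the standard library only. The seed is the RFC test secret (a constructed input, not a real seed record), and the attacker in main holds a copy of that seed and nothing else, which is enough to produce a code the server accepts.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
)

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to 31 bits, reduction mod 10^digits, zero-padded.
func hotp(seed []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	s := strconv.FormatUint(uint64(code%mod), 10)
	for len(s) < digits {
		s = "0" + s
	}
	return s
}

// totp is RFC 6238: the counter is the number of step-second intervals since
// the Unix epoch, so token and server need only share the seed and a clock.
func totp(seed []byte, unixTime, step int64, digits int) string {
	return hotp(seed, uint64(unixTime/step), digits)
}

// verify accepts the code for the current interval or for `window` intervals
// on either side, which is how servers tolerate clock drift. The comparison
// is constant-time so the check does not leak how many digits matched.
func verify(seed []byte, code string, unixTime, step int64, digits, window int) bool {
	now := unixTime / step
	for d := int64(-window); d <= int64(window); d++ {
		if now+d < 0 {
			continue
		}
		want := hotp(seed, uint64(now+d), digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	// Constructed seed: the RFC 4226/6238 test secret. A real seed record is
	// written into the token at manufacture and kept by the server.
	seed := []byte("12345678901234567890")
	t := int64(1111111109)
	fromToken := totp(seed, t, 30, 8)
	// An attacker who copied the seed record needs no access to the token:
	// the same seed and roughly the same clock give the same code.
	fromAttacker := totp(seed, t+5, 30, 8)
	fmt.Println("token:", fromToken, "attacker:", fromAttacker,
		"server accepts attacker's code:", verify(seed, fromAttacker, t, 30, 8, 1))
}
```

The point the breach made concrete is visible in the last line: verify has no way to tell whether the code came from the device or from a copy of the seed, so the seed database is the system's single point of failure.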


Smart Cards

Another increasingly popular strategy for two-factor authentication uses a smart card issued to each user, either a credit-card-shaped card or a smart card chip built into a USB device. Both operate the same way: the chip holds the user's private key and a certificate that binds the matching public key to the user's identity. At log-in the computer sends the card a challenge, the card signs it with the private key (which never leaves the chip), and the certificate lets the server verify that signature. The certificate is trusted because it is a block of digital information that was signed by a trusted authority at the time it was created, so the server only needs to trust that authority rather than know every user's key in advance.

Many systems use smart card technology. One of the most widely deployed is the PIV (Personal Identity Verification) system of the United States federal government. Other enterprises issue smart cards to their users as the two-factor method for logging in to Active Directory. The Achilles' heel of smart card certificate authentication is the trusted authority that anchors the chain of signed certificates: a certificate is only as trustworthy as the authority that signed it, and an authority whose signing key or issuing process is compromised can mint certificates that relying parties cannot distinguish from genuine ones. Recovering means revoking and reissuing everything beneath the compromised authority. This vulnerability has been underscored by a series of recent breaches, including the 2011 compromise of a Comodo registration authority, through which fraudulent certificates were issued for major web domains.
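The challenge-response log-in and the trusted-authority weakness described above, as an added example that is not PIV's, Microsoft's, or the page's own code, in Go with the standard library: a self-signed CA issues a "card" certificate, the server verifies the chain and a signature over a fresh nonce, and the same server is then tried against a certificate from an unrelated rogue CA and against one forged for the same user with the legitimate CA's stolen signing key. The CA and user names are hypothetical, the card's key is generated in software for the demo, and revocation checking (CRL/OCSP) is deliberately left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue generates a P-256 key pair and a certificate for cn. A CA is self-signed;
// a user certificate is signed by signer, the parent CA's private key. On a real
// card the user's key is generated on the chip and never leaves it.
func issue(cn string, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo-only serial
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign, nil
		parent, signer = t, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// authenticate is the server side: chain the presented certificate to a trusted
// root, then verify the signature over the nonce with the certificate's key.
func authenticate(roots *x509.CertPool, cert *x509.Certificate, nonce, sig []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	d := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, d[:], sig) {
		return "", errors.New("signature does not verify under the presented certificate")
	}
	return cert.Subject.CommonName, nil
}

// scenario reports which log-ins a server trusting one CA accepts: a genuine
// card, a card from an unrelated rogue CA, and a certificate for the same user
// forged with the legitimate CA's stolen signing key.
func scenario() (map[string]bool, error) {
	caKey, caCert, err := issue("Example Corp Issuing CA", true, nil, nil) // hypothetical names throughout
	if err != nil {
		return nil, err
	}
	rogueKey, rogueCert, err := issue("Rogue CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert) // the server trusts only the enterprise CA
	cases := []struct {
		name   string
		parent *x509.Certificate
		signer *ecdsa.PrivateKey
	}{{"genuine card", caCert, caKey}, {"card from rogue CA", rogueCert, rogueKey}, {"forged with stolen CA key", caCert, caKey}}
	out := map[string]bool{}
	for _, c := range cases {
		cardKey, cardCert, err := issue("alice", false, c.parent, c.signer)
		if err != nil {
			return nil, err
		}
		nonce := make([]byte, 32) // the server's random challenge for this log-in
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		d := sha256.Sum256(nonce)
		sig, err := ecdsa.SignASN1(rand.Reader, cardKey, d[:]) // the card signs it
		if err != nil {
			return nil, err
		}
		_, err = authenticate(roots, cardCert, nonce, sig)
		out[c.name] = err == nil
	}
	return out, nil
}
```

The rogue CA is rejected because its chain never reaches a trusted root, but the third case succeeds: once the legitimate CA's key is in an attacker's hands, nothing in the protocol distinguishes a forged "alice" certificate from the real one, and only revocation and reissuance can close the hole.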


Gold ID

The third method of providing two-factor authentication is Gold ID. This technology is based on a hierarchical hardware key management system developed by GoldKey Security Corporation. Rather than relying on a one-time password seed or on a chain of signed certificates, Gold ID registers each user's hardware token to hardware management tokens and grand management tokens. This approach has significant advantages over the earlier technologies.

Gold ID greatly reduces the cost of initial deployment. The security function can be managed by non-technical personnel, bringing security back to the security department and out of the hands of programmers who already have access to the system. Because enrollment and revocation are managed entirely in hardware, the system is much more flexible: an organization can lock out a disgruntled employee, recover lost credentials, and control access to critical information assets by multiple users, even when those assets are stored encrypted at rest.

According to GoldKey, Gold ID has not been compromised to date, in contrast to the two systems discussed above. Gold ID is fully implemented in the GoldKey product line from GoldKey Security Corporation. GoldKey tokens are not powered by internal batteries and therefore do not suffer end-of-life failures as batteries wear out. There is no annual per-user licensing fee, and the initial cost of deployment is substantially lower than that of the other options. Most importantly, GoldKey security tokens also contain a full implementation of the PIV smart card system, so users can continue to use their current smart card infrastructure while building the capability to transition all or part of it to Gold ID at a future date.

Additional information on Gold ID can be found at GoldKey.com.