[ISN] Now is the time for two-factor security

From: InfoSec News (isnat_private)
Date: Fri Oct 26 2001 - 02:30:45 PDT

  • Next message: InfoSec News: "[ISN] House's anti-terror bill requires judge to monitor FBI's use of e-mail surveillance system"

    By David Berlind
    October 24, 2001   
    Whether you're a consumer, or a manager who shares the responsibility
    for protecting your company's digital assets and the privacy of your
    customers, it's time to get ready for two-factor security. In fact,
    it's time to start insisting on it.
    For decades, computer users have been practicing single-factor
    security (also known as one-factor security). Single-factor security,
    most often exemplified by user IDs and passwords, is based on a very
    simple premise: what you know. Single-factor security is like no
    security at all. If you think that user IDs and passwords can't be
    discovered by someone determined to discover them, you're gravely
    In contrast, two-factor security isn't limited to what you know. It's
    also "what you have." As we head into the 21st century, two-factor
    security will become a way of life for all of us. In some ways, it
    already has. It's just not very well implemented (except in the case
    of ATM cards).
    For example, try getting on an airplane, buying alcohol, or opening a
    bank account without presenting some form of identification issued by
    a widely acknowledged "authority." The physical document you present
    is the "what you have" part of two-factor security. Over the coming
    years, a lot of attention will be paid to the "what you have" part's
    two biggest challenges: its authenticity and verification of that
    Ask any security expert. A two-factor security system that depends on
    easily forged documents such as driver's licenses, passports, or birth
    certificates is a joke. Those same security experts will tell you that
    the problem is compounded exponentially when human beings are
    responsible for the verification process. After all, we're only human.
    The system is only as good as its weakest link. As links go, there
    isn't much out there that's weaker than paper credentials and people.
    How many of you have gained entrance to a bar, or know someone who
    has, with fake ID? A few years ago, I needed a replacement driver' s
    license. I watched in horror as the Department of Motor Vehicles
    printed the license for me on regular paper--using the same model
    printer I had at home. For kicks, I went home and reproduced the
    document with my word processor and scanner. Then I changed the name,
    address, and photo. Mickey Mouse had a driver's license.
    To strengthen the system, the authenticity of the "what you have" part
    will need to be guaranteed, immune to forgery or tampering. Human
    verification of those credentials will have to be eliminated.
    Accomplishing these objectives will challenge the technology sector,
    governments, businesses, and people--we will have live with certain
    inconveniences if we want certain protections.
    The technology sector in particular has its work cut out for it.
    Tamper-proof and forgery-proof credentials and verification of these
    credentials' authenticity (in the context of any transaction) are
    solutions that only technology can provide. Technological solutions
    involving authentic and theoretically tamper-proof digital credentials
    exist today. But, for the most part, they're not 100 percent
    compatible with each other. Because of the way most solutions use
    different methods, technologies and form factors, it would be
    impossible to move seamlessly from one two-factor-secured transaction
    to the next (for example, from making a cell phone call to sending an
    e-mail to placing a bid on eBay) without tremendous inconvenience.
    Heck, we can barely do it today with single-factor security. Therein
    lies the technology sector's biggest challenge: to minimize the
    inconvenience without compromising the security.
    Microsoft and the Liberty Alliance are mounting separate efforts to
    provide that seamless experience from one membership-based Web site to
    the next. But what consumers do on the Internet hardly makes up the
    bulk of the transactions that will need to be secured. The final
    solution, whatever it is, will have to bridge our virtual and physical
    worlds. And there isn't a solution that comes close to solving that
    problem today.
    In the physical world and in the wake of the Sept. 11 tragedies, Sun
    CEO Scott McNealy and Oracle CEO Larry Ellison have been advocating
    national ID cards. I would argue that we have those already. They're
    called passports. They're not mandatory, but even if they were, I'm
    not sure what problem would be solved. In a recent story, McNealy was
    quoted as saying "I have not spoken to one person who hasn't flipped a
    switch to say, 'You're darn right, I want to know who's getting on a
    plane with me.' "
    While I'm not convinced that a national ID would protect us from harm,
    in order for it to really work, the card would have to be a
    tamper-proof, forgery-proof digital credential. That credential would
    be required for all transactions, including credit card purchases,
    boarding planes, and sending e-mail from a library workstation.
    (E-mail providers could prompt users to insert their digital
    credentials into the computer before granting account access.)
    Forgetting for a moment that someone (I'm not sure who) would have to
    agree on a global standard for the data schema, the form factor of
    such a digital credential is another big problem. To minimize
    inconvenience, we will need something that is compatible with every
    transaction-enabled terminal we might encounter. Today, digital
    credentials come in the form of software and hardware. On the hardware
    side, the credentials can be PC Card-based (such as ActivCard),
    USB-based (such Rainbow's iKey solution that fits on your key ring),
    credit card-based, compact flash-based, or even biometric-based
    (requiring a fingerprint or retina scan).
    Imagine opting for the iKey solution, only to find out that there's no
    USB port in the public kiosk where you want to check your mail or in
    the machine that takes your boarding pass as you get on the plane. Can
    we really be expected to carry 19 versions of our digital credentials?
    And if you're the kiosk vendor, or the airline, what form factor will
    you support? Maybe the answer lies in an extremely secure version of
    If it sounds to you like standards will be big part of the problem,
    you're right. That's why emerging schemes that barely scratch the
    surface of the bigger problem, like Passport and the Liberty Alliance,
    need to put their differences aside now. Yes, now.
    Finally, even if standards pave the way for interconnected,
    interoperable, and international digital security systems, democratic
    governments will still have to wrestle with the civil libertarians who
    oppose anything that smacks of Big Brother-like capability. Today, we
    leave all sorts of breadcrumbs behind us as we go about our daily
    lives. But, in such a tightly interconnected digital utopia, many of
    the legal and technological barriers to following those breadcrumb
    trails would be dramatically lowered because there would be only one
    trail. Personally, I am willing to give up some of that anonymity if
    it means future generations of my family don't have to live in fear.
    But then again, I guess it depends on whom you fear.
    What do you think? Share your thoughts with your fellow readers at
    ZDNet TechUpdate's Talkback, or write directly to
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Oct 26 2001 - 04:22:55 PDT