Now is the time for two-factor security

[InfoSec News <isn () c4i org>]

http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2819968,00.html

By David Berlind
October 24, 2001   

Whether you're a consumer, or a manager who shares the responsibility
for protecting your company's digital assets and the privacy of your
customers, it's time to get ready for two-factor security. In fact,
it's time to start insisting on it.

For decades, computer users have been practicing single-factor
security (also known as one-factor security). Single-factor security,
most often exemplified by user IDs and passwords, is based on a very
simple premise: what you know. Single-factor security is like no
security at all. If you think that user IDs and passwords can't be
discovered by someone determined to discover them, you're gravely
mistaken.

In contrast, two-factor security isn't limited to what you know. It's
also "what you have." As we head into the 21st century, two-factor
security will become a way of life for all of us. In some ways, it
already has. It's just not very well implemented (except in the case
of ATM cards).

For example, try getting on an airplane, buying alcohol, or opening a
bank account without presenting some form of identification issued by
a widely acknowledged "authority." The physical document you present
is the "what you have" part of two-factor security. Over the coming
years, a lot of attention will be paid to the "what you have" part's
two biggest challenges: its authenticity and verification of that
authenticity.

Ask any security expert. A two-factor security system that depends on
easily forged documents such as driver's licenses, passports, or birth
certificates is a joke. Those same security experts will tell you that
the problem is compounded exponentially when human beings are
responsible for the verification process. After all, we're only human.
The system is only as good as its weakest link. As links go, there
isn't much out there that's weaker than paper credentials and people.

How many of you have gained entrance to a bar, or know someone who
has, with fake ID? A few years ago, I needed a replacement driver' s
license. I watched in horror as the Department of Motor Vehicles
printed the license for me on regular paper--using the same model
printer I had at home. For kicks, I went home and reproduced the
document with my word processor and scanner. Then I changed the name,
address, and photo. Mickey Mouse had a driver's license.

To strengthen the system, the authenticity of the "what you have" part
will need to be guaranteed, immune to forgery or tampering. Human
verification of those credentials will have to be eliminated.
Accomplishing these objectives will challenge the technology sector,
governments, businesses, and people--we will have live with certain
inconveniences if we want certain protections.

The technology sector in particular has its work cut out for it.
Tamper-proof and forgery-proof credentials and verification of these
credentials' authenticity (in the context of any transaction) are
solutions that only technology can provide. Technological solutions
involving authentic and theoretically tamper-proof digital credentials
exist today. But, for the most part, they're not 100 percent
compatible with each other. Because of the way most solutions use
different methods, technologies and form factors, it would be
impossible to move seamlessly from one two-factor-secured transaction
to the next (for example, from making a cell phone call to sending an
e-mail to placing a bid on eBay) without tremendous inconvenience.
Heck, we can barely do it today with single-factor security. Therein
lies the technology sector's biggest challenge: to minimize the
inconvenience without compromising the security.

Microsoft and the Liberty Alliance are mounting separate efforts to
provide that seamless experience from one membership-based Web site to
the next. But what consumers do on the Internet hardly makes up the
bulk of the transactions that will need to be secured. The final
solution, whatever it is, will have to bridge our virtual and physical
worlds. And there isn't a solution that comes close to solving that
problem today.

In the physical world and in the wake of the Sept. 11 tragedies, Sun
CEO Scott McNealy and Oracle CEO Larry Ellison have been advocating
national ID cards. I would argue that we have those already. They're
called passports. They're not mandatory, but even if they were, I'm
not sure what problem would be solved. In a recent story, McNealy was
quoted as saying "I have not spoken to one person who hasn't flipped a
switch to say, 'You're darn right, I want to know who's getting on a
plane with me.' "

While I'm not convinced that a national ID would protect us from harm,
in order for it to really work, the card would have to be a
tamper-proof, forgery-proof digital credential. That credential would
be required for all transactions, including credit card purchases,
boarding planes, and sending e-mail from a library workstation.
(E-mail providers could prompt users to insert their digital
credentials into the computer before granting account access.)

Forgetting for a moment that someone (I'm not sure who) would have to
agree on a global standard for the data schema, the form factor of
such a digital credential is another big problem. To minimize
inconvenience, we will need something that is compatible with every
transaction-enabled terminal we might encounter. Today, digital
credentials come in the form of software and hardware. On the hardware
side, the credentials can be PC Card-based (such as ActivCard),
USB-based (such Rainbow's iKey solution that fits on your key ring),
credit card-based, compact flash-based, or even biometric-based
(requiring a fingerprint or retina scan).

Imagine opting for the iKey solution, only to find out that there's no
USB port in the public kiosk where you want to check your mail or in
the machine that takes your boarding pass as you get on the plane. Can
we really be expected to carry 19 versions of our digital credentials?
And if you're the kiosk vendor, or the airline, what form factor will
you support? Maybe the answer lies in an extremely secure version of
Bluetooth.

If it sounds to you like standards will be big part of the problem,
you're right. That's why emerging schemes that barely scratch the
surface of the bigger problem, like Passport and the Liberty Alliance,
need to put their differences aside now. Yes, now.

Finally, even if standards pave the way for interconnected,
interoperable, and international digital security systems, democratic
governments will still have to wrestle with the civil libertarians who
oppose anything that smacks of Big Brother-like capability. Today, we
leave all sorts of breadcrumbs behind us as we go about our daily
lives. But, in such a tightly interconnected digital utopia, many of
the legal and technological barriers to following those breadcrumb
trails would be dramatically lowered because there would be only one
trail. Personally, I am willing to give up some of that anonymity if
it means future generations of my family don't have to live in fear.
But then again, I guess it depends on whom you fear.


What do you think? Share your thoughts with your fellow readers at
ZDNet TechUpdate's Talkback, or write directly to
david.berlind () cnet com.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.