Much buzz has circulated lately about "two-factor authentication," the technology that allegedly provides better security than just relying on a single factor such as a password or an ID card alone. Two-factor authentication (2FA) uses multiple elements, physical and otherwise, to confirm someone's identity -- an ID card and a PIN number/password, for instance, or a PIN number and a retinal scan.
Two-factor authentication products already exist in quantity for Windows and are usually well-integrated into its existing security infrastructures; Active Directory itself is based on a security protocol (Kerberos) that 2FA can build on. While there's no shortage of two-factor security products out there, the problems that can arise from using them need to be looked into thoroughly before you or your organization drops the money on them.
Breaking the bank
Likewise, many two-factor authentication solutions have a regular maintenance cost. Example: The RSA SecurID system uses a keychain device that regularly generates one-time ciphers to be used by the owner. The devices are designed only to last a finite amount of time (a couple of years, usually), which helps keep them tamper-proof -- but they are also a convenient revenue generator for RSA, since you'll be shelling out cash on a fairly regular basis for replacement tags.
Pardon the inconvenience
A two-factor system also has to take into account the fact -- not the possibility, but the fact -- that the system will at some point break. People lose their keys and smart cards -- or accidentally ruin them in unprecedented ways: One of the people I discussed this piece with ran his smart card through the wash, which destroyed it about as thoroughly as a stint in the microwave.
The problem isn't just the costs incurred for replacing such things, although that's a given. There is also the problem of what security experts call "graceful failure." If you lose your smart card or key token, is there a way to get you safely into the building without simply trusting you and waving you through? This could be a pool of tags or smart cards set aside for such incidents (kept under lock and key, of course) or a similar system that minimizes the consequences of lost work time and security breaches.
The exact two-factor authentication system you use is going to be dictated by your budget and your needs, but try to go with a system that is as broadly documented and as non-proprietary as possible. RSA Security Inc. is the company that gets most of the attention, but another company, CRYPTOCard Inc., has a system that security workers themselves widely tout for its ease of use and openness.
CRYPTOCard is cross platform (Win/Lin/Mac) and sports tight integration with the directory technologies for all those platforms. It has a number of features that make it work in the real world: built-in redundancies, so there is no single point of failure, graceful migration from older RSA technologies, and a well-documented set of cryptography standards that are not likely to be attacked all that easily.
The company sells a five-user starter kit, in various implementations (USB token, smart card, etc.), for about U.S.$500, so it's relatively easy to figure out if CRYPTOCard's solution is a good fit for your company.
It's worthy to note the plans for two-factor authentication that will be natively available for Windows, but never take the plans as dogma. Microsoft originally proposed building native support for RSA's SecurID into Windows Vista but eventually shelved the idea when it decided to slim down and refocus Vista's feature set. It will be possible to add support for SecurID as an after-the-fact add-on, and native support may eventually be provided in the form of a service pack upgrade to Vista. One of the biggest new features in the 3.0 revision of the .NET Framework is a standard model for user identities -- Windows CardSpace -- that (among many other things) incorporates two-factor authentication, which programmers and third-party vendors are already gearing up to make use of.
Delusions of safety
The single biggest issue with two-factor authorization, or any security method, is whether it can be bypassed in ways that have nothing to do with the system itself. The biggest security hazards in any organization are people who can be "spoofed" -- i.e., the folks standing guard, who hold the keys to the kingdom, and turn them over all too willingly to con artists and criminals who use low-tech social-engineering tricks.
TFA can even aggravate these problems. If you use, for instance, an RSA one-time code system as part of your security measures, and the people in charge of the system aren't trained to deal properly with ruses (such as a harried worker who says, "My key's in the office, can you just let me in a sec?") -- then the two-factor system itself isn't broken -- it's negated entirely.
The same goes for whenever biometric tools -- fingerprint scanners, iris readers, etc. -- are added to the mix. Biometrics are not magic solutions. Only the people monitoring them or the infrastructure in which they're placed make them secure. Most of the benefits they provide are matters of convenience and not true security: It's easier to provide a thumbprint than a PIN number, but a person can fake a thumbprint without much difficulty, and someone with a hand in a cast who looks familiar will often be waved through without a second thought.
In short, if you use all these tools to defend a system that has unencrypted data ready for the taking or that can be accessed by nothing more than low-tech social-engineering skills, the security you gain will be illusory. The best way to think about two-factor authentication is to think of it as three-factor authentication -- the third factor being a trained, aware and not-easily-compromised base of personnel.
About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!