[vpn] Re: Two Factor Authentication
Rick Smith at Secure Computing
rick_smith at securecomputing.com
Thu Apr 11 12:06:33 EDT 2002
My apologies for dredging up a discussion after it's been dead for a couple of weeks, but I was otherwise occupied. I've been looking at the concept of "authentication" and "factors" over the past few years. The results are in my book "Authentication" that appeared last fall. Anyway, here's my take on it.
In practice, "single-factor" and "multi-factor" authentication talk about what a *user* must provide in order to be authenticated to a system. Strictly speaking, the device at the other end that's making the authentication decision can't really tell how many factors were provided, since it only sees sequences of bits. Regardless of how you handle the factors, there's probably a way to generate appropriate bits *without* having the right factors present.
I've always considered "something you have" to refer to a unique, hard-to-duplicate device like a token, smart card, or even an ATM card (though mag stripes are relatively easy to duplicate these days). The benefit of a true "something you have" token is that it prevents delegation: others can log in as you only if they take possession of your token. Good tokens are generally hard to duplicate because they contain a unique, embedded secret that is hard to extract. Extracted secrets become "something you know" since they can be duplicated easily, like any piece of knowledge.
It's generally accepted that one-time password tokens like Secure Computing's SafeWord or RSA's SecurID provide "two-factor" authentication regardless of whether the PIN is entered on a keypad built into the token or whether it's a "soft" PIN that's typed in along with the displayed one-time password. Obviously, the authentication server can detect the presence of the PIN in one case but not the other. Still, we want to refer to the keypad case as "two-factor" even though there's no way to verify whether the token incorporates a keypad or not (except through procedural controls).
More examples: An ATM card represents two-factor authentication (card plus PIN) even though the cards are arguably easy to duplicate. A PIN-protected public-key smart card is two-factor, since the embedded private key can't be used unless the PIN is provided. There are also fingerprint-controlled cards like that (the Sony Puppy comes to mind); such cards become three-factor if the card also requires a PIN.
An odd case is the "soft token" like SafeWord's e.id, which is palmtop or laptop software that holds an embedded secret and generates one time passwords. I believe SecurID offers a "soft token" too. Vendors market these as a cheap version of two-factor authentication since you need your palmtop (with its copy of the software plus secret) and you need the right PIN. In practice, however, this approach doesn't prevent delegation, so it's at best a weak two-factor solution.
Someone posted an observation attributed to Bruce Schneier that deprecates multi-factor authentication mechanisms in cases where technical or procedural weaknesses allow one or more factors to be undermined. I disagree with Schneier on this point of terminology, since such weaknesses exist in just about every authentication technique. It's better to call it "weak" or "poorly implemented" two-factor authentication than try to spin new terminology to capture the distinctions in Schneier's example.
Rick.
smith at securecomputing.com roseville, minnesota
"Authentication" in bookstores http://www.visi.com/crypto/
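The keypad-versus-soft-PIN contrast in the post above, worked through as an added example that is not part of Rick's message or of any vendor's product. The class names, the seed, the PIN and the use of RFC 4226 HOTP as the one-time-password algorithm are all assumptions made for this illustration; the point it shows is the one the post makes: the server only ever sees bits, so it can confirm a PIN only when the PIN is typed in alongside the code, and it cannot tell a keypad token from any other holder of the same seed.

```python
"""Added example (not from the post or any vendor): a minimal one-time-password
server that only sees a sequence of bits and therefore cannot count factors.
Class names, seed, PIN and the choice of RFC 4226 HOTP are assumptions."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed seed and PIN for the illustration; not values from a real token.
SEED = hashlib.sha256(b"constructed-example-seed").digest()
PIN = "4821"
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def pin_hash(pin: str) -> bytes:
    """Salted, stretched PIN digest so neither token nor server keeps the PIN in clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), b"constructed-salt", 10_000)


@dataclass
class KeypadToken:
    """Token with a built-in keypad: the PIN is checked on the device and never leaves it."""
    seed: bytes
    pin_digest: bytes
    counter: int = 0

    def press(self, pin: str) -> Optional[str]:
        if not hmac.compare_digest(pin_hash(pin), self.pin_digest):
            return None                       # wrong PIN: the display shows nothing
        self.counter += 1
        return hotp(self.seed, self.counter)


@dataclass
class DisplayOnlyToken:
    """Token without a keypad: the user types PIN + code, so the PIN reaches the server."""
    seed: bytes
    counter: int = 0

    def press(self) -> str:
        self.counter += 1
        return hotp(self.seed, self.counter)


@dataclass
class AuthServer:
    seed: bytes
    soft_pin_digest: Optional[bytes]          # set only when the PIN is typed with the code
    counter: int = 0
    look_ahead: int = 5

    def verify(self, submitted: str) -> dict:
        """Check one submission; report whether it passed and whether a PIN was seen at all."""
        pin_seen = self.soft_pin_digest is not None
        if pin_seen:
            pin, otp = submitted[:-DIGITS], submitted[-DIGITS:]
            if not hmac.compare_digest(pin_hash(pin), self.soft_pin_digest):
                return {"ok": False, "pin_seen": True}
        else:
            otp = submitted                   # keypad case: the bits carry no trace of a PIN
        # Accept the code for any counter inside the look-ahead window, then resynchronise.
        for c in range(self.counter + 1, self.counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.seed, c), otp):
                self.counter = c
                return {"ok": True, "pin_seen": pin_seen}
        return {"ok": False, "pin_seen": pin_seen}


def demo() -> dict:
    """Run the cases the post contrasts and return what the server could observe."""
    keypad = KeypadToken(SEED, pin_hash(PIN))
    server_a = AuthServer(SEED, soft_pin_digest=None)        # PIN lives only on the token
    right = server_a.verify(keypad.press(PIN))               # both factors used on the device
    wrong = keypad.press("0000")                             # wrong PIN: nothing to submit
    # The same seed with no keypad check (e.g. software holding a copy of the seed)
    # yields identical bits and an identical verdict: the server cannot tell them apart.
    no_pin = server_a.verify(hotp(SEED, server_a.counter + 1))

    display = DisplayOnlyToken(SEED)
    server_b = AuthServer(SEED, soft_pin_digest=pin_hash(PIN))  # PIN typed in with the code
    soft_ok = server_b.verify(PIN + display.press())
    soft_bad = server_b.verify("9999" + display.press())
    return {"keypad_right_pin": right, "keypad_wrong_pin": wrong,
            "seed_without_pin": no_pin, "soft_pin_ok": soft_ok, "soft_pin_bad": soft_bad}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} -> {result}")
```

The `pin_seen` flag is the whole point: in the keypad configuration it is always false, so the "two-factor" label rests on the token's tamper resistance and on procedural controls rather than on anything the server can check, exactly as the post says.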
VPN is sponsored by SecurityFocus.com