[vpn] RE: Two Factor Authentication, was PKI authentication with VPN

Kent Dallas kent at dalliesin.com
Fri Mar 22 08:22:04 EST 2002


>Adam Safier wrote:
>Seems like an awfully fine distinction.

Not really.  As I mentioned, and you clarified, if your policy requires
face-to-face registration for public key certification, if you use
top-of-the-line tokens, if you establish appropriate password/pass phrase
requirements, then the distinction becomes moot.  But that's a lot of ifs.

>I think it all comes down to definition.

Agreed.  And I don't claim any "standard".

>It really
>does not matter that much in real life. The point is to get strong
>authentication that can be carried to many processes and applications.  For
>that, the PKI / local password to smart card  solution is OK.

If you really even need that, it all depends on what you are trying to
protect.

>I like PKI /
>local bio authentication to smart card better (finger print never leaves the
>reader) but that is just coming around from the products I know.

Personally, I like passwords (or better, pass phrases).  They are cheap, and
properly implemented, they can be quite strong.  The expense of biometric
readers for remote access VPNs is normally prohibitive.  Even PKI can be
overkill for many enterprise VPN implementations.  Strong user passwords and
strong group pre-shared secrets are sufficient for many applications.

I walked into an enterprise customer using SecurID, as the security manager
brags about the strength of the two-factor authentication solution.  While
walking to the conference room, we passed a cube where the worker was away,
and their SecurID token was TAPED to the monitor.  I asked him about it, and
he talked about how someone would still need their PIN.  I asked him to lift
the keyboard, he did, and there was a post-it note with a four digit number.
I just smiled - he looked a bit frazzled.  Was it the SecurID PIN?  I don't
know.  But I would bet money.

In the meeting, he did describe some of the costs they faced with their
"strong authentication" solution.  Mostly, it was related to administration
and lost productivity, due to workers leaving or losing their tokens.

Bottom line:  Strong authentication is expensive.  Tokens are expensive.
Readers are expensive.  Administration is expensive.  PKI is expensive.  And
VPNs are supposed to save money.  The right solution must balance all of
these conflicting objectives based on actual needs, not just technology that
is cool.

Biometrics are cool.  And I've only run into one application in my many
years that could actually justify their cost (and in a very limited manner,
at that).

And that reminds me of another meeting, a number of years back, when the CEO
of this fast growing company excused himself to take a phone call.  He had
just explained how information security was critical to his enterprise, and
his interest in using encryption and strong authentication on his network.
He later explained that the phone call was regarding a potential
acquisition.  The kicker?  He took the call on his analog cellphone.

Regards,
Kent Dallas
