Enhancing network security through the authentication process

Multi-Factor Authentication
Passwords, Smart Cards, and Biometrics

Passage 3.0 and Multi-Factor Authentication
Corporations today are investing more time and resources in the security of data residing on their enterprise networks and systems. Companies instituting business processes and models are required to store critical corporate data and intellectual assets on interconnected corporate networks. As the rate of network break-ins, data thefts, and malicious attacks has escalated, network and data security issues have become leading priorities for businesses. Executives and investors have joined IT and security managers in their concerns about enterprise security processes and
Companies face significant challenges in the development and management of comprehensive corporate security solutions. Users have become increasingly complacent with information that could be used to obtain passwords or access codes, proof of which is provided by the number of sticky notes containing passwords stuck to the side of monitors for all to see (and use). As the number of mission-critical systems and networks has expanded within businesses, so has the number of user passwords, system entry points, and credential management requirements. Managing access to these systems and the large password base has created significant administrative demands on IT.
Multi-factor authentication, also termed strong authentication, is one key approach corporations can employ to safeguard their data, prevent unauthorized access, and manage security for users. Authentication is the process by which individuals prove their identities, which are verified against information already established. Based upon authentication, the system allows access to and use of resources, be it data, information, or systems. Although password-only systems can be secure, they can be compromised by careless users or through brute force attacks. Multi-factor solutions increase the security of the authentication process by utilizing a combination of methods to authenticate the identity of users. By using a combination of methods, such as a biometric plus a smart card, security and control over access to resources is significantly increased.
Multi-factor authentication uses a combination of methods to authenticate users. These methods can be broadly divided into three categories: something users know (such as a PIN or password), something they have (such as a smart card, token, or certificate), or something they are (biometric identification such as a fingerprint or voice). Utilizing a combination of the above three methods increases security and reduces the risk of unauthorized individuals gaining access to corporate data or resources.
Multi-factor authentication is better than single-factor authentication and provides several benefits. These include:
• The ability to secure your network with password, token, smart card, and biometric authentication methods
• Use of multiple authentication methods for an individual login
• Reducing the ability of anyone to breach security, thereby increasing management comfort in network
• Stopping unauthorized users from performing unauthorized acts
• Reducing the chance that authorized users unintentionally gain access to others' resources.
The ways in which users can authenticate themselves to the corporate network can be broken down into three broad categories of information and objects: something they know (such as a password), something they have (such as a smart card, token, or a certificate), or something they are (biometric identification). Utilizing a combination of methods enhances security and reduces unauthorized access. Each method has advantages and disadvantages. The decision on the best combination of authentication methods to use for network access depends on the security and convenience requirements for authenticating users.
Passwords are the most common method of authentication. Password systems provide a minimal level of security, relying on the integrity of the password in the authentication process. Maintaining the integrity of passwords, meaning that only authorized users know their passwords, is critical to preserving security in password-protected environments. Unauthorized individuals can gain access to an authorized user's password using a variety of methods. Some of these methods include keystroke monitoring, manipulating people for information that can be used to guess a password, 'shoulder surfing', brute force attacks, and network monitoring.

Another weakness of password systems emerges from the reusability of passwords. Users rarely change passwords, using the same password to authenticate to a system over long periods of time and sometimes using the same password across multiple systems. To prevent such use, many companies enforce minimum password length requirements and force users to change passwords frequently. This increases the instances of forgotten passwords and increases calls to the help desk. Many times passwords are recycled on networks that require password changes at a set interval. As a result, a compromised password can potentially provide access to multiple systems for an extended period of time without the user's knowledge. Additionally, determining whether a password has been compromised is extremely difficult. Passwords, when used in combination with other authentication methods, can increase security, but when used alone, even the best password-only system offers only minimal authentication security.
Smart Cards and SecurID

Smart Cards and RSA SecurID both fall under the category of "something users have" as a method of authentication in a multi-factor authentication process. Used in combination with another method of authentication, such as a password or biometric, these items greatly increase the security of the authentication process. By depending upon possession of an item in addition to a password, the opportunity for unauthorized access is decreased.
Smart Cards are plastic cards about the size of a credit card that contain a computer chip. This embedded microprocessor allows smart cards to store data, software, or encryption keys. By requiring possession of a smart card, the likelihood of an unauthorized user being authenticated to the network is significantly reduced, enhancing security. Smart cards are also able to store information used by other authentication processes, such as a biometric template. Use of smart cards to store this type of information reduces the opportunity for such information to be compromised, thereby increasing the security of the overall authentication process. Cryptographic keys can also be stored on the smart card, and smart cards can be used for digital certificate encryption/decryption.
RSA's SecurID authenticator can also be used in a multi-factor authentication scheme. Through the use of a password (something a user knows) and an RSA SecurID authenticator (something a user has), network managers can be more confident in their authentication process. The RSA SecurID security system is based upon the use of SecurID authenticators and the RSA ACE/Server. These authenticators generate a one-time passcode every sixty seconds. The combination of a user PIN and the current authenticator code is valid only for that particular user at that moment in time. RSA ACE/Server is then able to verify the code and grant access in mere seconds. RSA SecurID authenticators are now available in various types of hardware and software tokens.
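The passcode mechanics this paragraph describes, as an added illustration that is neither 3GI's nor RSA's code (the SecurID algorithm itself is proprietary): the public HOTP/TOTP construction of RFC 4226/6238 run on a 60-second step, the PIN-plus-tokencode passcode, and a server-side check that allows one window of clock drift and refuses a code that was already accepted. The seed (the RFC 4226 test secret) and the PIN are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed demo values (assumptions, not from the paper): the RFC 4226 test
# secret "12345678901234567890" stands in for the per-token seed, plus a 4-digit PIN.
TOKEN_SEED = b"12345678901234567890"
USER_PIN = "4821"
STEP_SECONDS = 60   # the paper: a fresh code every sixty seconds
CODE_DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, modulo 10^digits."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def tokencode(seed: bytes, unix_time: int) -> str:
    """The code the token displays during the 60-second window containing unix_time."""
    return hotp(seed, unix_time // STEP_SECONDS)


def passcode(pin: str, seed: bytes, unix_time: int) -> str:
    """What the user types: PIN (something known) followed by the tokencode (something held)."""
    return pin + tokencode(seed, unix_time)


def verify(submitted: str, pin: str, seed: bytes, unix_time: int,
           state: dict, drift_steps: int = 1) -> bool:
    """Server-side check. `state` remembers the highest counter already accepted for
    this token, so a passcode is good only for its own moment and cannot be replayed."""
    if len(submitted) != len(pin) + CODE_DIGITS:
        return False
    pin_part, code_part = submitted[:len(pin)], submitted[len(pin):]
    pin_ok = hmac.compare_digest(pin_part, pin)          # constant-time comparison
    now_counter = unix_time // STEP_SECONDS
    matched = None
    # Tolerate one window of clock drift either side; every window is always checked
    # so response time does not reveal which one (if any) matched.
    for k in range(-drift_steps, drift_steps + 1):
        c = now_counter + k
        if c >= 0 and hmac.compare_digest(code_part, hotp(seed, c)):
            matched = c
    if not pin_ok or matched is None:
        return False
    if matched <= state.get("last_counter", -1):         # already-used window: replay
        return False
    state["last_counter"] = matched
    return True
```

The `hotp` values for counters 0 to 9 with this seed match the RFC 4226 Appendix D test vectors, so the token side can be checked against the published reference.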
The International Biometric Industry Association defines biometric technologies as "an automated method of identifying or authenticating the identity of a person based upon physiological or behavioral characteristics." Use of biometrics is an effective way to protect against unauthorized access to network resources because biometric information is based upon unique personal characteristics of a user (or something the user is). Biometric devices create electronic digital templates of physical characteristics that are stored and compared to 'live' images when there is a need to verify the identity of an individual. These templates are highly compressed images that represent a fingerprint, iris, or other physical characteristic. Proprietary and carefully guarded algorithms secure these templates and protect them from disclosure. A combination of one or more of the above token and knowledge methods of authentication with biometric technology provides a high level of security and reliability in the authentication of users.
Passage 3.0 was conceived to bring strong, multi-factor authentication to the enterprise information security market. Passage supports user authentication via one or a combination of password, smart card, biometric, or SecurID token. Competing products typically focus on a limited number of authentication technologies and are tied to a specific piece of hardware. Most often, these products focus on only one authentication methodology. Typically, companies that manufacture their own hardware devices provide solutions tied to their device. Biometric companies typically provide biometric-only solutions and smart card manufacturers provide smart card-only solutions. In contrast, Passage combines biometric and smart card authentication in a proven product and even incorporates password-only and SecurID authentication, thereby creating a true multi-factor authentication solution that can greatly increase the security of your
Passage also makes it easier to manage complex security. Single Sign-on capabilities are integrated in Passage, providing a way for end-user credentials to be managed and eliminating the need for multiple passwords to be maintained. Some of the platforms supplied with credentials after a user has been authenticated to Passage include operating systems such as Windows 95/98/NT/2000 and Novell, PKIs including Entrust, and applications such as Lotus Notes. Using Passage Assist, a feature of Passage 3.0, the list of supported applications can be expanded to include virtually any Windows-based dialogue or Web form. Platform credentials are stored in the Credential Bank, which can be located either remotely on the Passage Authentication Server or locally on the user's smart card. By storing credentials locally and remotely, Passage provides unparalleled security to both networked and mobile
Another hallmark of Passage 3.0 is its unparalleled flexibility. Passage allows administrators to choose the method of authentication for each user and offers a choice between storing the credentials locally, remotely, or both. By allowing administrators to choose the method and combination of authentication schemes, Passage gives administrators tremendous flexibility to determine how and when they will deploy Passage.
Corporate Headquarters:
6564 Loisdale Court, Suite 100, Springfield, VA, 22150, USA
Tel +1 703 922 4600 Fax +1 703 922 4603
Sales Headquarters:
40 Wall Street, 46th Floor, New York, NY, 10005, USA
Tel +1 212 514 8300 Fax +1 212 514 5676
Technical Headquarters:
3909 Midlands Road, Williamsburg, VA, 23185, USA
Tel +1 757 941 2500 Fax +1 757 941 2539
www.3gi.com info@3gi.com
© 2000 3-G International, Inc. (3GI) All rights reserved.
and SecurID are registered trademarks of RSA Security Inc. All other trademarks are the property of their respective owners.