Security in numbers

Government is a major driver in the use of multifactor authentication, both in its regulations for the health care and banking industries and in its own applications. When it comes to controlling network access, agencies find two factors are better than one.

The results are in, and it's unanimous: "I think everybody hates passwords," said Vance Bjorn.

Bjorn is chief technology officer of Digital Persona Inc. in Redwood City, Calif., so his statement comes with a disclosure: "It's our mission to promote the notion of a fingerprint-centric world."

But Bjorn is not alone in his assessment.

"Passwords are a flawed technology," said Tom Gilbert, CTO of Blue Ridge Networks Inc. of Chantilly, Va. They aggravate the users who have to remember them and the administrators who rely on them to secure their systems.

"Passwords don't scale," said Mary Dixon, director of the Common Access Card Office in the Defense Manpower Data Center.

The problem is twofold. Passwords are becoming more complex in order to increase their strength, and we need more of them to password-protect more resources.

"The more we try to protect things with them, the harder it becomes to keep them in our heads," Dixon said. This makes them expensive, because they generate help desk calls when they're forgotten, and less secure when they're written down.

Increases in computing power also make brute-force cracking easier. And rainbow tables, precomputed tables of password hash values, trade that computation for storage: you don't even have to crack a password. If you intercept an unsalted hash, you can just look it up. (Hashing each password with its own random salt defeats the precomputation, because the table would have to be rebuilt for every salt.)

But despite its flaws, no one believes the password will disappear any time soon.

"People value convenience over security," said Gilbert. For both developers and end users, "it's often the easiest form of authentication for people to use."

The solution, then, is two-factor authentication: a hardware or software token, or a biometric, used in conjunction with a password, so that a guessed or stolen password alone is not enough.

"In a multifactor system where they are not being relied upon exclusively, they are helpful," said Paul Henry, vice president for strategic accounts at Secure Computing Corp. of San Jose, Calif.

And this is where the consensus ends.
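The precomputation trick behind rainbow tables, as an added example that is not from the article or from any vendor quoted in it: a toy rainbow table over a 10,000-entry four-digit PIN space (the chain length, the reduction function and all names here are my own choices, and a real table uses a far larger space and much longer chains) recovers a PIN from its unsalted MD5 hash, while the same table returns nothing for the salted, PBKDF2-derived form a system should store instead.

```python
from __future__ import annotations

import hashlib
import hmac
import os

SPACE = 10_000      # toy password space: 4-digit numeric PINs "0000".."9999" (assumption)
CHAIN_LEN = 20      # hash/reduce links per chain (real tables use thousands)


def fast_hash(pw: str) -> str:
    """Unsalted MD5 hex digest: the kind of stored hash a rainbow table targets."""
    return hashlib.md5(pw.encode()).hexdigest()


def reduce_to_pw(digest: str, position: int) -> str:
    """Map a digest back into the password space. The mapping depends on the chain
    position so that two chains colliding at different positions do not merge."""
    return f"{(int(digest[:8], 16) + position) % SPACE:04d}"


def build_table(n_chains: int) -> dict[str, list[str]]:
    """Rainbow table: only the start and end password of each chain are stored;
    everything in between is recomputed on demand. Keyed by chain end point."""
    table: dict[str, list[str]] = {}
    for i in range(n_chains):
        start = f"{(i * 7919) % SPACE:04d}"   # spread starting points over the space
        pw = start
        for pos in range(CHAIN_LEN):
            pw = reduce_to_pw(fast_hash(pw), pos)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table: dict[str, list[str]], target: str) -> str | None:
    """Recover the preimage of an unsalted digest, or None if no chain covers it."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target sits at chain position `pos`; finish the chain from there.
        pw = reduce_to_pw(target, pos)
        for later in range(pos + 1, CHAIN_LEN):
            pw = reduce_to_pw(fast_hash(pw), later)
        for start in table.get(pw, []):
            # Candidate chain found: regenerate it and test every password in it.
            cand = start
            for p in range(CHAIN_LEN):
                if fast_hash(cand) == target:
                    return cand
                cand = reduce_to_pw(fast_hash(cand), p)
            # A false alarm (merged chains) simply falls through to the next candidate.
    return None


def nth_password(start: str, n: int) -> str:
    """The password at position n of the chain that begins at `start`."""
    pw = start
    for pos in range(n):
        pw = reduce_to_pw(fast_hash(pw), pos)
    return pw


def store_password(pw: str, salt: bytes | None = None) -> tuple[bytes, str]:
    """Defensive side: a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The salt makes each user's stored value a different function of the password,
    so one precomputed table no longer applies; the iteration count slows guessing."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
    return salt, dk.hex()


def verify_password(pw: str, salt: bytes, stored_hex: str) -> bool:
    """Constant-time comparison of the recomputed KDF output with the stored one."""
    return hmac.compare_digest(store_password(pw, salt)[1], stored_hex)


if __name__ == "__main__":
    table = build_table(500)
    victim = nth_password("0000", 7)            # a PIN the table is known to cover
    print("unsalted MD5 recovered:", lookup(table, fast_hash(victim)))
    salt, stored = store_password(victim)
    print("salted PBKDF2 recovered:", lookup(table, stored))
```

With 500 chains of 20 links the table stores 500 entries yet can answer for up to 10,000 PINs (fewer in practice, because chains merge); lengthening the chains trades lookup time for storage, which is the whole point of the construction. The salted lookup fails not because PBKDF2 is slow but because the table was built for one fixed function of the password and the salt makes every user's function different.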
It appears no one can agree on what the second factor should be.

Does it really matter?

Bjorn's vision is of a world in which fingerprints are the primary factor for authentication. Gilbert describes himself as a smart-card zealot. But in the end, it might not matter which an agency chooses.

"Either one is better than nothing," Gilbert said. "We are light years ahead either way."

Government is a major driver in the use of multifactor authentication, both in its regulations for the health care and banking industries and in its own applications. The focus in government so far has been on the use of smart cards. Civilian agencies are scheduled to begin issuing Personal Identity Verification smart cards in October, and the Defense Department has already issued 10 million Common Access Cards containing digital certificates that can be used in public-key infrastructures for authentication and encryption.

CAC applications so far are a mixed bag, Dixon said.

"There are some areas where the CAC and PKI are used extensively, and some places where they avoid it like the plague, because it's different," she said.

One of the goals for the card was to combine physical and logical access controls in a single ID. So far the cards have been used primarily for physical access, but that might be changing soon, Dixon said.

"By the end of July, everyone must be doing cryptographic log-on using the CAC," she said.

In some situations, using the CAC is more difficult than signing on with a user name and password. Because the card must remain present for the session to continue, computers with multiple users, or a single user with multiple computers, can present problems.

"These are ones we're working on," Dixon said.
"I'd say that 90 percent of the time, there really are no issues."

The CAC is already being used to sign digital travel documents, and future plans call for PKI-enabling all Web sites that now require passwords. By the end of the year, Dixon expects the cards will be used in issuing departmental credit cards.

"Today, we don't do a good job of tracking who has the credit cards," she said, but using CAC verification in issuing should improve the process.

A pilot program is now under way to include an electronic purse in the CAC for Marine recruits during basic training.

"We won't have to issue them cash, which will be a huge return on our investment," Dixon said. "In a closed environment, an electronic purse works very well."

The flexibility of the Common Access Card is one of the key factors in its success, said Ed MacBeth, senior vice president for business development at ActivIdentity Inc. of Fremont, Calif.

"We have [been] working closely with DOD since the very beginning of the CAC project," MacBeth said. "There has been a lot of evolution in the past six years. The fact that DMDC was able to get the Army, Navy, Air Force and Marines to agree to a common card was pretty miraculous."

What enabled this agreement is the ability of each service to include its own applications on the card.

"The initial design point was different services would want different things," MacBeth said.

The card has moved from a 32K to a 64K chip and now is in its second generation. The next big step for the CAC is interoperability with the PIV card, which will include the use of biometrics on the cards.

"Biometrics were always captured as part of the enrollment process for CAC," MacBeth said.
"But one of the successes of CAC was that they did not try to overcomplicate it."

PIV interoperability is a first step toward broader federation of authentication technologies, because DOD long ago determined that it could not and should not issue cards and certificates to everyone it deals with.

"We have to find a way to federate credentials with our coalition and industry partners, so we don't have to card everyone," Dixon said.

As part of PIV interoperability, DMDC will run a pilot program this summer using contactless chips for physical access, Dixon said.

She said that this incremental approach has been a foundation of DOD's plans for the CAC. "We always said you can't wait until you had worked out every possible issue," she said. "You have to go ahead with the 80 percent solution and work out the rest when you can. If we can get 90 percent of the people using a more secure way of doing business, we've significantly increased our security."

Smart cards don't catch on

Despite the government's use of smart cards, they haven't caught on across the country. And when one solution doesn't catch on, there's room for innovation across many solutions.

"I'm the guy who has been enthusiastic about smart cards and PKI for 10 years and I have been eternally disappointed," Gilbert said.

Other types of hardware tokens, which come in a variety of forms for carrying digital certificates or generating a one-time personal identification number, have achieved little penetration in the U.S. market.

"A lot of alternatives have popped up because of banking requirements for using two-factor authentication," said Secure Computing's Henry. "The market is going to have to shake them out and determine what direction it will take."

That shakeout process has started, he said.
"There are a lot of pilots out there, and they are being abandoned" as organizations decide what works well and what doesn't, Henry said.

Regardless of the technologies that emerge, Gilbert predicts we will be carrying several of them.

"It's like credit cards," he said. "The number will depend on how separate we keep our identities and our roles."

When fingers get around

Biometrics is the most high-profile alternative to a key chain full of tokens and a wallet full of cards. Biometrics matches some physical feature (fingerprints, iris scans and hand geometry are the most commonly used) against a stored template to validate identity. But because of the infrastructure needed to gather and match data, biometrics so far has had relatively narrow implementation.

Fingerprints, with 44 percent of the market, are the dominant technology, and readers now are beginning to appear as standard or optional features on notebook PCs and other digital devices.

"They have really come a long way in the last year," said Bjorn, of Digital Persona. "A fingerprint is a nice combination of security and convenience."

Fingerprints are not perfect, but when used to verify a claimed identity (a one-to-one match against that person's template) rather than to discover the identity of an unknown person (a one-to-many search of every template), they can be both accurate enough and quick enough to be practical. ActivIdentity claims a false acceptance rate of one in 100,000 for its technology and a false rejection rate of about 1 percent.

Digital Persona's vision is to have fingerprints replace passwords as the primary factor for authentication.

"Realistically, it hasn't graduated to that point yet," Bjorn said. And he does not think that passwords will disappear. "I think passwords will always have a place. As a single factor, they may be radically reduced in the future."

Improving authentication security helps with half the problem, but there remains the headache of having to authenticate a user over and over again as they move from one application to another.
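The verification-versus-identification point above, worked through as an added example (mine, not the article's or ActivIdentity's): with the quoted false acceptance rate of one in 100,000 and false rejection rate of 1 percent, a one-to-one check of a claimed identity and a one-to-many search over every enrolled template behave very differently, and the rejection side translates directly into help desk load. The model treats each comparison as an independent trial, and the 325,000-user, one-logon-a-day figures are illustrative (the user count is the USPS number quoted later in the article).

```python
import math


def identification_far(far_1to1: float, n_templates: int) -> float:
    """Probability that an impostor matches at least one of n enrolled templates when
    the system searches all of them (one-to-many identification). Computed as
    1 - (1 - far)^n via log1p/expm1 so tiny rates do not vanish in floating point.
    Assumes independent comparisons (a simplification)."""
    return -math.expm1(n_templates * math.log1p(-far_1to1))


def attempts_for_probability(far_1to1: float, target_prob: float) -> int:
    """Presentations an impostor needs for `target_prob` chance of passing a
    one-to-one check: the number a lockout threshold has to be sized against."""
    if not 0.0 < far_1to1 < 1.0:
        raise ValueError("FAR must be strictly between 0 and 1")
    return math.ceil(math.log1p(-target_prob) / math.log1p(-far_1to1))


def expected_false_rejections(frr: float, users: int, logons_per_user: float) -> float:
    """Legitimate users wrongly rejected per period: the cost side of a tight threshold."""
    return frr * users * logons_per_user


if __name__ == "__main__":
    FAR, FRR = 1e-5, 0.01                       # rates quoted in the article
    print(f"1:1 verify, one try:        {identification_far(FAR, 1):.6f}")
    print(f"1:N search, 1,000 staff:    {identification_far(FAR, 1_000):.4f}")
    print(f"1:N search, 10M cardholders:{identification_far(FAR, 10_000_000):.4f}")
    print(f"impostor tries for 50%:     {attempts_for_probability(FAR, 0.5)}")
    print(f"false rejections/day, 325k: {expected_false_rejections(FRR, 325_000, 1):.0f}")
```

The same sensor that is sound for confirming "is this John's finger?" gives an impostor roughly a 1 percent chance against a thousand-person database and a near-certain hit against a ten-million-card population, which is why a card or user name naming the claimed identity, followed by a one-to-one match, is the configuration that scales. On the other side, a 1 percent rejection rate across 325,000 daily logons is several thousand help desk calls a day before anyone has forgotten a password.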
Digital Persona Pro is a tool that creates a centralized sign-on service.

"We consolidate all of your identities and passwords around your fingerprint," Bjorn said. Once the fingerprint is scanned in, the appropriate passwords are automatically submitted for access to the system or applications. It can automatically change or assign new passwords as needed.

From the user's point of view this replaces the password with a fingerprint as the factor presented at log-on; the passwords still exist, but they live in the sign-on tool's store rather than in the user's head, which makes that store, and the fingerprint that unlocks it, the thing to protect. If a second factor is needed, it could be a PIN, Bjorn said. Although it is less secure than a password, a PIN is easier to remember and manage and is good enough as a second factor.

"You can find a nice compromise," with adequate security at a reasonable cost and level of complexity, Bjorn said.

The Postal Service adopted a consolidated sign-on tool from Passlogix Inc. of New York two years ago after a study found that it was spending millions of dollars a year on password resets. CTO Bob Otto found that although getting rid of passwords completely is impossible, any simplification helps.

"We're receiving fewer help desk calls now," he said, and at $18 per call for 325,000 users that adds up fast. "And I think that the physical side of security is better. When you go to people's cubes, you don't see the sticky notes with passwords written on them."

USPS chose v-Go Single Sign-On as its solution. Once a user signs in, a v-Go client agent handles the primary log-in and reauthentication for subsequent access to applications or other resources. The agent automatically answers a password request in about a second, faster than the user could type it, so there is no net delay. But despite the advantages, so-called single sign-on is not a panacea, Otto said.

"There is no quick and cheap way to take a business and move it to single sign-on," he said. "You have to do it over time."

v-Go integrates into Microsoft Active Directory, and new applications can be designed to use v-Go from the start.
But legacy applications likely require reworking, which means time and money. Sometimes an agency has to just wait for the old apps to go away.

"Over time, you replace some of these things, but it takes time," he said. "They'll be with me for another five years."

There also are some employees who do not want to use the tool. When the v-Go sign-in box first appears on a user's screen, there is an option for blocking it.

"In 2004 I had 150,000 users," Otto said. "Approximately 40,000 opted out. Two years later I now have 325,000 users and about 80,000 have opted out."

The reasons vary, he said. "Some people just don't like anything different. Sometimes it's just annoying to them the first time."

Part of the reason could be that USPS did precious little outreach to let users know about the new tool and its advantages. But the results so far have been good enough that Otto is not worried about going back and picking up those opt-outs now.

"If we did a little PR on this, we could probably get a lot of those people," he said. "But it hasn't been a high priority."
Mary Dixon, Defense Manpower Data Center (photo: Olivier Douliery)

Bob Otto, USPS (photo: Henrik G. de Gyor)