Doing Your Part to Kill Passwords

Oct. 27, 2008
A One-Card Solution Can Be the Answer

No, you didn't pick up a magazine from the IT department by mistake. Physical security has an opportunity to help solve the problems caused by using passwords to log into computers. Not your job? Well, in this new converged world, I beg to differ.

For years, we have been talking about one-card solutions, the use of a single card to not only control access to buildings but also to log onto computers. It is one of the first examples of convergence that most people talk about. In fact, the federal government's FIPS-201 program is the world's largest convergence project and focuses on the benefits of such a one-card solution. “In the IT industry, there has been a growing awareness that security is really around people; knowing who that user is, what he is allowed to do, verifying his identity, granting access to physical or logical assets, and then auditing that access,” says David Ting, CTO of Imprivata Inc., a provider of logon solutions. In the commercial sector, however, passwords are still king – with most companies relying on them exclusively for computer access. To understand why, let's take a deeper dive into the problem itself, and why the solution could impact the access control cards you have today.

The problem with passwords

Passwords are a simple means of authenticating computer users, but they have two evil sides. First, they are not very secure. The average person today has several user name/password combinations to remember; many people have dozens. In that environment, most reasonable people either write the passwords down, use simple, easy-to-remember passwords, use the same password for all systems, or all three. None of this is good news from a security point of view. In fact, in many offices, password security is not taken seriously at all. A study by Infosecurity Europe in 2004 reveals that 40 percent of surveyed office workers knew the log-in passwords of a colleague. Because of the ever-increasing tendency to use laptops offsite over unsecured links such as in hotels, the increasing availability of “keystroke loggers” to capture passwords without your knowledge, as well as allowing partner companies to log in to your business systems, passwords are just not enough anymore.

Second, if passwords are bad for security, they are even worse in terms of cost. Passwords are generally thought of as “free,” since there is no initial cost. In fact, the cost is in the ongoing maintenance. Market research firm Gartner estimates that on average, a computer user forgets a password and needs to reset it almost four times a year. That translates into 30 percent of all help desk calls. Now consider the wasted time of both the help desk operator and the computer user, and we start to see some real costs. “Password administration costs between $200 and $300 per user per year” says Debra Spitler, HID Global's executive vice president of HID Connect.

If Passwords Are So Bad, Why Do We Still Use Them?

To answer that, let's break the problem down a bit and look at the alternatives. Part of the reason the password problem has gotten worse is the issue of multiple systems, each having its own password requirement. That can be fixed using a technology called single sign-on (SSO), which enables a user to sign on once at the beginning of a “session,” rather than repeatedly for each application. The technology used to be difficult for IT to implement and required significant changes to older applications. It now, however, is available in much easier-to-implement forms. While having to remember multiple passwords is a key piece of the problem, you are still left having to remember one. Therein lies a new problem: the so called “keys to the kingdom” issue. Once a bad guy knows that one password, he can go anywhere in the system that the password owner was allowed to go. That leads you to want to toughen the requirements for passwords by requiring them to be longer, to use letters and numbers, and to change them more often. Bottom line, just implementing SSO still leaves you with one password, and often one which is easier to forget. “There is a trend toward giving the user single sign-on to eliminate all of the extra passwords, but trading that requirement for a second factor, such as a logon badge,” Ting says.

An alternate approach is to introduce a “token” into the logon process. While the token could be a variety of hardware devices, there is a lot to like about using the same ID card that is used for building access. By adding the “something you have” card into the process along with the “something you know” password, you have significantly tightened logon security without placing the entire burden on an overly complex and changing password. “There are certainly some cost savings in the card lifecycle management by using a one-card solution” says Jason Wimp, president of TX Systems, a reseller of computer logon systems.

Still, there are issues. Until recently, the only accepted way to introduce a card into the process was to use a technology called Public Key Infrastructure (PKI). This is a great piece of engineering and enhances security by locking all of your private identifying information safely away on the card. To access any of that information, the card requires you to enter a PIN number, like your ATM pin. Biometrics can be added to further ensure the card contents are only unlocked for the owner. Inside the card are a set of unique encryption keys that are used for identification, as well as a “certificate,” which is a file that the system has generated that links those keys to your user name. All of this information is used in a complex, multi-step process where the computer servers in your IT system talk to the card and verify your identity.

There are, however, a number of downsides to this process. Because the card carries such private information, it has to be highly secure and that means using a high-end and expensive smart card to do the work. That means a complete re-badge of the population. “Cards that only have a contactless interface can not typically be used with PKI,” says Dietrich Wecker, vice president of Open Domain Sphinx Solutions, a developer of logon systems. Second, the rest of the PKI servers and software are quite complex and add a significant workload to the IT department to install and maintain. Thirdly, the system adds a great deal of computing overhead to the logon process and that often translates into very slow logons. Finally, the cards themselves add a significant burden.

Consider for a moment the typical “it's Monday morning and I forgot my badge” problem. If all of your private information is on a lost or forgotten badge, it is no longer as simple as just reaching into a drawer of temporary badges and sending the worker on their way. That information has to be recreated on a new badge, and that often takes significant time and effort. “You not only have to manage the lifecycle of the badge, but of the certificate it contains as well,” Ting says. Even without the forgotten badge issue, most IT departments do not want to take on badge administration, a task which they feel is well outside of their expertise and inclinations. In short, many commercial sector companies that have looked at PKI have decided that the complexity, maintenance issues and cost were simply too great to justify.

Emerging Alternatives

So, here's the good news. We are finally starting to see enterprise-class logon applications enter the marketplace using contactless smart cards. “There are more HID Connect partners who see the value in providing the convenience of contactless technology for secure authentication at the desktop,” Spitler says. “Desktop reader manufacturers such as OMNIKEY and RF IDeas are also bringing iCLASS-enabled contactless desktop readers to the marketplace.” This has led to a set of solutions becoming available that takes the latest SSO technology and adds to it the ability to use a common access card as a second credential. Since these solutions use the card as just one more piece of identification and do not require the storage of the private information on the card, they are dramatically simpler and less expensive to install and maintain. Best of all, they can work with any of the new smart cards commonly used for access control, and often with the proximity cards that you have now. Rather than storing the identity information as hard-to-create keys and certificates, these systems store it as an encrypted file of the actual login name and password required by the application. This file can be stored on a central server, on the computer workstation, or on the card itself if so desired. The user experience is simply presenting the card and a PIN, and the login occurs automatically. “Just by making the decision to add two-factor authentication and secure storage of strong, complex passwords, you are making a huge leap in improving your logon security,” Wecker says.

An additional new feature found in some of these solutions is the concept of location-based authentication. Another benefit of convergence, this feature simply means that the SSO system and your access control system are linked together. If a user has not badged into the building or high-security area today, they can not login. “You are tying the user authentication to the computer to an event that says the user has come into the building or work zone and has a valid badge, something that is pretty straightforward,” Ting says. This simple concept adds another layer of security based on not only what you have and what you know, but now where you are.

Why you should care

When I talk to my clients about convergence, I often have to remind them that physical security has just as unique of a knowledge set as the IT department. The management of ID badges is one of those areas where most security directors see a bigger picture of managing identities. There needs to be a “Czar of Identity” for the corporation; one policy and process from background checks to badges to all forms of access. Here is an opportunity – not only to show real value for your department, but also to further a relationship with the IT organization where they need help. Besides, we all hate passwords, right?

Rich Anderson is the president of Phare Consulting, a firm providing technology and growth strategies for the security industry. A 25-year veteran of high tech electronics, Mr. Anderson previously served as the vice president of marketing for GE Security and the vice president of engineering for CASI-RUSCO. He can be reached at [email protected].