
Let’s get authentic


This has been a trying month. There is a lesson in it for disaster recovery mavens. Our data center – the Center for Advanced Computing, not the university data center – is in a 114-year-old building. A steam pipe burst and the ceiling in the server room collapsed. Then the clean-up folks found toxic mold and finally, asbestos. Lesson: If you must be in a 114-year-old building, have a backup plan. Our student sys admins performed beautifully and there was almost no damage.

Reviews this month address authentication. It used to be that we knew exactly what we meant by authentication. It was part of the access control function: identify, authenticate, authorize. It's not quite so simple today. Today, the perimeter is porous and we sort of let strangers into parts of our systems – think online banking, for example. The notion of strong authentication used to mean multifactor and, to some extent, it still does. But now we have some special use cases that call for strong authentication, but do not necessarily require multifactor.

An example is that awful tool, CAPTCHA. This has to be the most user-unfriendly contrivance in the history of computing. However, it is just that which makes it useful. It is, in its own way, an authentication device. It authenticates the user as a human rather than a bot. There is no multifactor, but it changes with each use, so it is not predictable. In short, it is rather like a one-time pad in encryption.

At the other end of the spectrum we have biometrics. Now, if we combine them with a PIN or password for multifactor, we have pretty much the strongest authentication around. Unless you are very clever. Fans of Sherlock Holmes may recall “The Adventure of the Norwood Builder.” In that story, Holmes discovers that a fingerprint on the wall was fashioned by making a rubber mold of a fingerprint and using it rather like a stamp. Fantasy? Not really. At the annual scientific meetings of the American Academy of Forensic Sciences this year, a project was shown that demonstrated that the Holmes story works just fine and a latex facsimile can be used to unlock a mobile phone that requires biometrics. From Victorian fiction to the realities of today…

However, in this month's parade of products we tried no such subversion. Our testing was very straightforward. For each product, we created its own test bed and put it through its paces. Although our test team is very good at breaking things, they were unsuccessful this month. Everything they tested worked well and the result was a crop of first-rate products – some rather spectacular.

The name of the authentication game this year seems to be price/ease of use. This is a game-changer for strong authentication and it has been too long coming. Now, as you will see, the average person can use strong authentication easily, and the tools are inexpensive – in one case free for very small numbers of users. Hats off this month to the reviews team of Sal Picheria, Ben Jones and James Verderico. Now, on to the products.
