The meat for this article goes all the way back to 1982 when I first started to consider this problem. This is more than a 20-year-old problem, and it remains a major concern for just about all of us today. Here's the question that our computers are faced with each and every time we log on to a workstation or network server. Was that really you who entered your login and password information? How can the smart (but dumb) computer know for sure?
While attending an advanced system administration class (UNIX) in Chicago in 1982, I began to think about this problem. I certainly wasn't the first one to wonder about it, but as I sat in the classroom with about 15 other students, I began to wonder how the computer really knew who was doing what. We each had a login ID and a password and we each logged out before going on break or to the cafeteria for lunch. I had read about spoofing programs and so I decided to have some fun and write a very simple one to emulate the login program and try to capture the other student's passwords. To my surprise, when I ran the program on each of their terminals (does anyone remember terminals?) I had a file in my root directory showing every student's login ID and password shortly after they returned from lunch. From that point on, I could become any one of them simply by entering their login ID and password instead of mine. There was no additional authentication forcing me to prove that it was really me using a login ID and password. Not good!
The 1983 War Games movie that I mentioned in a previous article showed a perfect example of the use of login IDs and passwords without authentication. During the 20 years that have passed since my Chicago class days, I have seen many changes in operating systems, applications and hardware. We have gone from kilobytes of information and memory to megabytes, gigabytes and soon to be terabytes. Unfortunately, I haven't seen major changes in how we ensure that the right people are getting access to that mountain of critical information. In my personal experience, the primary authentication for access to many systems remains the static (able to be used more than once) password.
Authentication Methods 2002
To keep this description very simple, there are three possible ways to identify yourself to a computer. To ensure that it is really you, you need to present at least two of them for confirmation. These are the standard What You Know, What You Have and What You Are. The what-you-are is the only one that could possibly stand alone, but it is usually associated with at least a what-you-know bit of information. The what-you-are identification is normally considered biometric information, and those types of solutions are just now finding their way into mainstream security applications. Things like retina scans, fingerprint recognition, hand recognition, etc. are examples of this type of security. As an example, our local YMCAs now require that we enter our password (what-I-know) and then place my hand in the hand reader (what-I-am) for the gate to click open. That's two-part authentication. Without one of the other, I don't get to sweat for an hour that day.
Is Two-Part Authentication New for Computers?
The answer to that is both yes and no. Some of the things that we are beginning to see on the biometric scene are quite new and exciting. Time will tell how well they are accepted as widespread solutions for addressing the authentication problem. For the remainder of this article, I want to discuss one of the first true authentication solutions that I ever used. I don't work for this company, and I don't ever plan to, so I'm not trying to sell you something. I do want to let you know about a solution that I first evaluated in 1988 (14 years ago) and it's just as effective today as it was then. I personally can't think of any other hardware/software product that was in use in 1988 and is still in use today. As fast as technology is changing I'm happy if the technology that I am currently using stays useful for even two years. A product remaining effective for close to two decades is absolutely incredible.
The product that I am talking about is the RSA SecurID card/server. During the past 14 years, I have seen many uses of this product for true authentication needs. The authentication device that you carry with you shows a six-digit number on its LCD screen. This number changes to a new six-digit number every 60 seconds. This small device, which randomly shows a single number from 000000 to 999999, is the what-you-have part of the two-part authentication. Anyone could pick it up and try to enter the six-digit number as the current passcode during a given one minute timeframe. This would be of no value to them because they wouldn't know the secret personal identification number (most of us use a PIN code with our bank ATM cards) which is used in conjunction with the current six-digit number. Now we have something that has been very effective for me for the past 14 years. This is a true two-part authenticator using a what-you-have (SecurID card/fob) and a what-you-know (secret pin that only I know) to help ensure that it is me logging in.
An unauthorized person would need both pieces to be able to login as you on the SecurID protected account. They would need to have your card/fob and know your secret PIN to do this. As long as you didn't give it to them, getting either of these pieces should be difficult for the unauthorized person.
More Info on SecurID
Obviously, I can only provide a very brief introduction to authentication and why I like SecurID as a very well proven product for me. Here's a way for you to see what I mean about it being so popular. Go to my favorite search engine Google (www.google.com) and enter the single word "SecurID" in the search engine. You can even use the double quotes if you like. You will find over 50,000 pages throughout the Internet where people and groups have described their use/reviews of this fine product.
It is becoming increasingly difficult for us old TRS80 Model III fans to find things that still exist from the early days of computer security. Well-done RSA/SecurID!
Until next month,
Stay safe out there.
Jack Wiles is president and co-founder of TheTrainingCo and is a 30+ year security veteran. He is also the MC of the annual International Techno-Security Conferences. You can email him at email@example.com or find out more about him by visiting www.thetrainingco.com/biojackwiles.html.