Joel Dubin answers questions about new authentication technologies.
What are picture passwords and how can they improve authentication?
What should I look for in a one-time password system?
What features does access control software need to make HID cards sing?
Q: What kinds of new "picture password" technologies are available for mobile devices, and as an authentication method is it any more convenient (and secure)?
A: The idea of a picture as a password isn't new. Such schemes replace a typed password with a picture the user chose when registering: the system stores that choice and shows the picture again at login. The principle is that pictures are easier to recall than strings of characters and harder to lose, since the image itself is presented as the memory cue.
But the technology for mobile devices is a bit different. First introduced by SoftAva as PicturePassword for Treo in 2005, it worked through a two-step process. The user selected a picture from the software's built-in archive (the system couldn't accept a custom photo or picture), then selected a grid overlay and the number and location of taps on the picture with a stylus. If the user tapped the picture the right number of times in the right locations, they were granted access. If they failed, they were prompted for their regular password. That fallback matters: because a failed picture login simply dropped the user back to the ordinary password, the scheme could never be stronger than the password behind it.
PicturePassword was eventually discontinued, but a similar technology was developed in 2007 by researchers at Newcastle University in the UK. In that system, the user chose a picture, but then had to draw a simple design on top of the background image. Since most people aren't artists, simple stick drawings were sufficient. The principle is the same as PicturePassword's: users have to remember their picture and then superimpose something with a stylus on top of it.
The latest such technology is Origami Experience 2.0 from the Origami Project. It was released earlier this year at the Consumer Electronics Show. Origami Experience 2.0 is software for ultra-mobile PCs (UMPCs), which are about the size of a paperback book and run on Windows Vista. Like the PicturePassword software, the user taps on a background picture to gain access. So far, Origami Experience is limited to UMPCs.
The market for picture passwords on mobile devices is still quite limited. Another thing to consider is that, despite the ease of use, it's still single-factor authentication: a tap sequence on a picture is something the user knows, just like a password. It is a glorified password, and with a bit more effort it can be shoulder surfed, since the picture and the grid are the same at every login and the taps are visible to anyone watching the screen. The fixed grid also bounds the number of possible secrets. With a five-by-five grid and four taps, for example, there are only 25^4 (about 390,000) combinations, far fewer than a random eight-character password allows.
Since the technology isn't widespread yet, it isn't on attackers' radar, so it's too early to say how well it holds up in practice.
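The grid-and-taps mechanism described above, as an added example that is not SoftAva's or any other vendor's code: taps are snapped to grid cells so that stylus jitter still matches, only a salted and stretched hash of the cell sequence is stored (as one would store a password, never the raw coordinates), and a helper puts a number on how small the keyspace is. The picture size, grid size and sample taps are constructed for the example.

```python
import hashlib
import hmac
import math
import os
from typing import Dict, Optional, Sequence, Tuple

Tap = Tuple[int, int]  # (x, y) pixel coordinates of one stylus tap


def quantize(taps: Sequence[Tap], width: int, height: int, grid: int) -> Tuple[Tuple[int, int], ...]:
    """Snap each tap to a cell of a grid x grid overlay so that small stylus
    jitter still matches. Taps off the picture are rejected."""
    cells = []
    cell_w, cell_h = width / grid, height / grid
    for x, y in taps:
        if not (0 <= x < width and 0 <= y < height):
            raise ValueError("tap outside the picture")
        cells.append((int(x // cell_w), int(y // cell_h)))
    return tuple(cells)


def _encode(cells: Sequence[Tuple[int, int]]) -> bytes:
    # The order and the count of taps are both part of the secret, so keep both.
    return ",".join(f"{col}:{row}" for col, row in cells).encode()


def enroll(taps: Sequence[Tap], width: int, height: int, grid: int = 5,
           salt: Optional[bytes] = None, iterations: int = 100_000) -> Dict:
    """Store only a salted, stretched hash of the cell sequence (assumed design)."""
    salt = os.urandom(16) if salt is None else salt
    cells = quantize(taps, width, height, grid)
    digest = hashlib.pbkdf2_hmac("sha256", _encode(cells), salt, iterations)
    return {"grid": grid, "salt": salt, "iterations": iterations, "hash": digest}


def verify(record: Dict, taps: Sequence[Tap], width: int, height: int) -> bool:
    """Recompute the hash from the presented taps and compare in constant time."""
    try:
        cells = quantize(taps, width, height, record["grid"])
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", _encode(cells), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def keyspace_bits(grid: int, taps: int) -> float:
    """Upper bound on the secret's strength: each tap picks one of grid*grid
    cells, so a sequence of a fixed length has (grid*grid)**taps possibilities."""
    return taps * math.log2(grid * grid)


if __name__ == "__main__":
    # Constructed sample: a 300x300 picture, 5x5 grid, four taps.
    record = enroll([(40, 40), (250, 70), (150, 150), (20, 280)], 300, 300)
    print(verify(record, [(50, 30), (260, 65), (145, 160), (10, 290)], 300, 300))  # True: same cells
    print(verify(record, [(40, 40), (250, 70), (150, 150)], 300, 300))             # False: tap count differs
    print(f"{keyspace_bits(5, 4):.1f} bits")  # 18.6 bits, versus roughly 47 bits for a random 8-character alphanumeric password
```

The hashing only protects the stored secret; it does nothing against the shoulder-surfing problem, which is a property of the input method, not of the storage.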
What should I look for in a one-time password system?
Q: Our company is looking into using password tokens. What should we look for in a product, and in a vendor?
A: One-time password (OTP) tokens provide two-factor authentication: the token is something the user has, added to the user ID and password or PIN, which are something the user knows. The idea is that if a password is compromised, the attacker would still have to obtain or defeat the OTP device to gain system access.
OTP tokens are usually small pocket-sized fobs with a screen that displays a number. The number changes every 30 or 60 seconds, depending on how the token is configured. To log in, the user enters his or her user ID, then the PIN followed by the number currently displayed on the token in the password field.
The choice of a password token should be based on the company's needs. Why do you need tokens, and who will be using them? Are they for employees to access internal systems, or for customers to access externally facing systems, like websites? Are they for compliance with regulations or for beefing up existing authentication to systems hosting high-risk data?
Those questions aside, the choice of password tokens should be based on how well they mesh with the existing network and authentication architecture, and on their ease of use and acceptance by employees. Other considerations are maintenance, support and scalability: how easy are they to support, and will they grow as authentication needs expand?
First, OTP tokens should be compatible with the existing authentication infrastructure. They should be managed centrally so that users and their tokens can be provisioned or revoked as required. The mapping between users and their tokens should be easy to keep in the current directory service, whether Active Directory or another LDAP directory. The token seeds themselves deserve more care than a directory attribute: unlike passwords they cannot be stored as one-way hashes, because the authentication server needs the seed to compute each code, so they should be held encrypted or in a hardware security module on the authentication server.
Second, the device should be easy for employees or customers to use. If it's difficult, or employees aren't given proper training, they'll figure out ways around the device, which defeats its purpose. Also, as with user IDs and passwords, tokens should never be shared.
Lastly, tokens should be easy for system administrators to install, deploy and maintain. A token-based system should scale to handle additional users as the network grows, and the devices should be configurable: the length of the code and the interval for which it is displayed may need to be shorter or longer depending on the business and security requirements (a shorter interval narrows the window in which an observed code can be reused). Tokens also need to be purchased, stored and distributed, which adds to the cost of maintenance and overhead.
There are a lot of vendors in this space, including RSA, Aladdin Knowledge Systems, Entrust, VASCO Data Security International and VeriSign. They offer a range of token types from small key chain fobs to mini-calculators.
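The time-synchronized code described above, as an added example that is not any listed vendor's algorithm: it implements the open TOTP standard (RFC 6238, built on HOTP from RFC 4226), with the code length and time step exposed as the configurable parameters the answer mentions, plus the two server-side checks a practitioner wants, a small drift window and a refusal to accept a time step twice so that an observed code cannot be replayed. The `TokenVerifier` class, its `skew` parameter and the `alice` user are assumptions for the example; the 20-byte ASCII seed is the RFC 6238 test seed.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock.
    `step` is the 30- or 60-second interval; `digits` is the code length."""
    now = int(time.time()) if at is None else at
    return hotp(key, now // step, digits)


class TokenVerifier:
    """Server side (assumed design): checks a code against the user's seed,
    tolerates clock drift of +/- `skew` steps, and never accepts a time step
    at or before the last one already used by that user."""

    def __init__(self, step: int = 30, digits: int = 6, skew: int = 1):
        self.step, self.digits, self.skew = step, digits, skew
        self._last_counter: Dict[str, int] = {}

    def verify(self, user: str, seed: bytes, code: str, at: int) -> bool:
        base = at // self.step
        for counter in range(base - self.skew, base + self.skew + 1):
            if counter <= self._last_counter.get(user, -1):
                continue  # already consumed: replay of an observed code
            if hmac.compare_digest(hotp(seed, counter, self.digits), code):
                self._last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 test seed, not a real secret
    print(totp(seed, at=59, digits=8))  # 94287082, the RFC 6238 vector for T=59
    v = TokenVerifier()
    code = totp(seed, at=1234567890)
    print(v.verify("alice", seed, code, 1234567890))  # True
    print(v.verify("alice", seed, code, 1234567890))  # False: same step reused
```

The window must stay small: every extra step of `skew` multiplies the number of codes an attacker can guess at a given moment, which is why a short display interval combined with a short code also needs an attempt limit on the server.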
What should we look for in access control software?
Q: I can no longer get tech support for the software that runs our control access program. In an environment where we also use HID card readers and proxy cards, what are qualities that we should look for when searching for new software?
A: Using HID card readers and proximity cards sounds like the cards control both logical and physical security access: the physical controls for access to the facilities themselves, and the logical controls for access to computer systems and networks.
These card readers are contactless: the card is held near or waved past the reader rather than inserted or swiped.
Merging logical and physical security is becoming increasingly common because it provides a single point of control for all types of access. An employee's access can be changed globally by making one change to his or her profile in the system. It can also save an enterprise money, since one badge or card is used for all purposes, rather than having separate systems for access to computer networks and facilities. The flip side is that the single point of control is also a single point of failure: a compromised card or administrator account now opens doors as well as network logins, so the combined system needs the stronger of the two sets of controls, not the weaker.
With that in mind, the software should be compatible with both physical and logical infrastructure. It should mesh with existing identity and authentication management systems, but especially with directory stores, such as Active Directory and LDAP. With an Active Directory shop, for example, it's important not to rip out the plumbing for a system more compatible with LDAP.
The software should also protect the authentication data, both at rest in its data stores and in transit from the HID card readers back to the IAM systems. Be clear about what the cards themselves can do: a classic 125 kHz HID proximity card transmits a static identifier with no cryptography, so "encryption on the card" implies moving to a 13.56 MHz contactless smart card platform. For those, make sure the software is compatible with ISO/IEC 14443 (Type A is the variant most often meant), the leading standard for contactless cards. The standard defines the RF interface, anticollision and transmission protocol between card and reader, so cards and readers from different vendors interoperate; it says nothing about the data carried above that layer or about the wire from the reader back to the controller, which still has to be secured separately.
The software should also come with a development kit, so it can be customized to meet specific needs and made compatible with the different types of readers.
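What a proximity reader actually hands to the access control software, and one way to keep the stored side of it out of the clear, as an added example that is not HID's or any vendor's code: the 26-bit frame (the H10301 format commonly emitted by HID proximity readers over a Wiegand line, where it travels unencrypted) is parsed and parity-checked, and the credential store keeps only keyed hashes of facility code and card number, so a copy of the database does not yield a list of cloneable identifiers. The `CardStore` class, its key handling and the `alice` user are assumptions for the example; the facility and card numbers are constructed.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def encode_wiegand26(facility: int, card: int) -> str:
    """Build a 26-bit H10301 frame: [even parity][8-bit facility][16-bit card][odd parity].
    Bit 0 is even parity over the first 12 data bits; bit 25 is odd parity over the last 12."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility or card number out of range")
    body = f"{facility:08b}{card:016b}"
    even = body[:12].count("1") % 2
    odd = 1 - body[12:].count("1") % 2
    return f"{even}{body}{odd}"


def decode_wiegand26(frame: str) -> Tuple[int, int]:
    """Parse and parity-check a 26-bit frame; any corruption raises ValueError."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("not a 26-bit frame")
    body = frame[1:25]
    if int(frame[0]) != body[:12].count("1") % 2:
        raise ValueError("even parity failure")
    if int(frame[25]) != 1 - body[12:].count("1") % 2:
        raise ValueError("odd parity failure")
    return int(body[:8], 2), int(body[8:], 2)


def is_valid_frame(frame: str) -> bool:
    try:
        decode_wiegand26(frame)
        return True
    except ValueError:
        return False


class CardStore:
    """Holds only HMAC tags of card identities (assumed design). The key belongs
    to the IAM service, not to the database, so a dump of the store alone is
    not a list of facility/card numbers to program onto blank cards."""

    def __init__(self, key: bytes):
        self._key = key
        self._user_by_tag: Dict[bytes, str] = {}

    def _tag(self, facility: int, card: int) -> bytes:
        return hmac.new(self._key, f"{facility}:{card}".encode(), hashlib.sha256).digest()

    def enroll(self, facility: int, card: int, user: str) -> None:
        self._user_by_tag[self._tag(facility, card)] = user

    def revoke(self, user: str) -> None:
        # One change to the user's record removes every card bound to it.
        self._user_by_tag = {t: u for t, u in self._user_by_tag.items() if u != user}

    def lookup(self, frame: str) -> Optional[str]:
        """Resolve a reader frame to a user, or None if the frame is corrupt or unknown."""
        try:
            facility, card = decode_wiegand26(frame)
        except ValueError:
            return None
        return self._user_by_tag.get(self._tag(facility, card))


if __name__ == "__main__":
    store = CardStore(key=b"replace-with-a-key-from-the-IAM-service")  # constructed
    store.enroll(55, 12345, "alice")
    frame = encode_wiegand26(55, 12345)
    print(frame, store.lookup(frame))            # '...' alice
    print(store.lookup(frame[:-1] + ("1" if frame[-1] == "0" else "0")))  # None: parity failure
```

The keyed hash protects the store, not the wire: the frame itself still carries the facility code and card number in the clear, which is exactly why the reader-to-controller link and the card technology have to be chosen with the same care as the database.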
