At the university where my wife and I work for central IT, we are coming to grips with the fact that the old username-and-password method of protecting online services no longer provides a level of security we are comfortable with. As more and more services become available online, the need for a more robust system becomes increasingly urgent. When I first joined the Higher-Ed world almost ten years ago, only a handful of services were accessible over the network, and each of those services used and maintained its own users and credentials. The only saving grace was that these services were specialized enough that any one of them was used by only a small percentage of the university population. The security picture was also bolstered by the fact that dial-up was still “new” and, while many of the faculty and staff had PCs, not all of them were on the network.

Fast forward to 2006. All the residence halls are wired; nearly every faculty and staff member has a networked PC and possibly a laptop; wireless access points are scattered across campus (and the requisite college-town coffee shops); and to top it all off, everything from class registration and course materials to email and job postings is accessible online. Now the simple username and password that once let you save your Word documents on the departmental file server lets you into a hundred applications spread across many servers. To deal with the increased risk, almost everyone in Higher-Ed and the corporate world has moved to a central directory service that leverages Kerberos or a similar protocol for authentication. Additionally, users are being asked to remember longer passwords and change them more often. But is that enough?

Passwords can’t get much longer, or folks will start writing them on their palms. (The flesh-and-blood kind, not their PDAs… stick with me here.) For many, the next step up is two-factor authentication, which combines “something you know” with “something you have” to further secure your identity. The “something you know” is usually a password or PIN. “Something you have” can refer to smart cards, RFID tags, or USB keys, or even biometric identifiers like fingerprints, iris scans, and facial recognition. Nearly all of these systems require specialized hardware on the workstation you are using to access the network. (RSA’s SecurID and similar systems are the notable exception, in that the hardware they require stays with the user, not at the point of access. These systems use a handheld device that generates a time-based random token, which you enter in combination with your PIN or password.) This need for specialized hardware, and the infrastructure required to support it, means that the move to two-factor authentication, while it does increase security, is neither simple nor cheap. Looks like the students aren’t the only ones with homework to do.
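The SecurID-style scheme above, where a time-based code from a handheld device is entered together with a PIN, as an added illustration that is not from the original post and does not reproduce RSA’s proprietary algorithm: a server-side verifier for the open TOTP construction (RFC 6238), which checks the PIN against a stored hash and the code against the current 30-second time step, allowing one step of clock drift in either direction. The secret, PIN and timestamps are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed illustration: TOTP-style (RFC 6238) verifier. SecurID's own
# token algorithm is proprietary; this shows the same idea with open parts.
STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Code for the time step containing unix_time (HMAC-SHA1, RFC 6238 defaults)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def pin_hash_for(pin: str) -> bytes:
    """What the server stores for the PIN. Placeholder: a real deployment would
    use a salted, slow password hash rather than a bare SHA-256."""
    return hashlib.sha256(pin.encode()).digest()


def verify_two_factor(submitted: str, stored_pin_hash: bytes, secret: bytes,
                      now: int, drift_steps: int = 1) -> bool:
    """Check 'PIN + token': the PIN (something you know) against the stored hash,
    the token (something you have) against the current step +/- drift_steps."""
    if len(submitted) <= DIGITS:
        return False
    pin, token = submitted[:-DIGITS], submitted[-DIGITS:]
    pin_ok = hmac.compare_digest(pin_hash_for(pin), stored_pin_hash)
    token_ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        candidate = totp(secret, now + delta * STEP_SECONDS)
        # Compare every candidate rather than returning early, so the response
        # time does not reveal which step (if any) matched.
        token_ok |= hmac.compare_digest(candidate, token)
    return pin_ok and token_ok


if __name__ == "__main__":
    SECRET = b"12345678901234567890"          # RFC 6238 test-vector secret
    print(totp(SECRET, 1234567890))           # 005924
    print(verify_two_factor("1234005924", pin_hash_for("1234"), SECRET, 1234567890))
```

A production verifier would also remember the last accepted time step per user so the same code cannot be replayed within its window.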
