(taken from the Mar/Apr 2006 issue of On Balance magazine)
GRRR! What's the password?
By Jeffrey T. Lemmermann, CPA, CITP, CISA
Imagine, for a second, that you are a dog. A guard dog, at that, and you have just landed your first job, guarding the entrance to the county zoo. Not bad, considering that a number of your other guard dog school classmates are stuck with junkyard or car lot gigs.
Your job: to let only authorized people through the maintenance gate. Sounds easy, but this is your first day—and you are a dog. You’ve only been able to smell the person that hired you so far, and have a somewhat limited vocabulary. How can you tell who to let in and who to chase away?
A dog will be able to identify someone in a number of ways: scent, appearance, voice, or possibly from a treat given to you, the dog. These are methods of authentication for the dog in knowing who to let through the gate.
Information systems have to deal with the same issue of determining who is authorized and who isn’t. While a computer doesn’t smell a user to see if the scent is approved (yet), there are other methods of authentication used in the IT world. As the need for security continues to increase, the methods for authenticating users have evolved.
Authentication methods generally fall into three categories: something you know, something you have, and something you are.
The most common authentication today falls under the “something you know” category—passwords. The dog example: on your first day on the job you are trained to let people into the zoo when they say “Rumplestiltskin.” Personal identification numbers and pass phrases are other real-life examples. They are simple to implement and don’t require additional equipment or high levels of technology. They are, however, easy to compromise. In addition, once compromised, it can be difficult to detect intrusions, since a user name and password look the same no matter who is at the keyboard.
In the “something you have” category are ID cards, USB keys, key fobs, or, in our K-9 example, dog treats. An example today with IT systems involves USB keys. Instead of typing a user name and password, the computer operator inserts a USB device with authentication information on it into a USB port, or swipes an ID card’s magnetic stripe across a card-reader attached to the computer. If the authentication information on the device matches an entry in the system’s database, entry is allowed. If the key or card is one of our guardian’s “approved” treats, the visitor is allowed to enter the gate.
Benefits of these systems are the relative ease of implementation and the fact that a user knows when the device is missing. Drawbacks are the need for a physical object to gain access and the need to install reading equipment for the device.
The “something you are” category has seen the most activity in recent years, due to increases in computer power and the ability to miniaturize equipment. Biometric readers like fingerprint, signature or retinal scanners can now be installed on laptop computers. In general, they consist of a device to read or scan the identifying trait, software that converts the scan into digital form, a database of approved formats of the identifying trait, and software to perform a comparison of the read data with the database.
Our dog could use his sense of smell or sight to approve users based on those characteristics, which are very difficult to imitate or change. Therein lies the biggest benefit of biometric systems.
These systems are, however, not foolproof. Fingerprints can be intentionally faked using items as simple as clear tape, or a reader could wrongfully deny access to a user who had an unfortunate incident with a hammer (causing the identification finger or thumb to become twice its normal size).
An innovative use of biometric systems includes new signature readers which not only record the signature outline but also take into account the speed and pressure points of the individual performing the signature. Other biological traits are hand geometry, earlobe geometry, iris patterns, voice waves or DNA.
The lack of an international standard that would let biometric readers communicate with systems of other manufacturers is a major stumbling block preventing biometric use. This hurdle is being addressed by a consortium of organizations working on a standard called BioAPI. Currently in version 1.1, BioAPI 2.0 is due for release later in 2006. See www.bioapi.org for details.
More and more common today is the use of multi-factor authentication systems, which combine two or more authentication methods. Banks, which will soon be required to have two-factor authentication for on-line banking, have been among the first implementers of two-factor systems.
Normally, a user logs into the banking Web site with a user name and PIN. The system then asks for a code, which must be generated by a credit-card size device. That code is normally good for 30 seconds. If the user does not enter the code within that time frame, the process must be repeated. Our dog could require a pre-approved treat only accepted from scent-identified users in his implementation of two-factor authentication.
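The bank login described above, as an added example that is not part of the original article: a time-based one-time code in the style of the HOTP/TOTP standards (RFC 4226 / RFC 6238, an assumption about how the credit-card size device works), where the code changes every 30 seconds and the server checks it only after the PIN has been accepted. The shared secret and the timestamps are constructed values.

```python
import hmac
import hashlib
import struct

# Constructed shared secret for illustration only; a real token holds a
# unique secret provisioned by the bank and never typed by the user.
SHARED_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # the code is good for one 30-second window
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """One-time code from a counter (RFC 4226 HMAC-SHA1 + dynamic truncation)."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # low nibble picks 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """Time-based code: the counter is the number of 30-second windows elapsed."""
    return hotp(secret, int(now) // step)


def verify_login(pin_ok: bool, submitted_code: str, now: float,
                 secret: bytes = SHARED_SECRET) -> bool:
    """Server-side two-factor check.

    pin_ok is the result of the first factor (user name + PIN). The second
    factor is accepted only for the current 30-second window; an expired
    code fails and the user must start the process over, as the article
    describes. compare_digest avoids leaking the code through timing.
    """
    if not pin_ok:
        return False
    expected = totp(secret, now)
    return hmac.compare_digest(expected, submitted_code)


if __name__ == "__main__":
    # Device shows the code for the window containing t=45 s; the user
    # types it at t=50 s (same window) and again at t=61 s (next window).
    code = totp(SHARED_SECRET, 45)
    print("device code:", code)
    print("entered in time:", verify_login(True, code, 50))   # True
    print("entered too late:", verify_login(True, code, 61))  # False
```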
Any authentication system needs to balance the ease of entry by authorized users with the difficulty for unauthorized individuals to gain access. A system that denies all access at all times is very secure but ultimately useless.
Jeffrey T. Lemmermann, CPA, CITP, CISA is the Wisconsin security practice manager for Clifton Gunderson Technology Solutions. He can be reached at jeff.lemmermann@cliftoncpa.com.