ZDNet UK / News and Analysis / Business of IT / IT Strategy

One, two, three factor security?

By , ZDNet.co.uk, 7 August, 2002 12:24

Daily Newsletters

Sign up to ZDNet UK's daily newsletter.

Topics

Password, smart card, Biometric, Fingerprint, Retina, Security, factor security, secure ID, PIN

ANALYSIS
Getting security right is a balancing act. Too much, and the system that's protected becomes too difficult to use. Too little, and the repercussions can be enormous -- not only can fraud impoverish a company, but there are significant legal and practical implications if sensitive company data has been revealed or modified. Security systems can be categorised by factors, the number of different ways that a user is authenticated before being allowed access. One factor security is by far the most common -- if you know your username and password, you're in. Two factor security relies on something you alone have and something you alone know. You already use it when you get cash from a hole in the wall, where the combination of the bank card and your PIN identifies you in two ways. Security companies are also keen to promote yet more secure system: three-factor security, which includes biometric identification to check something you are alongside what you have and know. However, even two factor security is a massive improvement on systems that just use a password -- no security consultant will fail to recommend it as a minimum acceptable level of safety. But most companies choose to ignore this. It's not that single factor security is safe. While it's true that a well-chosen password can be effectively impossible to crack, few people take that much trouble. If a 2GHz Pentium 4 computer tried to guess an eight-character password by working its way through all the combinations, it'll take more than a decade, on average. Yet nearly every survey of people's preferences shows thirty percent or more choose single words, family names or other short, easy to remember passwords. Even when a company has -- and enforces -- a password policy that excludes these, it takes little work to get people to divulge their passwords over the phone. One survey, by security consultants PentaSafe, found that two-thirds of commuters at Victoria Station in London would give their password to a pollster in exchange for a promotional pen. In any case, forcing people to use hard-to-guess, frequently changed passwords merely increases the incidence of people writing the passwords down and sticking them to the front of their monitors. Some people recommend teaching users a way of mentally converting a passphrase to a password -- so "Time for bed, said Zebedee" becomes T4bsZ -- but this is rarely popular. Two factor security is much safer. The most common system uses an authenticator, a small device -- SecureID is the best known -- that constantly generates a long and constantly changing sequence of numbers which the user has to type in alongside their normal password. While this will certainly deter the ad hoc intruder, it's not safe against the skilled hacker, for example, phoning up an IT centre and successfully posing as an authorised user on a tight deadline who's left their authenticator elsewhere. Another two factor scheme uses cellphones, where the person logging on has to answer an authentication challenge sent from the computer to their mobile phone by text message. This reduces the number of devices the user has to carry, but if they're out of range, have flat batteries or have left the phone elsewhere it disbars them from access. Three factor security typically uses fingerprint, retina, iris, voice or face recognition. These are all physiological features that can be easily digitised and are mathematically unlikely either to give a false negative -- when the authorised user isn't recognised -- or a false positive, when someone unauthorised passes. The downsides to these systems are that the readers are expensive, have to be physically installed, and all have weak points that can be exploited. Most recently, fingerprint scanners were shown to be unable to differentiate between a real finger and one made from gelatin. All security systems can be circumvented if the intruder gains access to the system, even temporarily, at a high enough level. Biometric tests are no safeguard if the intruder has the freedom to either create a new account keyed to themselves, or can tamper with existing accounts to the same effect. You should have two factor security. Even if you don't, you should educate users on selecting sensible passwords, warn them never to disclose their passwords to anyone -- no matter what the excuse -- and make sure the reasons behind this are well understood. People with access to their work systems are the equivalent of people who hold the keys to the company premises, and this incurs responsibility. If that is widely known and respected, half the battle will have been won.
Have your say instantly in the Tech Update forum. Find out what's where in the new Tech Update with our Guided Tour. Let the editors know what you think in the Mailroom.

Related stories

Remote users are the weakest VPN link

Lowdown on latest MS security bulletin

PDA encryption options

New security exam and test retirements

Citrix to deliver Windows desktops from the cloud

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

  • Login

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

Get ZDNet UK's daily newsletter

Enter your email address to sign up

ZDNet UK Live

UnderINK

I agree with the previous commenter wholeheartedly. I couldn't say it better myself. This is very 'Big Brother'. And while I agree with protecting...

44 minutes ago by UnderINK on European e-identity plan to be unveiled this month
Simon Bisson and Mary Branscombe

Nice to see that Turing's idea of a general purpose computer doing once-hardware-powered tasks in software is now universal ;-) Mary

6 hours ago by Simon Bisson and Mary Branscombe on Software with everything
Jason Burchell

seriously now. I've only bothered to read a small bit of the comments. do me and the rest of the world a favour. stop saying it does not work or...

10 hours ago by Jason Burchell via Facebook on Music industry negotiating over 24-bit downloads
Philip Charles Cohen

Read about it and weep, John Donahoe ... In addition to Visa’s V.me, there is now MasterCard’s PayPass digital wallet soon to arrive; another...

14 hours ago by Philip Charles Cohen via Facebook on PayPal takes phone-based payments to the high street
apexwm

Leslie Satenstein : Where have you ever seen Mozilla even mention this? Firefox is the most popular browser in the GNU/Linux OS, so I don't see...

15 hours ago by apexwm on Firefox rapid release improves Fedora Linux
songmaster

SHleG: Do you remember building a clockwork scorpion kit (I'm pretty sure I have a photo of it somewhere) — I think it was called something like...

16 hours ago by songmaster on Software with everything
Chris Wortman

Good I love Yahoo! Their search engine is getting better than Google as of late. I find more of what I want on the first page, and usually within...

17 hours ago by Chris Wortman via Facebook on Linux Mint 13 ramps up for KDE release
PatrickG

openhgs has made the point for Windows 8 multiple monitors without realising it! With Windows 7 you have to switch the mouse and so your focus...

19 hours ago by PatrickG on Windows 8 could speed multi-monitor uptake
Leslie Satenstein

Mozilla has threatened to stop supporting Linux. I guess that UBUNTU is going with another browser. I indicated that if Mozilla stops supporting...

20 hours ago by Leslie Satenstein via Facebook on Firefox rapid release improves Fedora Linux
Andy Bolstridge

Much as I abhor Microsoft's licensing practices, this is almost certainly down to purchasing IT equipment via 3rd party consultants - you get the...

20 hours ago by Andy Bolstridge via Facebook on 6 million wasted licences and £1,200 PCs: welcome to government IT
Jack Schofield

@openhgs Windows users have had multiple desktops since Linus started writing Linux. They just haven't shipped as standard because not enough...

2 days ago by Jack Schofield on Windows 8 could speed multi-monitor uptake
Jack Schofield

@Phil at Cloud4 What, Microsoft gets £1,200 per PC and £1,622 per server? Gosh, I'm amazed....

2 days ago by Jack Schofield on 6 million wasted licences and £1,200 PCs: welcome to government IT
craigsc

You guys have no idea what is going on at Autonomy. Autonomy could have been a much more profitable organization. The sales operations at Autonomy...

2 days ago by craigsc on HP cuts 27,000 staff as Autonomy chief Lynch leaves
Moley

How does this impact on dual or multi booting? Seems to me to more or less prohibit this, from Windows 8 anyway. Will Grub 2 recognise Windows 8,...

2 days ago by Moley on Windows 8 start-up speed forces USB boot workaround
apexwm

I don't understand why there cannot be a slight pause during the boot process so the user can press a key. Many operating systems do this, even if...

2 days ago by apexwm on Windows 8 start-up speed forces USB boot workaround
Gavin Goodman

You can now buy the Xi3 modular computer in the UK at http://www.ocdistribution.com . This can be bought with the Tand3m software, pricing and...

2 days ago by Gavin Goodman on CES 2012: Xi3 microSERV3R
Phil at Cloud4

I agree: Mike Lynch can clearly build a business and manage strategy. I suspect the exit of Mike is more likely the end of a planned handover...

2 days ago by Phil at Cloud4 on HP cuts 27,000 staff as Autonomy chief Lynch leaves
Phil at Cloud4

This is unbeleivable government wastage with only one winner... Microsoft 1 - Tax payer Nil!

2 days ago by Phil at Cloud4 on 6 million wasted licences and £1,200 PCs: welcome to government IT
Mispam

So what do you do when you can't boot into windows? Why can't I just hold Shift while I power up instead of having to boot into windows and click a...

2 days ago by Mispam on Windows 8 start-up speed forces USB boot workaround
apexwm

I've also seen that Mac OS X for Intel machines is supposed to run in VirtualBox, which would also be a nice solution. I've never tried it though.

2 days ago by apexwm on xTreme Triple Booting: Linux, Mac & Windows

Latest in IT Strategy

Citrix to deliver Windows desktops from the cloud

Featured white papers

Email archiving: Should you choose SaaS?

Proofpoint

Email archiving: Should you choose SaaS?

This Proofpoint white paper looks at how using software-as-a-service offerings can be beneficial -- or not -- for archived... Read more

Six ways to make cloud work

Phoenix

Six ways to make cloud work

How can your business be sure that the cloud will give you the security and resilience your business needs? This six-point plan offers advice for growing... Read more

Using hybrid security to manage web threats

Blue Coat Systems

Using hybrid security to manage web threats

Should large organisations opt for on-premise security gateways or simply offload web threat management to the... Read more

Inside ZDNet UK

Indoor navigation coming to a mobile near you soon

Indoor navigation coming to a mobile near you soon

Software with everything

Software with everything

Asus Transformer Pad TF300T

Asus Transformer Pad TF300T

How IT is ganging up on organised cybercrime

How IT is ganging up on organised cybercrime

HTC One V: First take

HTC One V: First take

SharePoint deployment: The final chapter

SharePoint deployment: The final chapter

Ten IT jobs to save up for those rare lulls

Ten IT jobs to save up for those rare lulls