Two-Factor Authentication in Windows
- Oct 6, 2005
The Need for Better Security
Simple passwords, the backbone of modern computer security, are notoriously insecure. One result is that something like 10 million Americans have been victims of identity theft to the tune of about $50 billion, according to the U.S. Federal Trade Commission.
Obviously, we need something better than passwords, and the consensus is that the "something better" is a concept called two-factor authentication.
This is neither academic nor theoretical. Two-factor authentication is bearing down on us with the speed—and all the fine control—of a runaway freight train. Last December, the Federal Deposit Insurance Corporation (FDIC) issued a report recommending that financial institutions move to two-factor authentication in place of passwords. Many banks, such as Bank of America, are running pilot projects to evaluate two-factor authentication for the customers in online banking. Some institutions have already made the jump. For example, E*Trade Financial, a leading online brokerage, is already offering customers a two-factor authentication system.
This isn't just banks and brokerages. We can expect to see passwords rapidly replaced by two-factor systems in any application for which security is important. At this year's CeBIT trade show in Europe, Microsoft announced that it plans to go to two-factor authentication in future versions of its operating systems.
Some vendors are already using the technique. Nexsan Technologies has just released a secure storage system that uses two-factor authentication to ensure the integrity of key recovery. Nexsan's Assureon product uses an elaborate encryption system that encrypts each file separately and then encrypts a manifest file containing the keys to the files. To recover the files in the event of a failure, the administrator needs a hardware key. Nexsan issues several copies of the key device with each Assureon system, and the customers keep them in safe deposit boxes or other secure locations until needed.
In fact, any application that uses passwords today is a strong candidate for two-factor authentication in the next few years. This implies that any enterprise that develops applications will have to choose a two-factor authentication system to use with its products. It also suggests that all Windows administrators are going to be expected to evaluate two-factor authentication schemes as part of nearly any product selection.
And evaluating two-factor authentication—whether as part of evaluating an application for your enterprise's use or choosing a system to incorporate in your own applications—isn't simple. Two-factor authentication isn't a product; it isn't even a technology. It's a concept, and there are many, many ways of implementing it. Not all of those ways are equally useful or equally secure and not all the products that use them are equally well-designed. What's more, there are major tradeoffs among security, cost, and performance. The systems that provide the highest levels of security are also the most costly and usually extract the largest performance penalties.