Tuesday, January 29, 2013

Something You Were - 3 Factors of Fail (part 4)

   Today we'll continue our discussion on problems in the world of authentication.  Here are links to parts 1, 2 and 3.

   The 3rd form of authentication is typically called Something You Are.  We typically think of this as some kind of biometric indicator like fingerprints.  But this is probably the earliest and most basic form of authentication used in human or animal species.

   Animal species can identify members by sight, but more often scent or sound.   In addition to the traditional 5 senses, some animals have senses that humans do not, like echolocation, to help identify "friend or food".  Here are some interesting articles.

   Human babies can identify their mother by smell and sound.  People have used visual recognition as a primary identification method for most of the existence of the human race.  Of course, visual recognition can be spoofed. And there are other reasons why visual recognition may not be the best identification method.

Tuesday, January 22, 2013

Something You Lost - 3 Factors of Fail (part 3)

   As you can tell if you read my last post, I have some pretty strong opinions about the failure of passwords as an authentication mechanism.

   To review, the 3 factors of authentication are referred to as: something you know, something you have and something you are.  Today, in part 3 of this series, we'll talk about the failure of the second factor of authentication, "something you have".  Here are links to parts 1 and 2 of the series.

   While not the oldest form of authentication, this factor of authentication has been around for a long time.  Think about a key, or perhaps some kind of scroll with the symbol from a leader, or even the sword in the stone!  A driver's license, ID card, credit card or passport is also something you have.  These are all things someone can have that can be used to identify them or grant access.

   Today, the term "2-factor authentication" can mean the use of any two different factors of authentication.  But most commonly it refers to the combination of a password or PIN that you know with a single-use 6-digit number from some kind of token.

   Here are the three most common single use string/token delivery methods:

Tuesday, January 15, 2013

Something You Forgot - 3 Factors of Fail (part 2)

   Last week we started talking about authentication and listing the 3 factors of authentication.  This 2nd post in the 5-part series will look at the 1st factor.

   The 1st factor of authentication is "something you know".  We usually think of this as passwords, but there can be other forms like: PINs; lock combinations; "secret" phrases (the phrase that pays!); picture identification; and secret pattern (like on your smartphone).

   There are a few fundamental problems here.  And they are mostly caused by something we can't change... we're trying to authenticate a human! (usually)  So, rather than something we know, these authentication methods rapidly deteriorate into something you forgot.  Here's why...

Tuesday, January 8, 2013

3 Factors of Fail - The Authentication Problem

   Authentication is one of the biggest challenges in information security. We can have all kinds of technical security measures in our systems. There are various controls we can have at the data level. But we still need to allow people to use the systems and get to the data. I should say... we need to allow the right people to use the systems and get to the data! Authentication is how we decide who the right people are.

   Federal regulations like HIPAA, PCI, IRS 1075 and others place a major focus on "minimum necessary".  That is, giving a user the minimum access they need to do their job.

   Wikipedia defines authentication as: (from Greek: αὐθεντικός; real or genuine, from αὐθέντης authentes; author) is the act of confirming the truth of an attribute of a datum or entity. This might involve confirming the identity of a person or software program, tracing the origins of an artifact, or ensuring that a product is what its packaging and labeling claims to be.  And Webopedia has: The process of identifying an individual, usually based on a username and password.  Interesting that this latter definition directly refers to username and password.

   There has been plenty of news in the past couple of years of breaches involving theft of a password file (encrypted or unencrypted) and customer/citizen personal data. Examples include: eHarmony, LinkedIn, South Carolina Dept. of Revenue, and Utah. Many of these attacks involved exploiting authentication.

Tuesday, January 1, 2013

To Freeze or Not to Freeze, That is the Question

   As I make a cup of coffee this morning, I'm thinking about a recent change I made.  I'm getting my coffee out of the cupboard rather than out of the freezer.

   When I was a kid, I always remember my parents keeping their ground coffee in the freezer.  Typically that was perk (coarse) ground.  The thinking was that keeping the coffee in the freezer would keep it fresh longer.

   So, when I got older and had my own freezer, I did the same.  Typically I would either have drip (fine) ground coffee or whole beans.  For many years I never thought about whether or not that made any sense.