Strong Authentication Myths Debunked – Part 2
When comparing strong authentication methods, what are the key areas to look at in determining which one offers the best trade-off between security, usability and price? The first thing to consider is whether you want to eliminate the username and password for all users. If so, you need a solution that covers desktop/network logon, VPN access and application access; a second factor that protects only one of those paths leaves the password in place on the others.
Only two credential types are directly supported by Microsoft for Windows XP, Vista, Windows Server 2003, Windows 7 and Windows Server 2008: username and password, and smart card (the latter logs on to Active Directory with Kerberos PKINIT, so no password is presented at all). Everything else is not a first class citizen and requires a custom GINA (XP and Server 2003) or credential provider (Vista and later) to plug into the logon screen. This means OTP or biometrics require additional software installed on every end-user computer. It also means that you are still really using passwords to authenticate to the Windows infrastructure: in most cases an additional server verifies the extra credential, whether an OTP or a fingerprint, and then releases the user's stored Active Directory password to the GINA or credential provider, which completes an ordinary password logon. That stored password, and the server holding it, become a high-value target in their own right, so the accept decision coming from that server has to be protected as carefully as the password itself.
Some may argue that PKI requires an additional server as well, but Microsoft already ships a Certificate Authority with its server operating systems, and some identity management companies, including Dexa Systems, provide a Certificate Authority with their appliance. More importantly, for PKI the CA is only involved in certificate management, not in the authentication itself: the domain controller validates the card's certificate chain at logon, and the only thing it needs from the PKI at that point is a current, reachable CRL, which is a publishing job rather than a per-logon round trip to the CA. An OTP server, which will typically speak RADIUS, is different: every authentication request must go through it. That server must therefore be scaled for high volumes of traffic and configured for high availability so that logons are not interrupted. It must also support password synchronization, so that when the account password changes, whether through policy-driven expiry or an administrator's reset, the copy it stores is updated; otherwise the next OTP logon releases a stale password and fails.
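The OTP path described above, with the logon agent on one side and the RADIUS-speaking OTP server on the other, as an added example; this is not code from the original post or from any vendor's product. It is plain Python using only the standard library and assumes a constructed shared secret, the RFC 4226 test-vector seed and a single user named alice held in a dict (a real server keeps per-user seeds and counters in a database). It shows the three points made above in working form: every logon round-trips to the server, the OTP is hidden under the shared secret as RFC 2865 specifies, and the agent must verify the Response Authenticator before treating an Access-Accept as proof, because that accept is what unlocks the stored AD password.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo values; nothing here comes from a real deployment.
SHARED_SECRET = b"demo-radius-secret"     # shared between the logon agent and the OTP server
OTP_SEED = b"12345678901234567890"        # RFC 4226 appendix D test-vector seed
USER = "alice"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def pad16(data):
    # User-Password is NUL-padded to a multiple of 16 bytes, minimum 16 (RFC 2865 s5.2)
    return data.ljust(max(16, -(-len(data) // 16) * 16), b"\x00")

def hide_password(secret, req_auth, data, decrypt=False):
    """RFC 2865 s5.2 User-Password hiding: XOR with a chained MD5(secret || previous cipher block)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + result, (block if decrypt else result)
    return out

def encode_attrs(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def decode_attrs(data):
    out, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out

def parse_packet(pkt):
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], pkt[20:]

def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret), RFC 2865 s3."""
    return hashlib.md5(struct.pack(">BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()

def build_access_request(ident, username, otp, secret=SHARED_SECRET):
    """Logon agent side: the OTP travels in User-Password, hidden under the shared secret."""
    req_auth = os.urandom(16)
    attrs = encode_attrs([(ATTR_USER_NAME, username.encode()),
                          (ATTR_USER_PASSWORD, hide_password(secret, req_auth, pad16(otp.encode())))])
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def build_response(code, ident, req_auth, secret, attrs=b""):
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, req_auth, attrs, secret) + attrs

def otp_server_handle(pkt, counters, secret=SHARED_SECRET, window=3):
    """OTP server side: recover the OTP, test it against a small look-ahead window, never accept a reuse."""
    code, ident, req_auth, attr_bytes = parse_packet(pkt)
    attrs = dict(decode_attrs(attr_bytes))
    if code == ACCESS_REQUEST and ATTR_USER_NAME in attrs and ATTR_USER_PASSWORD in attrs:
        user = attrs[ATTR_USER_NAME].decode("ascii", "replace")
        submitted = hide_password(secret, req_auth, attrs[ATTR_USER_PASSWORD], decrypt=True)
        submitted = submitted.rstrip(b"\x00").decode("ascii", "replace")
        if user in counters:
            for c in range(counters[user], counters[user] + window):
                if hmac.compare_digest(hotp(OTP_SEED, c), submitted):
                    counters[user] = c + 1     # advance past the accepted value, so a replay fails
                    return build_response(ACCESS_ACCEPT, ident, req_auth, secret)
    return build_response(ACCESS_REJECT, ident, req_auth, secret)

def agent_check_response(resp, req_auth, expected_ident, secret=SHARED_SECRET):
    """Logon agent side: a reply only counts if its Response Authenticator matches our request."""
    code, ident, resp_auth, attrs = parse_packet(resp)
    expected = response_authenticator(code, ident, req_auth, attrs, secret)
    if ident != expected_ident or not hmac.compare_digest(resp_auth, expected):
        raise ValueError("RADIUS reply failed authentication check")
    return code == ACCESS_ACCEPT

def demo():
    """Valid OTP, replay of the same OTP, then an Access-Accept forged without the secret."""
    counters = {USER: 0}
    otp = hotp(OTP_SEED, 0)
    req, ra = build_access_request(1, USER, otp)
    accepted = agent_check_response(otp_server_handle(req, counters), ra, 1)
    req, ra = build_access_request(2, USER, otp)
    replayed = agent_check_response(otp_server_handle(req, counters), ra, 2)
    forged = build_response(ACCESS_ACCEPT, 2, ra, b"wrong-secret")
    try:
        forge_detected = not agent_check_response(forged, ra, 2)
    except ValueError:
        forge_detected = True
    return accepted, replayed, forge_detected
```

Two things to take from it. The User-Password hiding is an MD5 keystream keyed only by the shared secret, so the link between the workstation agent and the OTP server should still run over a protected network path. And the accept decision is only as trustworthy as that shared secret and the agent's Response Authenticator check: anyone who learns the secret can forge an Access-Accept, which in this architecture is all it takes to have the stored AD password released.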
Another key consideration is authentication to non-Windows platforms, Windows Terminal Services and VPNs. A few years ago most of this was a real challenge for smart cards, and OTP systems clearly had the lead. That is no longer true. There are PAM modules, reader drivers and smart card middleware that can use the same certificate and key that Windows logon uses, and these are available for Mac OS X and most Linux distributions. The same is true for Terminal Services: starting with Windows Server 2003, smart cards have been first class citizens there too, since RDP redirects the client's reader into the session, and in most cases the drivers are already present on the server platform so that no additional components need to be installed.
The situation with VPN access has evolved as well. In the past only full IPsec-based VPN solutions supported smart card login. These required full clients and, for the most part, were painful to configure, so those wanting to avoid a full client were driven to OTP as the only truly viable solution. Today most clientless (SSL) and client-based VPN solutions support smart cards for authentication. In a Windows Server 2008 R2 and Windows 7 DirectAccess environment an even stronger case for smart cards can be made. This technology from Microsoft establishes a transparent, secure connection from a remote client machine to the domain: the user does nothing more than log on to the machine as they normally would, and the machine builds its IPsec tunnels to the domain without further interaction. To ensure that the client, server and user are who they claim to be, the machines authenticate each other with computer certificates, and the user's own logon credential is carried in the second tunnel. The security of that connection can be strengthened by requiring the user credential to come from a smart card, so that the intranet tunnel cannot be opened with a password alone.
This post is starting to get long so I will save more details about the benefits of smart cards for the next installment. I will also discuss more about application authentication and some of the realities around Single-Sign-On (SSO).