Authentication dates back many centuries. Castle guards required spoken passwords to prove an identity. Mechanical devices and key-operated locks enabled “unattended” authentication. Through the years, many methods were created to allow entry into a secure environment. Yet, we still have problems managing the process.
Today, technological advances require modern-day unattended authentication – “unattended” in the sense that you cannot be present every time you want to authenticate a presence. It is not practical to physically sit at every user’s desk and verify users are, in fact, who they say they are. Instead, we must create a system for authentication.
In his book Authentication, Richard E. Smith explains that an authentication system must contain five elements:
- The person to be authenticated.
- A distinguishing characteristic that differentiates that person from another.
- A proprietor who owns the system and is trying to distinguish between authorized users and others.
- An authentication mechanism to verify the distinguishing characteristic.
- An access control mechanism that grants some privileges if authentication succeeds.
Defense vs. Attack
When discussing digital identity and authentication technologies, we are normally looking at the distinguishing characteristics and authentication mechanisms that arise from an age-old problem. An attacker wants to gain access to the proprietor’s system, and this sets up a cycle: the proprietor implements a “defense,” or an authentication mechanism, to verify distinguishing characteristics, while the attacker develops a way to circumvent the system. This is an “attack.”
Passwords as Authentication
Since most organizations are at the electronic password defense stage (see illustration), they only require some sort of password without any “real” requirement for what makes up that password. Unfortunately, this is not much of a defense these days. Think of it this way: a typical 200,000-entry dictionary attack takes just over three minutes, and an attack against a four-character password, trying every combination, takes about 10 minutes. As you can see, a simple electronic password is of little challenge to an attacker.
Nevertheless, there are many ways to provide a stronger defense against attacks. Some of these are quite technical, including digital IDs, passkeys, physical keys, smartcards, and biometrics. The question is: Should these technical defenses replace the requirement to maintain strong passwords?
A strong password:
- has eight or more characters;
- contains upper and lowercase letters;
- does not contain a dictionary word; and
- contains a special character (those “above the number” keys and punctuation).
There’s no doubt about it, passwords are the least expensive way to improve authentication, but they must be strong. For example, a password that contains two words separated by a special character would take years for a computer to guess every combination. If users are sloppy with their password selection, they may be sloppy with other technical defenses.
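The four rules above, and the search-space arithmetic behind the dictionary and four-character attack figures, can be made concrete. The following Go program is an added example (not code from the article or its author): it checks a candidate password against the four rules, computes how many candidates an exhaustive attack would have to try given the character classes the password uses, and converts that to years at an assumed guess rate. The five-entry word list and the sample passwords are constructed for illustration, and the guess rate passed to YearsToExhaust is an assumption, not a measured figure.

```go
package main

import (
	"fmt"
	"math/big"
	"strings"
	"unicode"
)

// A constructed, five-entry word list standing in for the 200,000-entry
// dictionary the article mentions; a real checker would load a full list.
var dictionary = []string{"password", "welcome", "letmein", "summer", "secret"}

// PolicyResult records which of the article's four strong-password rules a candidate meets.
type PolicyResult struct {
	LongEnough bool // eight or more characters
	MixedCase  bool // both upper- and lowercase letters
	NoDictWord bool // does not contain a dictionary word (case-insensitive)
	HasSpecial bool // at least one punctuation or symbol character
}

// Strong is true only when all four rules hold.
func (r PolicyResult) Strong() bool {
	return r.LongEnough && r.MixedCase && r.NoDictWord && r.HasSpecial
}

// CheckPolicy applies the four rules to pw.
func CheckPolicy(pw string) PolicyResult {
	var r PolicyResult
	var upper, lower bool
	for _, c := range pw {
		switch {
		case unicode.IsUpper(c):
			upper = true
		case unicode.IsLower(c):
			lower = true
		case unicode.IsPunct(c) || unicode.IsSymbol(c):
			r.HasSpecial = true
		}
	}
	r.LongEnough = len([]rune(pw)) >= 8
	r.MixedCase = upper && lower
	r.NoDictWord = true
	lowered := strings.ToLower(pw)
	for _, w := range dictionary {
		if strings.Contains(lowered, w) {
			r.NoDictWord = false
			break
		}
	}
	return r
}

// Keyspace returns how many candidates an exhaustive attack must try for a
// password of pw's length drawn from the character classes pw actually uses
// (26 lowercase, 26 uppercase, 10 digits, 33 printable ASCII specials).
func Keyspace(pw string) *big.Int {
	var lower, upper, digit, special bool
	for _, c := range pw {
		switch {
		case unicode.IsLower(c):
			lower = true
		case unicode.IsUpper(c):
			upper = true
		case unicode.IsDigit(c):
			digit = true
		default:
			special = true
		}
	}
	alphabet := int64(0)
	if lower {
		alphabet += 26
	}
	if upper {
		alphabet += 26
	}
	if digit {
		alphabet += 10
	}
	if special {
		alphabet += 33
	}
	length := int64(len([]rune(pw)))
	return new(big.Int).Exp(big.NewInt(alphabet), big.NewInt(length), nil)
}

// YearsToExhaust estimates how long an exhaustive search of space takes at an
// assumed guess rate; guessesPerSecond is an illustrative assumption.
func YearsToExhaust(space *big.Int, guessesPerSecond int64) float64 {
	secs := new(big.Float).Quo(new(big.Float).SetInt(space), big.NewFloat(float64(guessesPerSecond)))
	years, _ := new(big.Float).Quo(secs, big.NewFloat(365*24*3600)).Float64()
	return years
}

func main() {
	// Constructed sample candidates: a dictionary word, a short lowercase
	// string, two words joined by a special character, and a strong one.
	for _, pw := range []string{"password", "abcd", "Summer!Winter", "Rhubarb#Tango"} {
		r := CheckPolicy(pw)
		fmt.Printf("%-14s strong=%-5t %+v keyspace=%s years@1e6/s=%.2e\n",
			pw, r.Strong(), r, Keyspace(pw), YearsToExhaust(Keyspace(pw), 1_000_000))
	}
}
```

Note that the rule is applied literally: "Summer!Winter" fails because it contains a dictionary word even though its keyspace is large, which is the tension between the third rule and the two-words-plus-separator advice that a policy author has to resolve.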
Issues With Authentication
Authentication is like many other forms of information security. We need it, but we hate it. For example, we should use strong passwords, but they may be more difficult to remember. If they are difficult to remember, we may tend to write them down. If we write them down, we are likely to put them on sticky notes and post them somewhere convenient. If we stick them somewhere convenient, they are no longer “strong” passwords because someone can find them.
How about forcing password changes every 90 days? While that is a nice thing to do, it’s inconvenient, so we revert to writing the passwords down. As a result, authentication becomes a delicate balance between strong security and convenience.
If we look beyond passwords at other means of authentication, we may think there are more convenient authentication mechanisms. For instance, biometrics (fingerprints) are very convenient because we always have our fingers with us. We can’t forget them, lose them or leave them at home. As discussed earlier, when a defense is created, attackers develop ways to get around it; therefore, once an authentication method is determined, it must be constantly re-evaluated.
Another form of authentication that is becoming more accepted is digital IDs or digital certificates, electronic files that identify you or prove your identity to another person or computer. For example, when you perform online banking, the bank needs to confirm you are the person who has access to the account – very similar to showing your driver’s license to a bank teller. Digital IDs are also used when sending e-mails you want to “digitally” sign. A digital signature serves two purposes: it proves the e-mail is from you and also tells the recipient that the e-mail has not been tampered with after you sent it.
Digital IDs can be attached to most electronic files, such as e-mails, Microsoft Excel spreadsheets and Word documents, and Adobe PDFs. These files are normally given to clients through e-mails, diskettes, CDs and USB drives. If the client has the full version of the software, he/she can open the file and make changes. This includes changes to Adobe PDFs, which are often misconstrued as static files that cannot be changed. Users can actually open a PDF with the “full” version of Adobe Acrobat and directly edit the information. In this particular case, we are not concerned about authenticating the user (however, this may be an issue to be discussed in a future article); we are more concerned about maintaining the integrity of the files we produce.
For example, a CPA prepares a financial statement, sends it electronically to the client, and the client sends it electronically to the bank.
How does the bank know that the file came from the CPA? Through the use of a digital ID or digital signature. Prior to sending it to the client, the CPA would digitally “sign” the financial statement. When the bank receives it, they will check the digital ID to verify that the file came from the CPA and, more importantly, that the file has not been changed between the time the CPA originally sent it and the time the bank received it.
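The CPA-to-bank exchange above, as an added example that is not part of the article and does not reproduce any product's actual digital ID format: the CPA signs the statement's SHA-256 digest with an Ed25519 private key, and the bank verifies against the CPA's public key. The bank's trusted copy of that public key is assumed to have been obtained beforehand (in practice via a certificate issued to the CPA; certificate validation is not shown), which is why Verify refuses a document whose embedded key does not match the trusted one. The statement text and key pairs are constructed for the run.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedDocument bundles a file's bytes with the signer's public key and the
// signature, standing in for a digital ID attached to a PDF or e-mail.
type SignedDocument struct {
	Content   []byte
	SignerPub ed25519.PublicKey
	Signature []byte
}

// Sign is the CPA's step before sending: sign the SHA-256 digest of the file.
func Sign(priv ed25519.PrivateKey, content []byte) SignedDocument {
	digest := sha256.Sum256(content)
	return SignedDocument{
		Content:   append([]byte(nil), content...),
		SignerPub: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, digest[:]),
	}
}

// Verify is the bank's step on receipt. trustedPub is the CPA's public key the
// bank already holds (assumed distributed out of band); the key carried inside
// the document is accepted only if it matches, otherwise anyone could attach
// their own key and a signature that validates under it.
func Verify(trustedPub ed25519.PublicKey, doc SignedDocument) bool {
	if !trustedPub.Equal(doc.SignerPub) {
		return false
	}
	digest := sha256.Sum256(doc.Content)
	return ed25519.Verify(trustedPub, digest[:], doc.Signature)
}

// Tamper returns a copy of doc whose content was altered after signing, as if
// the statement had been edited somewhere between the CPA and the bank.
func Tamper(doc SignedDocument, replacement []byte) SignedDocument {
	doc.Content = append([]byte(nil), replacement...)
	return doc
}

func main() {
	// Constructed stand-in for the financial statement.
	statement := []byte("Acme Corp FY net income: 120,000")
	cpaPub, cpaPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	signed := Sign(cpaPriv, statement)
	fmt.Println("original verifies:     ", Verify(cpaPub, signed))
	altered := Tamper(signed, []byte("Acme Corp FY net income: 920,000"))
	fmt.Println("altered verifies:      ", Verify(cpaPub, altered))
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("other signer verifies: ", Verify(cpaPub, Sign(otherPriv, statement)))
}
```

The two failure cases are the two properties the article names: an altered file no longer matches the signed digest, and a file signed by someone other than the CPA fails even though its own signature is internally valid.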
The information superhighway is part of our daily lives and is only going to get larger and stronger in the future. As a consequence, clients, employees, suppliers, owners, bankers, and others demand access to data, and the requirement to authenticate users is becoming more critical. Each organization must approach its own situation as a unique opportunity to determine the appropriate authentication strategy.
About the Author: Bryan L. Smith, CPA.CITP, CISA, is co-founder of CPA Crossings, LLC in Rochester, Mich., a professional services firm deploying an innovative model to work with CPAs to bridge the gap between business and technology for the small- and mid-size business market. He was formerly with BDO Seidman, LLP, and is a member of AICPA’s CITP Credential Committee.