
Authentication and access

This tip describes levels of authentication and various access methods.

Authentication is becoming increasingly important as worms, viruses, spam, and information and identity theft continue to rise. We have all had an e-mail from someone we don't know expressing their displeasure that an e-mail containing a virus was sent to their system from us, while we know good and well that we never sent them an e-mail. That's spoofing at its finest! This simple little spoof causes hours of lost productivity as virus scans are done in an effort to assure ourselves that we did not send a virus. While authentication cannot completely stop that, we can make sure that our resources are protected through various authentication methods.

Two levels of authentication should be considered. The first is physical access. Some people neglect this simple step, but if you can't get to something, you can't hurt it. The other level is system-level access. In computer networks, authentication is a means to assure that someone is actually who they say they are. This is generally done through passwords. Typing in a password lets the system assume (key word here is assume) that an individual is who they say they are. The inherent problem with passwords is that they can be shared and quite often guessed. Some protocols transmit passwords in clear text, making them visible to anyone with a program that snoops packets. I've learned through years of working with end users that passwords are generally children's names, pets' names and spouses' names. If an enterprise requires changing passwords often, getting someone's password can be as easy as going to a person's desk and looking under "P" on their Rolodex, looking for a well-displayed piece of paper or reading the deskpad.

A lot is being written about biometrics. Biometrics is an authentication method that uses fingerprint, iris imprint, or face recognition technology. Short of something that you may see in the movies where fingers or eyes are stolen, or someone is forced to stand at the panel, this method is being deployed to track access in and out of data centers and other high security areas. This technology is a step ahead of access cards and other methods of identification, as there is no way to "share" your biometric data with someone else. In some instances, this method is used in addition to other methods. It has another benefit in that an end user cannot lose their biometric data; it stays with them at all times. Biometrics can be used both for physical access to areas of the building and for access to computers and equipment.

Access cards are another means of allowing entrance to various parts of buildings via a magnetically coded card that is read at the doorway by readers. These can be used to allow access and deny access to various parts of a building or all areas of a building. They work basically like an electronic key. Care must be taken when implementing either of the above so that provisions for ingress and egress are addressed in the event of a power failure. These cards can be a security risk if not properly programmed and also can be shared between users. Access cards are generally physical security methods to allow or deny access to physical spaces.

Another method is through the use of key fobs. These devices are carried on a keychain and provide passwords that are changed generally every five minutes. The server recognizes the passwords and allows access. The advantage of this method is that the security token is changed often. To use a key fob, the end user enters a PIN and the password is displayed. Access is granted when this password is typed in, once. If the PIN is not shared, access to systems is denied as no password can be learned by the unscrupulous. This also assures that the end user does not use passwords that are easy to guess or can be written down. As the passwords change frequently, it also provides protection against seeing and repeating someone's password.
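The server-side check described above can be sketched as follows; this is an added example, not code from the article or from any key fob vendor. It assumes the open HOTP/TOTP construction (RFC 4226/6238) with a 300-second interval in place of a vendor's proprietary algorithm, the names `fob_code` and `FobVerifier` are hypothetical, and the PIN step on the fob is not modelled.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 300  # the article's "generally every five minutes"
DIGITS = 6          # assumption: six-digit display


def fob_code(secret: bytes, unix_time: int) -> str:
    """Code shown by the fob for the interval containing unix_time."""
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.3)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class FobVerifier:
    """Server side: recognises the current code and accepts it only once."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self._secret = secret
        self._drift = drift_steps  # tolerated clock drift, in intervals
        self._last_counter = -1    # highest interval already consumed

    def verify(self, submitted: str, now: int) -> bool:
        current = now // STEP_SECONDS
        for counter in range(current - self._drift, current + self._drift + 1):
            if counter <= self._last_counter:
                continue  # already used (or before time zero): treat as replay
            expected = fob_code(self._secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self._last_counter = counter  # burn this interval and older ones
                return True
        return False


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # constructed sample (RFC 4226 test key)
    server = FobVerifier(demo_secret)
    shown = fob_code(demo_secret, 310)
    print("first use :", server.verify(shown, 310))  # accepted
    print("replay    :", server.verify(shown, 320))  # rejected: used once already
```

The drift window trades usability for exposure: each extra tolerated interval lengthens the time a shoulder-surfed code stays valid if its owner has not yet used it.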

Another tool for authentication is called a smart card. These cards contain a microchip that can be programmed to provide the same level of authentication as a key fob, but also have other features. For instance, there are smart cards available that will store your last screen and information so that when you access another terminal, you will still be in the same place. Colleges and universities are looking at this technology for meal payments, library check out services, dorm access and student account payments. The ability to program the smart chip on the card with additional information opens a wide range of ancillary services above and beyond authentication access. Smart cards are swiped into a reader and then a PIN is keyed in for access.

There is another new method being added to authentication through the use of CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart). They were developed to stop automated snooping and passing of data scraped off of a screen. A CAPTCHA is a word that is graphically displayed in a human-recognizable format, but not one that a computer can read. The word may be embedded in a graphic background or the letters may be distorted so that only a human can recognize it. This forces a human eye to provide access. This method will foil OCR, but also hinders access to those with visual impairments.

One STRICT word of caution about all of these methods: each one passes information between the user and the server or authenticator. There is still a human factor to each and every one. If a user leaves your employ, there must be a proper chain of information so that services can be discontinued immediately. The majority of attacks that occur within a company are from employees that have left or are about to leave. Companies are far more susceptible to internal theft and corruption of data than they are to attacks from outside sources. Some estimates state that 80% of all computer-related attacks are from within a company. Regardless of your method of access, make sure that your company has the notification methods in place and enforced to address these potential pitfalls.

Carrie Higbie, Global Network Applications Market Manager, The Siemon Company
Carrie has been involved in the computing and networking industries for nearly 20 years. She has worked with manufacturing firms, medical institutions, casinos, healthcare providers, cable and wireless providers and a wide variety of other industries in both networking design/implementation, project management and software development for privately held consulting firms and most recently Network and Software Solutions.

Carrie currently works with The Siemon Company where her responsibilities include providing liaison services to electronic manufacturers to assure that there is harmony between the active electronics and existing and future cabling infrastructures. She participates with the IEEE, TIA and various consortiums for standards acceptance and works to further educate the end user community on the importance of a quality infrastructure. Carrie currently holds an RCDD/LAN Specialist from BICSI, MCNE from Novell and several other certifications.

This was last published in March 2004
