While strong authentication seems failsafe, nearly all of these systems may be bypassed entirely or critically hindered by
using a computer's "safe mode."
If an attacker can gain access to the desktop and run a disk editor of any type, he can search for
user names and passwords that are commonly left by the authentication software in the paging or temp
files of Microsoft Windows. Once he has the user name and password, he can log in as the user with
whatever multifactor authentication system is deployed. Unfortunately, users often store their tokens
or other authentication devices with their computer, making it easy for an intruder to gain
access.
Additionally, the vendor-supplied software of a strong authentication solution must work seamlessly
with your network client software. This is easy using Microsoft, but it has the greatest page file
leaks. Novell, Sun Microsystems and others are not supported as well by security vendors, but tend to
be more secure because they use different network authentication mechanisms.
The time is now
Without a doubt, strong authentication can be expensive, depending on the chosen technology. But
losing 20% or more of your share value due to a loss of consumer confidence when an executive's laptop
is stolen and thousands of private data records are exposed is even more costly.
Authentication technology has improved greatly over the past two years and will continue to do so.
The associated software continues to be a source of failure, though it is also improving. The total
cost of ownership due to administrative costs is still too high, but is dropping.
The regulations are in place, and it is time to provide our businesses and clients with a stronger sense of
security via better authentication.
Two-factor authentication options
Tokens
Smart cards
Biometrics
Certificates
Safe mode: Danger zone
About the author
Tom Bowers is the Security Director of Net4NZIX, an independent think tank and industry analyst group,
as well as a technical editor for Information Security magazine. Bowers, who holds the CISSP,
PMP and Certified Ethical Hacker certifications, is a well known expert on the topics of data leakage
prevention, global enterprise information security architecture and ethical hacking. He is also the
president of the Philadelphia chapter of Infragard, the second largest chapter in the country with
more than 600 members.
This article originally appeared in Information Security magazine.
