[iwar] [fc:Now.is.the.time.for.two-factor.security.[?]]

From: Fred Cohen (fc@all.net)
Date: 2001-10-25 20:44:15


Message-Id: <200110260344.f9Q3iF428595@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Date: Thu, 25 Oct 2001 20:44:15 -0700 (PDT)
Reply-To: iwar@yahoogroups.com
Subject: [iwar] [fc:Now.is.the.time.for.two-factor.security.[?]]

Now is the time for two-factor security 
By David Berlind, ZD Net, 10/25/2001
http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2819968,00.html

Whether you're a consumer, or a manager who shares the responsibility
for protecting your company's digital assets and the privacy of your
customers, it's time to get ready for two-factor security. In fact, it's
time to start insisting on it. 

For decades, computer users have been practicing single-factor security
(also known as one-factor security). Single-factor security, most often
exemplified by user IDs and passwords, is based on a very simple
premise: what you know. Single-factor security is like no security at
all. If you think that user IDs and passwords can't be discovered by
someone determined to discover them, you're gravely mistaken.

In contrast, two-factor security isn't limited to what you know. It's
also "what you have." As we head into the 21st century, two-factor
security will become a way of life for all of us. In some ways, it
already has. It's just not very well implemented (except in the case of
ATM cards). 

For example, try getting on an airplane, buying alcohol, or opening a
bank account without presenting some form of identification issued by a
widely acknowledged "authority." The physical document you present is
the "what you have" part of two-factor security. Over the coming years,
a lot of attention will be paid to the "what you have" part's two
biggest challenges: its authenticity and verification of that
authenticity. 

Ask any security expert. A two-factor security system that depends on
easily forged documents such as driver's licenses, passports, or birth
certificates is a joke. Those same security experts will tell you that
the problem is compounded exponentially when human beings are
responsible for the verification process. After all, we're only human.
The system is only as good as its weakest link. As links go, there isn't
much out there that's weaker than paper credentials and people.

How many of you have gained entrance to a bar, or know someone who has,
with fake ID? A few years ago, I needed a replacement driver's license.
I watched in horror as the Department of Motor Vehicles printed the
license for me on regular paper--using the same model printer I had at
home. For kicks, I went home and reproduced the document with my word
processor and scanner. Then I changed the name, address, and photo.
Mickey Mouse had a driver's license. 

To strengthen the system, the authenticity of the "what you have" part
will need to be guaranteed, immune to forgery or tampering. Human
verification of those credentials will have to be eliminated.
Accomplishing these objectives will challenge the technology sector,
governments, businesses, and people--we will have to live with certain
inconveniences if we want certain protections. 

The technology sector in particular has its work cut out for it.
Tamper-proof and forgery-proof credentials and verification of these
credentials' authenticity (in the context of any transaction) are
solutions that only technology can provide. Technological solutions
involving authentic and theoretically tamper-proof digital credentials
exist today. But, for the most part, they're not 100 percent compatible
with each other. Because of the way most solutions use different
methods, technologies and form factors, it would be impossible to move
seamlessly from one two-factor-secured transaction to the next (for
example, from making a cell phone call to sending an e-mail to placing a
bid on eBay) without tremendous inconvenience. Heck, we can barely do it
today with single-factor security. Therein lies the technology sector's
biggest challenge: to minimize the inconvenience without compromising
the security. 

Microsoft and the Liberty Alliance are mounting separate efforts to
provide that seamless experience from one membership-based Web site to
the next. But what consumers do on the Internet hardly makes up the bulk
of the transactions that will need to be secured. The final solution,
whatever it is, will have to bridge our virtual and physical worlds. And
there isn't a solution that comes close to solving that problem today.

In the physical world and in the wake of the Sept. 11 tragedies, Sun CEO
Scott McNealy and Oracle CEO Larry Ellison have been advocating national
ID cards. I would argue that we have those already. They're called
passports. They're not mandatory, but even if they were, I'm not sure
what problem would be solved. In a recent story, McNealy was quoted as
saying "I have not spoken to one person who hasn't flipped a switch to
say, 'You're darn right, I want to know who's getting on a plane with
me.'"

While I'm not convinced that a national ID would protect us from harm,
in order for it to really work, the card would have to be a
tamper-proof, forgery-proof digital credential. That credential would be
required for all transactions, including credit card purchases, boarding
planes, and sending e-mail from a library workstation. (E-mail providers
could prompt users to insert their digital credentials into the computer
before granting account access.) 

Forgetting for a moment that someone (I'm not sure who) would have to
agree on a global standard for the data schema, the form factor of such
a digital credential is another big problem. To minimize inconvenience,
we will need something that is compatible with every transaction-enabled
terminal we might encounter. Today, digital credentials come in the form
of software and hardware. On the hardware side, the credentials can be
PC Card-based (such as ActivCard), USB-based (such as Rainbow's iKey
solution that fits on your key ring), credit card-based, compact
flash-based, or even biometric-based (requiring a fingerprint or retina
scan). 

Imagine opting for the iKey solution, only to find out that there's no
USB port in the public kiosk where you want to check your mail or in the
machine that takes your boarding pass as you get on the plane. Can we
really be expected to carry 19 versions of our digital credentials? And
if you're the kiosk vendor, or the airline, what form factor will you
support? Maybe the answer lies in an extremely secure version of
Bluetooth. 

If it sounds to you like standards will be a big part of the problem,
you're right. That's why emerging schemes that barely scratch the
surface of the bigger problem, like Passport and the Liberty Alliance,
need to put their differences aside now. Yes, now. 

Finally, even if standards pave the way for interconnected,
interoperable, and international digital security systems, democratic
governments will still have to wrestle with the civil libertarians who
oppose anything that smacks of Big Brother-like capability. Today, we
leave all sorts of breadcrumbs behind us as we go about our daily lives.
But, in such a tightly interconnected digital utopia, many of the legal
and technological barriers to following those breadcrumb trails would be
dramatically lowered because there would be only one trail. Personally,
I am willing to give up some of that anonymity if it means future
generations of my family don't have to live in fear. But then again, I
guess it depends on whom you fear. 

What do you think? Share your thoughts with your fellow readers at ZDNet
TechUpdate's Talkback, or write directly to david.berlind@cnet.com. 
Got a great tip? An industry rumor? Or do you want to submit your own
column to ZDNet TechUpdate? Send David your submission, and if we use
it, you'll be compensated with some of the cool vendor schwag that
arrives in our mailboxes on a daily basis.


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:57 PST