Tech Insight: A Practitioner's Guide To Authentication

How to craft a strong enough yet manageable authentication strategy
Throughout the enterprise we manage passwords, certificates, and two-factor tokens to authenticate users. Without some form of authentication, we wouldn’t be able to keep the bad guys out of our accounts or keep employees from snooping on each other. Overcomplicating authentication leads to more security issues, such as passwords written down and stored under a keyboard or on the back of access cards, and it requires more management and more steps for the user. Oversimplifying makes it too easy for the bad guy to get our uber secrets. We need a balance, integrating cloud and on-site solutions where possible, and we need to minimize the pain for both users and ourselves.

Over the years, we’ve preached the importance of long, complex passwords. Uppercase, lowercase, numbers, symbols -- and as long as possible -- has been the mantra. But users can’t remember these complex passwords. So they write them down or use the same password for online dating sites and work. Single sign-on and consolidating authentication points to a common directory, such as Active Directory, are the preferred methods to reduce password pain, but neither is always possible with off-the-shelf, legacy, and SaaS applications.

Luckily, tools have evolved to help us: PasswordSafe and 1Password are heavily used by IT and security teams, and are recommended to users for safe, secure storage of passwords. Allowing users to store passwords isn’t a problem: It’s the insecure Post-it note under the keyboard that’s the problem. Encourage your users to use secure storage for their passwords that allows for automatically inserting or copying passwords. 1Password will even clear the contents of the clipboard after a specified time to ensure the password doesn’t remain.

When authenticating to a single source is possible, most organizations will move to this model to reduce the number of accounts, passwords, and configurations required across the organization. Active Directory is a common authentication point for most organizations. With the ever-expanding use of SaaS applications, users have more applications at their fingertips at a faster pace than ever before. The downside is that IT has more applications to authenticate in a shorter time than ever before.

Some providers that are aware of the authentication problems offer connectors for Google Apps, AD, and even SAP, if your organization uses SAP as an enterprise directory for authentication. Vendors have responded with cloud authentication management solutions for the enterprise, such as Ping Identity, Symplified, and Okta. These solutions provide a gateway between your authentication directory, such as AD, and the SaaS application. Users log in with their AD credentials and, in turn, the authentication vendor authenticates the user to the SaaS application, without requiring the enterprise to configure each and every SaaS service to interact with the internal directory services. This saves a lot of time, allows for faster deployment of dispersed applications, and adds no further authentication management, passwords, or tokens for users.

The risk with consolidation is that if one set of credentials is compromised, then everything falls. So be sure to follow best practices, or tighten the credential requirements, since there is now less for the user to remember.
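To make the gateway pattern concrete, here is an added example (not code from the article or from any of the vendors named) of the broker model in miniature: the user's credentials are checked once against a stand-in for the directory, and the broker then mints a short-lived signed assertion for a single SaaS application, which only needs the broker's key, never the directory or the password. The directory contents, the per-application keys, and the token format are all constructed for illustration; real deployments use SAML or OpenID Connect over LDAP/Kerberos-backed directories. The same code also shows the consolidation risk: one password compromise yields an assertion for every connected application.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

# Constructed stand-in for the enterprise directory (e.g. AD): username -> salted PBKDF2 hash.
_SALT = b"constructed-salt"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


DIRECTORY = {
    "alice": _hash_password("!reallyh4t3statu5reportsbutthatshowIget$", _SALT),
}

# Hypothetical per-application keys shared between the broker and each SaaS app.
# Only the broker ever sees directory credentials; each app trusts the broker's key.
APP_KEYS = {
    "crm.example": os.urandom(32),
    "hr.example": os.urandom(32),
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def directory_authenticate(username: str, password: str) -> bool:
    """Directory side: constant-time comparison of the stored hash with the presented password."""
    stored = DIRECTORY.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _hash_password(password, _SALT))


def broker_issue_assertion(username, password, audience, now=None, ttl=300):
    """Broker: verify against the directory once, then mint an HMAC-signed assertion for one app."""
    if audience not in APP_KEYS or not directory_authenticate(username, password):
        return None
    now = time.time() if now is None else now
    claims = {"sub": username, "aud": audience, "iat": now, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(APP_KEYS[audience], body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def saas_verify_assertion(token, audience, now=None):
    """SaaS side: accept the subject only if the assertion is signed with this app's key,
    addressed to this app, and inside its validity window. Returns the username or None."""
    try:
        body_s, sig_s = token.split(".")
        body, sig = _unb64(body_s), _unb64(sig_s)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(APP_KEYS[audience], body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged, tampered, or signed for a different application
    claims = json.loads(body)
    now = time.time() if now is None else now
    if claims.get("aud") != audience or not (claims["iat"] <= now < claims["exp"]):
        return None
    return claims["sub"]


if __name__ == "__main__":
    tok = broker_issue_assertion("alice", "!reallyh4t3statu5reportsbutthatshowIget$", "crm.example")
    print("crm accepts:", saas_verify_assertion(tok, "crm.example"))
    print("hr accepts:", saas_verify_assertion(tok, "hr.example"))
```

Because the assertion is bound to one audience and expires, a token captured for one application cannot be replayed against another, but nothing here protects against the directory password itself being stolen; that is where the stronger credential requirements the article recommends come in.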

When reviewing requirements for passwords, tokens, certificates, or other authentication methods, keep in mind the impact to the user as well as the risk if the method were compromised. For years, we’ve preached long, complex passwords. While there is merit here, it has been proved that users can’t remember too many of these, so they repeat them, write them down, or don’t follow the policy unless the system automatically enforces the requirements, which not all software does.

To assist, provide users with helpful information on making strong passphrases. Instead of a password based on a single word or a random character set, recommend passphrases, which will naturally be longer and more complex. Mix in cases, numbers, and symbols, and you have a better solution than an uber-complex password that users cannot remember.

For instance, a password of “Kd4u7Q#4mAns!” is hard to remember; without something like 1Password, which will autogenerate, store, and insert it into Web applications, I’d never remember it. On the other hand, I can remember a passphrase of “!reallyh4t3statu5reportsbutthatshowIget$”. Which is stronger? Which is easier to remember? Obviously, the second password wins both contests.
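The following added example (mine, not the author's) puts numbers on the comparison above by checking both strings against a simple passphrase policy: length, character classes used, and an upper-bound brute-force cost in bits. The minimum length and class counts are assumed policy values, not figures from the article. The bit estimate assumes an attacker who must try every string over the character classes present; it overstates the strength of phrases built from dictionary words, so treat it as a ceiling, and rely on length as the main lever.

```python
import math
import string

# Character classes a policy typically counts (string.punctuation has 32 symbols).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(secret: str) -> set:
    """Names of the character classes that appear at least once in the secret."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in secret)}


def bruteforce_bits(secret: str) -> float:
    """Upper bound on guessing cost: log2(pool ** length) over the classes actually used.
    This is a ceiling; dictionary-based guessing of word-built phrases is cheaper."""
    pool = sum(len(CLASSES[name]) for name in classes_used(secret))
    return len(secret) * math.log2(pool) if pool else 0.0


def assess(secret: str, min_length: int = 16, min_classes: int = 3) -> dict:
    """Apply an assumed passphrase policy and report what, if anything, fails."""
    used = classes_used(secret)
    problems = []
    if len(secret) < min_length:
        problems.append(f"length {len(secret)} < {min_length}")
    if len(used) < min_classes:
        problems.append(f"only {len(used)} character class(es), need {min_classes}")
    return {
        "length": len(secret),
        "classes": sorted(used),
        "bits": round(bruteforce_bits(secret), 1),
        "ok": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    for candidate in ("Kd4u7Q#4mAns!", "!reallyh4t3statu5reportsbutthatshowIget$"):
        print(candidate, assess(candidate))
```

Under this policy the 13-character random password fails on length alone even though it uses all four classes, while the 40-character passphrase passes with roughly three times the brute-force ceiling.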

To really reduce the headache of remembering passwords, organizations use tokens -- hardware, software, smartcards, or even certificate tokens.

While certificates aren’t really considered tokens, I’m lumping them into this category as being something other than a string you type. Organizations face many options and issues when moving in this direction: Two-factor authentication is all the rage for VPNs, sensitive applications, and SaaS services. If your workforce is distributed around the globe, then it becomes difficult to support phone-based two-factor authentication, and expensive to mail hardware tokens. If users don’t have smartphones, or use an operating system that soft token vendors don’t support, then the soft token ROI weakens. Certificates -- while easy to deploy and maintain -- face threats from malware designed to steal the certificate, keylog the username and password, and log the application hostname or IP.

At the end of the day, it's really up to the organization to figure out what works best. Users want burden-free access, security teams want secure access, and we all want less work.

Layering the authentication types and structuring them based on risk can work well, but organizations should be cautious not to overcomplicate things in the name of security. One organization with users primarily located in the same country and near regional offices opted to use hardware tokens for remote access. But all of its internal applications are tied to SAP, which is less common than consolidating on AD, and its outsourced staff overseas authenticate via certificates for remote access. Those users have less access than hardware token users, and are routed through other security controls, such as access gateways. All of this increased the complexity of management, but it was a business decision based on the risk of different user types and access levels, plus the cost and management of hardware tokens globally.

Consolidating to a common authentication point will provide great value in account management and configuration. Layering two-factor authentication or using a certificate or access card with internal credentials will provide a higher level of security and risk management. It will also let you structure when a user must pass the full authentication gauntlet -- and when she can simply provide one level of authentication.
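As an added illustration of structuring the "authentication gauntlet" by risk (example code written for this page, not something the organization described above runs), the policy table below encodes the kind of decision just discussed: employees get password-only access to internal applications, hardware token plus password for remote access, and overseas contractors get certificate plus password for remote access but no path at all to the most sensitive applications. The populations, resource tiers, method strengths, and required levels are all assumed values for a hypothetical organization, to be replaced with your own risk model.

```python
# Assumed factor categories and relative strengths (tune to your own risk model).
METHOD_TYPE = {
    "password": "knowledge",
    "certificate": "possession",   # cheap and easy to deploy, but stealable by malware
    "access_card": "possession",
    "hardware_token": "possession",
}
METHOD_STRENGTH = {
    "password": 1,
    "certificate": 2,
    "access_card": 2,
    "hardware_token": 3,
}

# Constructed policy: (user population, resource tier) -> required assurance level.
# None means the population never gets that resource, whatever it presents.
POLICY = {
    ("employee", "internal_app"): 1,    # password alone is enough
    ("employee", "remote_access"): 4,   # hardware token + password (two-factor)
    ("employee", "sensitive_app"): 4,
    ("contractor", "internal_app"): 2,  # certificate alone, behind the access gateway
    ("contractor", "remote_access"): 3, # certificate + password
    ("contractor", "sensitive_app"): None,
}


def achieved_level(presented: set) -> int:
    """Strongest single method presented, plus one if a knowledge factor and a
    possession factor are both present (i.e. genuine two-factor authentication)."""
    known = {m for m in presented if m in METHOD_STRENGTH}
    if not known:
        return 0
    level = max(METHOD_STRENGTH[m] for m in known)
    if len({METHOD_TYPE[m] for m in known}) >= 2:
        level += 1
    return level


def decide(population: str, resource: str, presented: set) -> dict:
    """Allow, or ask for step-up, based on who the user is, what they want, and what they proved."""
    required = POLICY.get((population, resource), None)
    achieved = achieved_level(presented)
    if required is None:
        return {"allow": False, "achieved": achieved, "required": None,
                "reason": f"{population} is never granted {resource}"}
    if achieved >= required:
        return {"allow": True, "achieved": achieved, "required": required, "reason": "sufficient"}
    return {"allow": False, "achieved": achieved, "required": required,
            "reason": f"step-up needed: level {achieved} < {required}"}


if __name__ == "__main__":
    print(decide("employee", "internal_app", {"password"}))
    print(decide("employee", "remote_access", {"password"}))
    print(decide("contractor", "remote_access", {"password", "certificate"}))
    print(decide("contractor", "sensitive_app", {"password", "hardware_token"}))
```

Keeping the policy in one table makes the trade-off the article describes visible and reviewable: every extra row is extra management, so each one should correspond to a deliberate risk decision rather than an accumulation of exceptions.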
