Darn Passwords
I was struck the other day by the sheer number of passwords I have to maintain...over 200! Then my mind started wandering about how easy it would be for someone to guess my passwords. I use strong passwords (wicked strong) which would put the best brute force password cracker through a good workout, but eventually, with enough computing power, time, and a little luck, my passwords could be broken.
Help with Passwords
This in turn got me thinking about small business owners and what they do for security and passwords. As any security professional knows, getting users to remember randomly generated strong passwords is an exercise in itself and almost impossible. If your password requirements get overly complex, staff will write the password on a Post-It Note, and that note eventually gets thrown out in the trash for a hacker to find and use against your business. Sometimes strong passwords can work against you. So what can you do? Two factor authentication!
Two Factor Authentication
Two factor authentication can help reduce those password support calls and still maintain a level of security. With two factor authentication you can have a simpler password but still have better security than complex passwords alone. Two factor authentication is nothing new. In the past, the majority of security for users has involved a password of some kind. A password is something you know. Two factor authentication goes one step further in requiring something you have as well as something you know to complete the security circuit, and the place this happens is the logon to your computer. Think back to the old movies when the two military technicians needed two separate keys to launch the nuclear missiles at the enemy. Same idea with two factor authentication, except we use a password as one key and a device (usually a USB token that holds a certificate and its private key) as the other. The token counts as something you have because the private key stays on the token and is used there; it is not a file that can be copied off. With two factor authentication, holding only one component does not get you access. So even if somebody knew your password, the bad guy would still require the physical USB device to gain access to your system.
Many small shops shy away from two factor authentication, citing support and fiscal reasons. This is a shame, as many manufacturers make the transition to two factor authentication fairly painless. We recently had a chance to review the BestToken Pro, a two factor USB device, and were pleasantly surprised with the performance. Let me show you how easy it is to set up and how you could immediately start to secure all of your company's computers.
If you are looking for the best place to pilot two factor authentication in your business, I would suggest your laptops. Two factor authentication helps to protect your laptops in case they are lost or stolen, by defeating a password attack against the logon by the finder/thief. With a USB token like the BestToken, the finder of the laptop would require both the password and the USB token to log into the laptop. An important note: do not leave your USB token in your laptop bag, but keep it on your key chain or around your neck. Keep in mind that the smart card requirement is enforced by Windows at the logon screen; a thief who pulls the drive and reads it from another machine never sees that screen. When you marry two factor authentication with some flavour of data encryption (especially encryption that leverages the token as well), your data will be very secure and protected on that stolen laptop.
The device is made by BestBuy Deluxe and is reasonably cheap. It is a standard USB device form factor and is simple to add to a key chain or lanyard. What I like about the BestToken is that it has a Software Development Kit (SDK). Being a software developer, I want to be able to deeply integrate the products I use into my computer environment.
Installing the Certificate
Once you have the device, it isn't much use to you without a certificate. So where does one get the certificate? Some multifactor devices allow you to generate a certificate on the device itself; with the BestToken, you will need to produce or procure a .pfx file. You can install your own certificate authority with Windows Server 2003, or you could go to Thawte and sign up for a free personal certificate. Alternatively, you can always purchase one. Whatever the source, make sure the certificate is actually issued for smart card logon (Windows looks for the Smart Card Logon extended key usage), or the policy step below will leave you with a token that Windows will not accept. Once you have a certificate issued you need to get it securely onto the USB device. This is accomplished by using the Token Manager. From here you can import a certificate by clicking the Import button. Remember that a .pfx file contains the private key: protect it with a strong export password, and securely delete the file once the import succeeds, otherwise the "something you have" also exists as a copyable file on disk. Once you have done that, you can view the statistics of the certificate:
The last two steps involve changing the User PIN and configuring Windows to require a smart card. Click Change User PIN and enter a strong PIN of your choosing. This is like the PIN on your ATM card. If someone finds your BestToken device they will still require the PIN to access the device, and the PIN can only be tried against the token itself, not offline against a password hash.
Enable Sign In With SmartCard / USB Token
Now that you have a PIN and a device, we need to tell Windows to only allow smart card authentication for logging in. Before you flip this switch, confirm that logon with the token and PIN actually works (lock the workstation and unlock it with the token), because once the policy is enabled a password alone will not get you back in. Enabling it is accomplished by opening the Local Security Policy under Administrative Tools in the Control Panel and selecting Local Policies and then Security Options. Now scroll down on the right side and find Interactive logon: Require smart card and select Enabled:
Reboot the system and you will be prompted to insert the BestToken device and enter your PIN before you are allowed to logon.
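The same policy step, scripted so it can be pushed to a fleet of laptops, as an added example that is not part of the original post or of BestBuy Deluxe's software. It is PowerShell rather than the Local Security Policy GUI and adds the check a practitioner would want first: it refuses to enforce unless a certificate carrying the Smart Card Logon extended key usage is visible on the machine. It assumes the token middleware is installed and the token is inserted, so that Windows propagates the token's certificate into the user's personal store, and it additionally sets the smart card removal behavior to lock the workstation when the token is pulled. Run it from an elevated prompt.

```powershell
# Added example, not from the original post or the BestToken vendor.
# Enforces "Interactive logon: Require smart card" and "Smart card removal
# behavior: Lock Workstation" via the registry values those policies map to.
# Assumption: token middleware is installed and the token is inserted, so the
# token's certificate shows up under Cert:\CurrentUser\My with its private key.
# Run as Administrator. Without -Enforce the script only reports.
param(
    [switch]$Enforce
)

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Microsoft "Smart Card Logon" EKU OID
$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-SmartCardLogonCertificate {
    # Certificates in the user's store that carry the Smart Card Logon EKU and
    # whose private key is reachable (for a token, through its CSP/KSP).
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $SmartCardLogonEku })
        }
}

function Get-SmartCardPolicyState {
    # scforceoption: 1 = Require smart card enabled; 0 or missing = disabled.
    # ScRemoveOption: "0" no action, "1" lock workstation, "2" force logoff, "3" disconnect RDP.
    $force  = (Get-ItemProperty -Path $PolicyKey   -Name scforceoption  -ErrorAction SilentlyContinue).scforceoption
    $remove = (Get-ItemProperty -Path $WinlogonKey -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption
    $names  = @{ '1' = 'Lock'; '2' = 'Logoff'; '3' = 'Disconnect' }
    $behavior = if ($names.ContainsKey("$remove")) { $names["$remove"] } else { 'NoAction' }
    [pscustomobject]@{
        RequireSmartCard = ($force -eq 1)
        RemovalBehavior  = $behavior
        RemovalService   = (Get-Service -Name SCPolicySvc).Status
    }
}

$certs = @(Get-SmartCardLogonCertificate)
Write-Host "Smart card logon certificates visible: $($certs.Count)"
$certs | ForEach-Object { Write-Host "  $($_.Subject)  expires $($_.NotAfter.ToShortDateString())" }
Write-Host "Before:"
Get-SmartCardPolicyState | Format-List

if (-not $Enforce) {
    Write-Host "Dry run only; re-run with -Enforce to apply."
    return
}

if ($certs.Count -eq 0) {
    # Enforcing with no usable certificate locks every interactive user out after reboot.
    throw "No certificate with the Smart Card Logon EKU found; refusing to enforce."
}

# Interactive logon: Require smart card = Enabled
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey | Out-Null }
Set-ItemProperty -Path $PolicyKey -Name scforceoption -Type DWord -Value 1

# Interactive logon: Smart card removal behavior = Lock Workstation.
# Only takes effect while the Smart Card Removal Policy service is running.
Set-ItemProperty -Path $WinlogonKey -Name ScRemoveOption -Type String -Value '1'
Set-Service -Name SCPolicySvc -StartupType Automatic
Start-Service -Name SCPolicySvc

Write-Host "After:"
Get-SmartCardPolicyState | Format-List
Write-Host "Reboot; logon will now prompt for the token and PIN."
```

The dry run is the important part: run it without -Enforce on one machine, confirm a certificate with the right key usage is listed, then enforce. Locking on removal is what turns the "keep the token on your key chain" advice into something the machine enforces, since walking away with the token locks the session behind you.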
In Closing
Two factor authentication is a much safer bet than relying on passwords alone. The BestToken device offers a fast, simple and secure method to help your users become security aware and still protect their passwords.