Static, single-password (one-factor) authentication is susceptible to brute-force and guessing attacks: given enough attempts and time, the attacker eventually obtains unauthorized access. One factor does not provide adequate security because the static password does not change between logons, or is rarely changed, so every attempt and every captured copy keeps its value. The risk is greatly reduced by changing the password on every logon, which is what a one-time password (OTP) mechanism provides, normally deployed as one half of two-factor authentication.
Two-factor authentication solutions are primarily based on technologies that generate one-time passwords (OTP).
The OTP system is derived from S/KEY; it was renamed because S/KEY is a trademark of Bell Communications Research, Inc. (Bellcore), where S/KEY, the seminal OTP system, was developed.
The basic principle of an OTP solution is that it requires a new password every time a user authenticates. This effectively protects against replay attacks or any attack that attempts to use an intercepted password. The OTP system makes unauthorized access attempts more difficult.
There are three basic types of OTP technologies:
Mathematical algorithm: A one-way hash function is applied repeatedly to an initial secret (a pass phrase, usually combined with a short seed) to produce a chain of values. The passwords are used in the reverse order of generation: each password submitted is the hash preimage of the one before it, so the server can check it with a single hash operation, while an eavesdropper who captures a used password cannot derive the next one without inverting the hash.
Challenge/response: This type also uses a mathematical algorithm, but with a challenge function. At login the user receives a challenge (a random number, or nonce) that is keyed into the password-generating token or software, which computes the one-time password from the challenge and the token's secret. Because each password depends on a fresh challenge rather than on the previous password, there is no finite chain to exhaust and a captured response is useless against any other challenge.
Time-synchronized: The password is derived from the current time (typically a fixed-length time window) and a per-token secret. This is usually implemented in a physical hardware token whose clock is synchronized with the clock on the authentication server; the server normally tolerates a small amount of drift by also accepting the codes for adjacent time windows.
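The challenge/response and time-synchronized types above share one core computation: a keyed one-way function over a value that is never reused (a nonce or a time window). The following added example, written for this page and not taken from any vendor's product, shows both sides of each exchange. It uses the published HMAC-SHA1 truncation of RFC 4226 as the keyed function; the seed, time-step length, and one-window drift tolerance are assumed demonstration values, and this is not RSA SecurID's proprietary algorithm.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed per-token seed shared with the server (real tokens carry a
# factory-programmed secret; this value is only for the example).
SEED = b"12345678901234567890"
TIME_STEP = 30   # seconds per time window (assumed; real tokens use 30 or 60 s)
DIGITS = 6


def otp_from_counter(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated to
    `digits` decimal digits (the HOTP construction of RFC 4226). Both modes
    below reuse it: counter = challenge, or counter = time window."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


# --- Challenge/response: the server picks a fresh nonce per login -------------
def server_issue_challenge() -> int:
    return int.from_bytes(os.urandom(8), "big")


def token_answer(seed: bytes, challenge: int) -> str:
    """Token side: the user keys the challenge into the token and reads off the response."""
    return otp_from_counter(seed, challenge)


def server_verify_response(seed: bytes, challenge: int, response: str) -> bool:
    """A response is only good for the challenge it was computed from, so a
    captured response cannot be replayed against a later challenge."""
    return hmac.compare_digest(otp_from_counter(seed, challenge), response)


# --- Time-synchronized: the token's clock is the counter ---------------------
def token_time_code(seed: bytes, now: float) -> str:
    return otp_from_counter(seed, int(now) // TIME_STEP)


def server_verify_time_code(seed: bytes, code: str, now: float, skew: int = 1) -> bool:
    """Accept the current window and `skew` windows either side so that a
    token whose clock has drifted a little still works (assumed tolerance; a
    production server also records drift and rejects a code already used)."""
    window = int(now) // TIME_STEP
    candidates = [otp_from_counter(seed, window + d) for d in range(-skew, skew + 1)]
    return any(hmac.compare_digest(c, code) for c in candidates)


if __name__ == "__main__":
    chal = server_issue_challenge()
    resp = token_answer(SEED, chal)
    print("challenge", chal, "response", resp, "ok:", server_verify_response(SEED, chal, resp))
    now = time.time()
    code = token_time_code(SEED, now)
    print("time code", code, "server 20 s ahead accepts:", server_verify_time_code(SEED, code, now + 20))
    print("server 2 min ahead accepts:", server_verify_time_code(SEED, code, now + 120))
```

The drift window is the practical trade-off of the time-synchronized type: a wider window hides more clock error but leaves a captured code valid for longer, which is why real servers also remember the last accepted window and refuse anything at or before it.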
The OTP system is documented in IETF RFC 2289.
As mentioned earlier, S/KEY is the seminal OTP system, developed for authentication at Bellcore. With S/KEY the real secret, the user's pass phrase, is never transmitted across the network. Instead, the pass phrase is combined with a short seed string and run through a secure hash function (MD4 in the original S/KEY; MD5 and SHA-1 are also used by later implementations) a number of times given by a decrementing sequence number, yielding a single-use, one-time password. The server stores only the sequence number, the seed, and the last accepted one-time password; it verifies a newly submitted password by passing it once through the hash function and comparing the result with the stored value, after which the new password replaces the stored one and the sequence number is decremented.
Inverting the hash function to recover the next password from one that has already been used is extremely difficult. However, S/KEY is sensitive to man-in-the-middle attacks: an attacker who intercepts a one-time password in transit can use it before the legitimate user's session completes, and the protocol itself provides no protection of the channel. A secure transport layer protocol (SSL/TLS) can be used to counteract this.
S/KEY one-time password is documented in IETF RFC 1760.
One of the most common attacks on the network is a replay attack, in which an intruder sniffs and eavesdrops on network transmissions to obtain the usernames and passwords of legitimate connections. The illegitimately captured usernames and passwords can then be used at a later time to gain unauthorized network access.
The OTP solution can be used to counter this type of attack because OTP generates a new password for every new user request. The captured credentials are not valid for subsequent attempts. Note that OTP does not provide confidentiality or privacy of data. After network access is granted, information is readily available to the authenticated user (legitimate or illegitimate).
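The following added example, written for this page and not taken from RFC 1760 or any S/KEY implementation, walks through the S/KEY mechanism described above and shows why the captured password of a replay attack is worthless: a client computes password n from its pass phrase and seed, the server verifies it with one hash and moves down the chain, and a second submission of the same password is rejected. It follows the RFC 2289 MD5 construction (hash, then fold the 128-bit digest to 64 bits) but omits the six-word dictionary encoding of the result; the pass phrase, seed, and chain length are constructed demonstration values.

```python
import hashlib
import hmac


def fold64(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 8 bytes by XORing its two halves (RFC 2289 MD5 variant)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def skey_hash(x: bytes) -> bytes:
    """One step of the S/KEY chain: 64-bit value in, 64-bit value out."""
    return fold64(hashlib.md5(x).digest())


def skey_otp(passphrase: str, seed: str, n: int) -> bytes:
    """One-time password number n. Step 0 hashes the pass phrase concatenated
    with the (lower-cased) seed; each further step hashes the previous result.
    Going from password n to n+1 is one hash; going back is a preimage attack."""
    x = skey_hash(passphrase.encode() + seed.lower().encode())
    for _ in range(n):
        x = skey_hash(x)
    return x


class SkeyServer:
    """The server keeps the seed, the current sequence number and the last
    accepted password only. The pass phrase never reaches it."""

    def __init__(self, seed: str, seq: int, last: bytes):
        self.seed, self.seq, self.last = seed, seq, last

    def challenge(self):
        """What the server sends at login: the sequence number to use and the seed."""
        return self.seq - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        if self.seq <= 0:
            return False                          # chain exhausted: re-enrol
        if not hmac.compare_digest(skey_hash(otp), self.last):
            return False
        self.last, self.seq = otp, self.seq - 1   # this password is now spent
        return True


def enroll(passphrase: str, seed: str, count: int) -> SkeyServer:
    """Enrolment computes password `count` once; logins then walk the chain downwards."""
    return SkeyServer(seed, count, skey_otp(passphrase, seed, count))


def demo(count: int = 5):
    """Returns (first login ok, replay of the same OTP ok, next login ok)."""
    passphrase = "correct horse battery staple"   # constructed example secret
    seed = "ex42"                                 # constructed example seed
    server = enroll(passphrase, seed, count)

    n, s = server.challenge()                     # e.g. sequence 4, seed ex42
    otp = skey_otp(passphrase, s, n)              # computed on the client side
    first = server.verify(otp)
    replay = server.verify(otp)                   # what an eavesdropper can do with it
    n, s = server.challenge()
    second = server.verify(skey_otp(passphrase, s, n))
    return first, replay, second


if __name__ == "__main__":
    print(demo())          # (True, False, True)
```

Note what the server does not hold: it cannot compute the next password itself, because that would require inverting `skey_hash`, so a compromise of the server's password file yields nothing an attacker can log in with. The chain is finite, though; once the sequence number reaches zero the user must re-enrol with a new seed, which is the operational cost of this OTP type.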
Note
OTP does not provide nonrepudiation. A one-time password is a symmetric, shared-secret credential: it proves only that someone holding the secret authenticated at that moment, it is valid only for a certain period, and it binds no particular action or message to the user.
To provide a strong authentication mechanism, a two-factor authentication system requires two independent elements to establish the user's identity before appropriate network access is granted. The first piece consists of something you know, such as a password, and the second piece consists of something you have, such as a token or smart card. Some solutions also offer three-factor authentication, which requires an additional third piece that consists of something you are, that is, a biometric scan such as a fingerprint or an iris scan.
Authentication factors can be based on the following three most commonly recognized input attributes:
Something a user knows: A password, a personal identification number (PIN), or a pass phrase.
Something a user has: A smart card or token (hardware or software).
Something a user is: A biometric pattern such as a fingerprint, voice, retina or iris scan, or DNA sequence.
Combinations of any two of the three methods can provide a strong, secure authentication mechanism—hence the term two-factor authentication solution.
Smart cards and tokens are the most common forms of the "something a user has" factor in authentication systems.
Tokens come in hardware and software form. Software tokens are the weaker form of the "something a user has" factor, because the token's seed is stored on a PC, where malicious software or a break-in can copy it. Another common form is the USB token, which is not a card but a standard USB key. A USB token is easier to deploy and scales better because USB ports are present in practically all standard equipment in use today; it also has a larger storage capacity than a regular smart card and can hold a greater number of logon credentials, and it can include built-in OTP hardware. Vendors such as Booleansoft, RSA Security, VASCO, and Aladdin Knowledge Systems offer USB-based tokens as part of their two-factor authentication solutions. See Figure 10-1 for samples.
A smart card resembles a normal credit card, but it contains an embedded microprocessor and a memory chip or, in some cases, only a memory chip with nonprogrammable logic. Many vendors offer smart card technology, including RSA Security, Secure Technologies, VASCO, and ActivIdentity. Some, such as ActivIdentity, HID, and RSA Security, also offer smart cards that double as proximity cards for building access in addition to network authentication: the user presents the card to enter the building or to approach the device, then inserts it into the PC reader to access the network logon credentials, and the same card can serve as the employee ID badge. The downsides are that these combination cards are larger and that the card reader is an extra expense.
Figure 10-1 shows samples of various smart cards and tokens (regular and USB).
RSA SecurID is a two-factor authentication solution developed by the vendor RSA Security. RSA stands for the founders' last names: Ron Rivest, Adi Shamir, and Len Adleman, who are also the co-inventors of the RSA public key cryptography algorithm.
The RSA SecurID mechanism combines several components into a two-factor authentication platform. A token is assigned to each user, either a piece of hardware (a key fob, card, or USB token) or software (a "soft token" for a PC, PDA, or mobile phone). The token generates an authentication code (the "tokencode") from its built-in clock and a random key programmed into it at the factory (the "seed"), a copy of which is held by the authentication server, so it is an instance of the time-synchronized OTP technology discussed earlier. At login the user enters a PIN together with the current tokencode (the combination is called the passcode): the PIN supplies the "something you know" factor and the token the "something you have" factor.
Cisco Secure ACS server supports the RSA SecurID authentication solution.