Page 72 - DCAP516_COMPUTER_SECURITY
Computer Security
the user has or where the user is. Proving who the user is usually requires a biometric method,
such as a fingerprint, iris scan or voice verification, to prove biology.
The biometric is combined with a keyboard password or Personal Identification Number (PIN)
the user enters, to prove what the user knows, while a smart card or digital certificate satisfies
what the user has and a Global Positioning Satellite (GPS) receiver reports on where the user is.
Combining multiple user authentication methods creates almost foolproof user authentication
for the virtual world, just as multiple levels of identification provide security for the physical
world. For example, before entering the top secret area of a building, a visitor might be required
to show two sets of identification, recite two pieces of information known only to the visitor,
match a fingerprint, and finally punch in the combination for an electronic door lock. Once
inside, the visitor still must unlock and log onto the computer. Multi-factor user authentication
such as this has been employed for a long time in physical world security systems.
Despite the analogy with physical security, strong user authentication has not been commonly
recognized as a major information systems security goal for several reasons. First, user
authentication methods are costly to acquire. A smart card magnetic strip reader is also a friendly
affair. Retinal scanning equipment is far more expensive. Only voice verification currently has
mass market potential, since almost all PCs shipped today include multimedia capability. Each
of these methods has complex client software to configure and install.
Second, strong user authentication is an expensive and daunting management proposition. The
yearly cost of configuring, installing, inventorying and reissuing the hardware and software
involved in multiple user authentication methods typically exceeds the acquisition cost of the
authentication methods by five to seven times. Adopting strong user authentication also requires
management to ensure that the multiple authentication methods actually provide the desired
security synergies.
Authentication policies are needed to govern how the authentication methods interoperate.
These highly specialized written statements choreograph user authentication methods, such as
the methods to use for specific resources, the order in which to use them and the back-up
activities to undertake should the selected methods fail. Developing user authentication policies
usually requires the expertise of a highly skilled consultant to implement the system during a
long-term engagement.
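The policy described above (which methods a resource requires, the order in which they are tried, the back-up to use when a method fails, and the requirement that the methods actually cover distinct factors) can be written down as a small rule engine. The following is an added illustration, not code from the textbook; the method catalogue, the `Policy` fields and the `verifier` callback are assumptions made for the example.

```python
# Added example: a minimal multi-factor authentication policy engine.
# Factor categories follow the textbook's "knows / has / is / where" split.
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    KNOWS = "what the user knows"   # keyboard password, PIN
    HAS = "what the user has"       # smart card, digital certificate
    IS = "who the user is"          # fingerprint, iris scan, voice
    WHERE = "where the user is"     # GPS receiver report


# Hypothetical method catalogue: method name -> factor category it proves.
METHODS = {
    "password": Factor.KNOWS, "pin": Factor.KNOWS,
    "smart_card": Factor.HAS, "certificate": Factor.HAS,
    "fingerprint": Factor.IS, "voice": Factor.IS,
    "gps": Factor.WHERE,
}


@dataclass
class Policy:
    resource: str
    ordered_methods: list                           # methods to try, in order
    backups: dict = field(default_factory=dict)     # primary -> back-up method
    min_distinct_factors: int = 2                   # categories that must be proven


def authenticate(policy, verifier):
    """verifier(method) returns True (verified), False (rejected) or
    None (method unavailable, e.g. reader offline). Returns
    (granted, proven_factors, trail) so the decision can be audited."""
    proven, trail = set(), []
    for method in policy.ordered_methods:
        chosen, result = method, verifier(method)
        if result is None and method in policy.backups:     # back-up activity
            chosen = policy.backups[method]
            result = verifier(chosen)
        trail.append((chosen, result))
        if result is True:
            proven.add(METHODS[chosen])     # same category counts only once
        elif result is False:               # an explicit rejection denies the login
            return False, proven, trail
    return len(proven) >= policy.min_distinct_factors, proven, trail
```

Two methods from the same category (a password and a PIN) prove only one factor, which is the "security synergy" point the text makes about combining methods.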
Notes: Automated user authentication management systems are only now beginning to
appear to relieve the human-intensive effort traditionally associated with deploying and
operating strong authentication.
The management-intensive nature of user authentication contributes to another drawback –
limited scalability. With the exception of “what the user knows” keyboard passwords, there
have been very few implementations of stronger, more sophisticated authentication methods,
such as “what the user has” digital certificates or “who the user is” biometrics, for more than
5,000 users. This is primarily due to the management complexity and delay introduced by
increased network traffic and the additional processing required.
Finally, users often object to strong authentication because it places extra steps some consider
intrusive into user logins and Internet sessions. Once a user is authenticated, the user’s identity
is securely established. Studies show that users in the business-to-business community are more
receptive to strong user authentication, especially since it can be a condition of employment.
66 LOVELY PROFESSIONAL UNIVERSITY