While strong authentication seems failsafe, nearly all of these systems may be bypassed entirely or critically hindered by using a computer's "safe mode."
If an attacker can gain access to the desktop and run a disk editor of any type, he can search for user names and passwords that are commonly left by the authentication software in the paging or temp files of Microsoft Windows. Once he has the user name and password, he can log in as the user with whatever multifactor authentication system is deployed. Unfortunately, users often store their tokens or other authentication devices with their computer, making it easy for an intruder to gain access.
Additionally, the vendor-supplied software of a strong authentication solution must work seamlessly with your network client software. This is easy using Microsoft, but it has the greatest page file leaks. Novell, Sun Microsystems and others are not supported as well by security vendors, but tend to be more secure because they use different network authentication mechanisms.
The time is now
Without a doubt, strong authentication can be expensive, depending on the chosen technology. But losing 20% or more of your share value due to a loss of consumer confidence when an executive's laptop is stolen and thousands of private data records are exposed is even more costly.
Authentication technology has improved greatly over the past two years and will continue to do so. The associated software continues to be a source of failure, though it is also improving. The total cost of ownership due to administrative costs is still too high, but is dropping.
The regulations are in place, and it is time to provide our businesses and clients with a stronger sense of security via better authentication.
About the author
Tom Bowers is the Security Director of Net4NZIX, an independent think tank and industry analyst group, as well as a technical editor for Information Security magazine. Bowers, who holds the CISSP, PMP and Certified Ethical Hacker certifications, is a well known expert on the topics of data leakage prevention, global enterprise information security architecture and ethical hacking. He is also the president of the Philadelphia chapter of Infragard, the second largest chapter in the country with more than 600 members.
This article originally appeared in Information Security magazine.