Domain: activcard.com
Stories and comments across the archive that link to activcard.com.
Comments · 8
-
Smart cards
There are several providers of smart cards for use as a second authentication factor. The one I'm most familiar with is ActivCard. Their stuff is reasonably good, and if it helps in your corporate environment IBM Global Services has a team that does a lot of ActivCard integration, so you can get plenty of support from a reliable provider (for a price
:-) ).IMO, smart cards are a better solution than SecurID tokens. They're cheaper, allow your logical authentication token to be the same card you use as an ID badge (and perhaps for door access) and can do a lot more things. They can act as one-time password generators, just like a SecurID (but guarantee non-reusability of the passwords, unlike SecurID, as mentioned by another poster) but they can also:
- Store public/private key pairs and certificates for strong web authentication, e-mail signing and decryption, PKI-based login, etc. Most cards can even generate the key pair on-board so that the private key *never* leaves the card, for when non-repudiation is valuable (signatures, mostly).
- Store username/password pairs for situations where one-time password or PKI authentication isn't workable. Done properly, it can be arranged so that cardholders never need to know the passwords, which are large, randomly-generated and changed automatically and frequently. That makes password-based systems nearly as secure as one-time password or PKI, but doesn't require fixing all of the apps.
- Store biometric templates to allow a third authentication factor to be deployed without a central database of biometric data. Note that, IMO, biometrics are highly overrated as a security device for logical access control. Still some people want them, and smart cards can help make them more manageable.
- Provide other services, like electronic cash for the cafeteria, etc.
The major disadvantage of smart cards as compared to SecurID tokens is that smart cards have no display, so you need a smart card reader to use them. This means that, for example, you could use a SecurID to authenticate to a corporate web site from an Internet cafe, whereas you might not be able to attach a smart card reader to some random PC. As a partial solution, handheld, calculator-like smart card readers exist that can retrieve a one-time password from the card and display it on a screen. I say it's a partial solution because carrying two devices is less convenient than one SecurID. The cost of such a device, plus a card, plus a regular PC-attachable card reader all totals to something less than a SecurID token.
Disclaimer: I work for IBM Global Services, in the group that does smart card stuff, including ActivCard integration work, so I have some biases, but I also have a deep knowledge of the industry and, at present, I think the ActivCard product set is the best choice available, overall. Cryptocard has some good stuff as well, but it's not as complete or as mature, especially in the area of enterprise card management (issuance, re-issuance, revocation, etc. all needs to be integrated and automated, complete with automatic key escrow and recovery, etc.). Both ActivCard and Cryptocard support Linux and OS X, though ActivCard's support for Tiger isn't there yet, and Cryptocard's is, mostly. ActivCard also supports Solaris, including SunRay environments. IBM has some nice assets that we use to build customized solutions, but our stuff is focused more on multi-factor biometric authentication for physical security than logical security.
-
Re:A question worth asking
In case its still not clear to you, a common form of two-factor authentication is through the use of a small hand-carried device that uses a time-sensitive algorithm to generate a series of numbers. Time senesitive means that this number series changes over time.
In the industry, this is commonly called a "token" and there are multiple vendors that sell them
:RSA Security
ActivCard
Vasco
[etc.]Typically the "two-factorness" of the authentication is a description of the relative strength of the authentication process. The process itself is one which authenticates users based on several criteria
:
- Something you know [passwords]
- Something you have [tokens]
- Something you are [biometrics]
Is this a good thing? Most people say, guardedly, "yes". But only because its better than just merely using passwords.
/Kafka -
Re:What is this good for?I think these guys do that. They have a range of software. As a bonus they have a fingerprint scanner so you can be l337 too!
Here is a link to their Client Softwareinfo page.
I personally would like one of these Fingerprint Scanner + SmartCard reader My old scanner is getting a little old, and isnt USB.
hint hint
:) -
Re:What is this good for?I think these guys do that. They have a range of software. As a bonus they have a fingerprint scanner so you can be l337 too!
Here is a link to their Client Softwareinfo page.
I personally would like one of these Fingerprint Scanner + SmartCard reader My old scanner is getting a little old, and isnt USB.
hint hint
:) -
Re:What is this good for?I think these guys do that. They have a range of software. As a bonus they have a fingerprint scanner so you can be l337 too!
Here is a link to their Client Softwareinfo page.
I personally would like one of these Fingerprint Scanner + SmartCard reader My old scanner is getting a little old, and isnt USB.
hint hint
:) -
Biometrics are not the answer.
In terms of secure authentication biometrics are only usefull as an enhancement to other authentication means such as passwords and physical tokens (keys, smart cards etc). Retina and Iris scans are good, but not proven to be absolutely unique and equipment is not cheap. DNA could be absolute (hmm what about twins??) but is easily spoofed. Think of collecting a few hairs from someones head. Watch Gattaga. It might be a movie but it presents enough senerios to bypass most forms of biometrics.
Finger print scans on the other hand are a poor form of authentication. Finger print scans suffer from a very high false negative rate. Back when American Biometric existed and were making the BioMouse they were talking about a high secure mode of 1 in 10000 unique fingerprints, and a more resonable operating mode 1 in 5000 or lower. What that is saying is that given 5000 random finger prints (only 500 people!) one finger print will authenticate to the system as a false positive for a specific user. This is a result of a person's finger print scan changeing day to day due to the temperature, the humidity, the person's health, stress, heart beat, etc. If the system was absolutely secure the user would rarely be able to authenticate.
Biometrics are good for some forms of authentication. Biometrics are great for quick and easy authentication where other access control features will mitigate some of the risk, or where strong authentication is overkill. Think of a door lock to a house. A finger print scan would be a quick and easy way for the owner to unlock the door. A burglar isen't going to try to bypass the finger print scan, they will throw a rock though the back window. Similarly for a private office finger prints can be used as other access control features such as a guard at the front gate will mitigate the risk of a couple hundred people walking up to a finger print scanner and trying to get in. When combined with a unique token such as smart card an attack against the biometric authenticator is harder as the attacker needs to steal the token (which should be reported by the owner so that the token is disabled) or the attacker needs to spoof the token which should be more effort then the gain of bypassing the authenticator.
Banks would love to add iris and retina scans to their bank machines. However the cost of the machines is expensive. More importantly the general public is not cool with the idea of lights shinning in their eys to take pictures. This is over and above the privacy freaks who don't want to be tracked everywhere they go. Iris scans are the better of the two by far as they don't involve any bright lights and can authenticate people from a few metres (yards) away. However rris scanners are still a tough sell to the general public.
Regarless of the type of biometrics used it still needs to be combined with a password for truely secure authentication. By today's standards strong authentication combines both "something your have" and "something you know." Biometrics, secure tokens, swipe cards, and cryptographinc keys are all something you have. A password is something you know. If you want the most secure authentication it will involve a password.
The bottom line to all of thins is that biometrics aren't the most secure form of authentication. Biometrics are very convinient. A lot of people would prefer to use biometrics as passwords get written down and forgotten, and physical tokens get lost and stolen. -
ActivCard: Another solution
One other company providing this kind of solution is ActivCard.
They provide standard X9.9 tokens, authentication libraries (not open source, but you can integrate that into any server) and RADIUS server.
More important is that they also allow an easy migration between Token and smartcard, so that when your company wants to move to smartcards (for PKI for instance), you can migrate your population of token users. -
Strong authentication with Smartcard
For strong authentication, you can also at ActivCard (the company I am working for). They have one time password solution using hardware tokens or smartcards (X9.9 or synchronous password). Another feature with the smartcard is to store the certificate (and the private key) in the smartcard. It is then possible to do HTTPS with Netscape (through PKCS#11) or IE (through Microsoft CAPI). To use your certificate, you need to provide your PIN code and the smartcard. My $0.02