Replacing Passwords With Other Security Gadgets?
jfmiller asks: "I'm an intern at an anonymous government agency (not the TLA kind). I have been tasked with simplifying and increasing password security. At present each of our users must log into Novell (and winnt) then Lotus Notes, telnet into both a local and a statewide mainframe and then log into the individual subunits of each of those systems. In all they have to remember something like 7 passwords. What technology is available to simplify this situation? What experience have people had? I'm especially interested in Biometrics. Remember: the sky's the limit, after all, it's your tax dollars at work."
I mean, you're going to be accessing state-owned Mainframes.
What you need is a little password synchronization to simplify things.
First, install the Notes password synch services, which logs you in to Notes if your NT password matches the Notes password.
Next, use Samba to synchronize NT and Unix passwords. Set up Unix so that you're using NIS. Now we're up to 3 systems using the same password. Lotus Notes can be configured to use NT authentication, via IIS, but it's not easy. There's also several third-party products, but we frankly wrote our own.
As for "unified login" products, I've seen and used several, and they all sucked. Most of them just cache your password locally with encryption, then use the Windows APIs with calls to intercept logins, and present your credentials for you. There was no attempt to use the same credentials database on the back end. Think of it as a pluggable authentication module. Every one of your products should use the same authentication on the back end. Each time you eliminate one of those credential databases, you eliminate jobs, complexity, software, problems, password-resets, hardware, and you save money.
If you can ditch either NT or Novell (more likely Novell), then you can reduce the number of logins. Most folks I've seen using Novell are using NDS for just basic authentication, and adding only complexity (meaning, they don't get what NDS is for). That, or they're just doing print spooling, which Samba, NT, or a decent LAN card for a printer can all do.
Biometrics, dongles, java buttons, SecureID cards, and all that are interesting, but if you either forgot your little device, or the computer doesn't have a way to read that device, you can't log in. That's why the use of passwords and login names will be the norm for about 15 more years.
It appears your requirements are to simplify the login and security process. Regardless of the solution on the front end, you will need to develop a means of synchronizing passwords across the enterprise. This is a task in itself. I am certain someone here knows of a software package that does this.
Biometrics, while having some very cool technology, does have some drawbacks. Mainly, they depend on people to remain somewhat consistent across your workforce. While this would seem easy enough, consider that fingerprint scanners assume you have one. That eliminates most people missing hands, although they may be capable of doing the job.
Retinal scanners, and voice print have some issues with consistency (i.e. colds, hangovers, etc.) that can present an issue especially if you are not in a very high level security area. (You will become immediately unpopular the first time your boss cannot get her presentation, because of a head cold).
Now there are ways around all of these issues. However, if you have to handle the exceptions in the normal process of business, then what is the point?
You may want to try a key fob RSA SecurID. [I am sure there are other companies too] The fob changes its code every 30 seconds in synchronization with its host. A friend consults at a company that uses this to create a connection from anywhere. They have it set up to use a pin, key fob, IP combination to authenticate. If any one piece is changed, the access is rendered useless. After signing in, you are set to go. Now she did end up with two fobs but I believe that one is the "normal" environment, and the other authenticates the high security system when she needs access there.
Good luck, and I would be interested in hearing what you decide upon.
- There's so much I still don't understand...as it should be
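The PIN, key fob and IP combination described in this post, as an added Python example that is not from the original thread. It uses the public RFC 6238 TOTP algorithm as a stand-in for the fob's code generator (it is not SecurID's proprietary algorithm), and the `TokenHost` class, the one-step clock-drift window and the replay record are assumptions about how a host would check all three pieces.

```python
import hashlib
import hmac
import os
import struct
import time

STEP_SECONDS = 30   # as in the post: the fob's code changes every 30 seconds
DIGITS = 6
DRIFT_STEPS = 1     # accept a fob whose clock is one step ahead of or behind the host

def totp(seed: bytes, unix_time: int) -> str:
    """RFC 6238 code: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** DIGITS).zfill(DIGITS)

class TokenHost:
    # Hypothetical host side: per user, a salted PIN hash, the fob seed and the allowed IP.
    def __init__(self):
        self.users = {}        # user -> (salt, pin_hash, seed, allowed_ip)
        self.last_step = {}    # user -> last counter accepted, so a code cannot be replayed

    def enrol(self, user: str, pin: str, seed: bytes, allowed_ip: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, self._pin_hash(pin, salt), seed, allowed_ip)

    @staticmethod
    def _pin_hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def authenticate(self, user: str, pin: str, code: str, client_ip: str, now=None) -> bool:
        """All three pieces must match; changing any one of them fails the login."""
        now = int(time.time()) if now is None else now
        record = self.users.get(user)
        if record is None:
            return False
        salt, pin_hash, seed, allowed_ip = record
        if client_ip != allowed_ip:
            return False
        if not hmac.compare_digest(self._pin_hash(pin, salt), pin_hash):
            return False
        counter = now // STEP_SECONDS
        for step in range(counter - DRIFT_STEPS, counter + DRIFT_STEPS + 1):
            if hmac.compare_digest(totp(seed, step * STEP_SECONDS), code):
                if step <= self.last_step.get(user, -1):
                    return False   # this code (or an older one) was already used
                self.last_step[user] = step
                return True
        return False
```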
- Centralized Authentication.
- Single Sign-On.
- Password Replacement
There are various solutions that solve some or all of these problems. As it happens, I consult on these issues for a living. Do you need a cluster of 'authentication servers' so all the various systems can use a single authenticator?
Do you need users to authenticate once at the beginning of the session, and be able to access distributed resources without having to re-authenticate for each server/service?
Do you need to eliminate insecure reusable passwords and provide a multi-factor (something you know, something you have, something you are) authentication mechanism?
I do not deploy Linux. Ever.
You can readily integrate the Novell login into the NT login. I see it all the time at a local unnamed government entity who is one of my customers. In addition to all the other mentions regarding SAMBA, etc. to synchronize passwords with systems, I really like the hardware keys and biometrics.
;-)
I use fingerprint authentication on several systems here. I enjoy it. It works. To a point. Just don't wash your hands right before logging in. That causes enough tissue swelling that you can't get an accurate reading. I use a $100 scanner from Digital Persona that we routinely pick up at Fry's. These things are very flexible and cheap enough to be used on any USB system. They currently only have Windoze support for their drivers, but I haven't checked in a while. I like the hardware tokens like iButton which can store enough data to provide a login for each individual system. Some awfully large amount of storage for keys and completely waterproof, etc.
If you want to keep people from taking them home and losing them, have a security guard type checkout for these bad little boys. That depends upon your level of security, of course. If someone loses one, it can be disabled from the network immediately and a new one issued. Every time they lose one, dock their pay! I know their union would have a fit for that!
My name fits again.