Every week in our daily threat and intelligence briefings I read about government and business computer systems that are hacked. And many, many times the stated reason is that a user name and password was revealed, hacked or stolen and the cyber criminals were able to use it to log into the system. But I don’t think this is the real reason at all; the real reason is that we are not properly establishing the identity of whoever is trying to access the system.
I know how inconvenient computer security can be for everyone. I not only see it every day in my profession, I also suffer from it myself as an individual. And the last thing most of us want is to make the task even more inconvenient and frustrating. But the fact is that identifying one’s self to a computer system by simply inputting a user name and password is just not good enough. We must increase the reliability of identity verification systems if we are to have any real hope of preventing illicit access.
To establish the identity of any person there are only three factors that can be employed. You can identify a person by something that they know, by something that they have or by something that they are. Obviously, a user name and password is something that a person knows, and we waste all kinds of time and effort in the futile hope that we can keep this special knowledge secret. I say futile because, as we all know, secrets have a frustrating habit of not lasting very long.
Something we have can be a physical object such as an RSA token or smart card, or it can be a “soft token” such as a digital certificate. An example of using something you have and something you know in tandem is a debit card and PIN. Something we are can be a number of things: fingerprints, retinal patterns, DNA, body features, etc.
Every time you add another “factor” to your user identification scheme, you more than double the amount of real security you are adding to the access control system. That is why, despite the inconvenience, I am a big proponent of using all three types of identification factors at once, especially for privileged or high-risk access. As far as I’m concerned, it’s time to bite the bullet, live with the inconvenience and just get the job done!