At a Glance
 
Central Software
CityVoD - CSC Forum Archive
Software List on CSC Student LAN
Location and Floor Plan of the CSC Teaching Studio Areas
Opening Hours of the CSC
Systems Maintenance Schedule
List of Blocked Network Cards / IP Addresses
List of CSC Representatives
List of Departmental Network Administrators
Staff Computer Courses
Sitemap
 
CSC e-Forms
 
Submit CSC Work Req.
Req. for Printing
Req. for Dump / Restore
Teaching Studio Booking / Cancellation
Email Alias Application
Apply for a New Domain Name
Remove an Existing Domain Name
Modify the Hosting of an Existing Domain Name
 
Useful Links
 
OCIO Home
IT Information for Students
IT Information for Staff
IT Information for Alumni
 
Got any questions, comments or suggestions? Contact the editors at ccnetcom@cityu.edu.hk
Issue 45 - September 2005
Two-Factor Authentication Increases Your Online Security
By Raymond Poon

What is two-factor authentication?

It means users, in addition to their password, need one of the following to log in a system or to access a network service:

  • One form of tokens provided by the service provider (e.g., a key fob or a smart card)

  • The output of one form of biometric scans on finger or irises, or a biometric analysis on voice.

Why two-factor authentication?

To overcome the following vulnerabilities of using password as the only means for authentication:

  • Users tend to choose passwords that are easy to remember. As a result, these passwords are equally easy to be cracked by brutal force.

  • Users often fail to conceal or protect their passwords properly (e.g., writing their passwords on a piece of paper, sharing passwords among others, entering passwords to a non-secured compute which has keyboard logger software secretly running on it to capture the password, entering password to a computer while others nearby are able to see it, etc)

  • Users seldom or never change their passwords. This allows hackers ample chances and time to crack their passwords.

Does two-factor authentication really necessary?

Probably not unless:

  • It is a strategic move or the situation warrants.

  • Total cost of ownership of two-factor authentication (including all the existing and additional costs of software, hardware, and support) can be justified. After all, password support is still required and its support effort may not be reduced with the introduction of yet another factor of authentication.

  • The interpretabilities and the user acceptance of different or same tokens among different systems and services will not become a hassle to users (e.g., users need not carry too many tokens or manually input too many characters during authentication of a token).

  • Your systems or services cannot support or cannot be modified to support passphrases to log in. If they can, paraphrase should be considered first before other form(s) of authentication. However, the passphrases, like passwords, must also need to be changed regularly (Note: a passphrase is a phrase or a sentence with or without punctuations that are often up to 100 characters in length. The latest version of Windows supports a 127-character passphrase.)

Tokens and Biometric Systems, which one is better?

The biometric scans/analyzers, such as: scans of fingerprint or irises, analysis of voiceprint, etc, attempt to prove "something one is" while tokens, such as: key fob or smartcard, attempt to prove "something one has". The accuracy and the reliability of the formers are still unsatisfactory or even questionable when compared to the latter. It had been demonstrated in 2002 by Professor Tsutomu Matsumoto, a cryptographer in Japan, that fingerprint can be collected by immerging the finger into free-molding plastic to make a plastic mold. He then melted and poured gelatin (the substance which makes jellied soups and desserts) into the plastic mold and let it harden. The fingerprint imprinted on the solidified gelatin can fool the fingerprint detectors for about 80% of the time. Nor have the reliability of the other forms of biometric systems been shown to be comparable to or better than that of the fingerprint reader. In particular, biometric systems are not suitable for supporting persons with multiple roles requiring different security levels of authentications on the same system or for the same service. According to the CSI/FBI survey, the adoption rate of biometric systems is about 10% and has been flat for the last several years. Therefore most experts in general agree that some form of physical tokens will be much more widely deployed than the biometric systems in most organizations.

Common Forms of Tokens

Key fob; smartcard; random codes generated from an algorithm running on a computer, PDA, smartphone, etc.; and codes pre-printed on a card, etc.

How Do these Tokens Work?

There are codes (which can be in the form of ID, access code, electronic certificate, etc.) being either statically stored/printed on these tokens, or dynamically generated by using a mutually agreed algorithms running on a computer, PDA, smartphone, or the processor inside the token. Some of these codes are made time dependent (i.e., only valid at certain period or only at current login time) and/or can only be used once. These codes are either manually entered or read automatically from the tokens by the authentication software and then sent to the authorization server for validation. If the codes sent match with those stored on or those calculated by the authentication server, then the authentication is successful and the access granted.

Summary

Two-factor authentication should be considered for transactions that need high assurance of the authentication. However, we should access the cost and benefits and the impact to user convenience before implementing it.

References

  1. Identification Authentication
    http://infotech.aicpa.org/Resources/System+Security+and+Reliability
    /Security/Solutions/Identification+Authentication/

  2. Electronic Authentication Guideline
    http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63v6_3_3.pdf

  3. Expert advice: Does two-factor authentication protect you from hackers?
    http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci995757,00.html

  4. Computer Security Institute
    http://www.gocsi.com

Also in this issue...
Desktop Security Management
New Look of Mobile Computer Service
Computer Support Services in Lecture Theatres and Classrooms
Enhanced Junk Mail Filtering Service
Help Desk Report - a Useful Tool to Enhance Service Quality


 
Current & Back Issues
 
 
Search Articles
 
 
FAQs
 
Microsoft Windows10
Microsoft Windows 7
Office 365 ProPlus
Microsoft Office 2013
Microsoft Office 2010
中文支援常見問題
Internet Explorer 11
Internet Explorer 9
Email Services
Confidential Email
Wireless LAN
Virtual Desktop Service (VDS)
USB Flash Drive
Mirroring360
CityU SMS (for Department)
CityU SMS (for Staff & Student)
iPad (iOS 5.x)
Wiping a Mobile Device
Wiping Mass Storage Device
Handling Handheld Smart Devices for Service Maintenance, Recycling Use, and Disposal
Staff Account Renewal
Changing Local Administrator Password
McAfee Endpoint Security
Full Scan of Your Computer for Concealed Computer Virus
Anti-spyware
Computer Warranty Scheme Software Copyright Declaration and Compliance Observation
 
Technical Guides
 
AV Facilities User Guide
Connecting to Wireless LAN (WiFi)
VPN Connection Setup Guide BitLocker To Go User Guide
 
Copyright© Computing Services Centre, City University of Hong Kong. Best viewed in 1024x768 with IE. Javascript enabled. Last modified on Friday December 28 2018 .