Michael R. Farnum

Hitting the Security Nerve

Some more multi-factor authentication debate

There has been some recent debate over the effectiveness of two-factor authentication. Specifically, when used in authenticating to banking sites, it has been shown to be vulnerable to a man-in-the-middle attack. I weighed in on my personal blog about multi-factor authentication coupled with single sign on and got smacked around a little by Chris Hoff (though I agree with him that it was simply a discussion). There was a little back and forth between us, and Mike Rothman got involved as well (links here, here, and here).

I mention all of this because I was asked by a friend who works for an ID management company to write something up for a healthcare client who was thinking of an SSO solution, but they wanted to use only RFID cards without a PIN or password: basically single-factor authentication (something you have), but even less secure than a username and password. Their argument was that HIPAA only required that each user have a unique username and password (this argument goes back to my assertion that compliance with government regulation often hurts security). Below is what I wrote for them. Take into consideration that this was written for a layperson, is not very technical in nature, and does not cover all the arguments, since they wanted it short. I just thought I would share it.

The typical method for logging into a network is a username and password. This is considered a single-factor authentication method because both a username and a password are "something you know". It is becoming a weaker and weaker form of authentication because hackers can guess and "crack" passwords using sophisticated tools. Because of this, many companies are moving to multi-factor authentication, which is defined as combining two or more authentication techniques to form a stronger and more reliable level of authentication (something you know: a password; something you have: an RFID card; something you are: a fingerprint).

Having said the above, the proposed solution of using only a badge with no PIN or password is even LESS secure than a username and password. Although both are single-factor methods, it is much simpler for a malicious person (anyone from a hacker to a disgruntled employee) to steal your badge than to guess or crack your password. And in the case of an "insider" (someone working in your organization) who does not have the technical expertise of a hacker, it is infinitely easier for them to steal your badge and authenticate to the network as you. The network would have no way of knowing that the person logged in is not you, so whatever that person does on the network (read patient records, delete files, send "flame" emails, etc.) would appear to come from you.

In regard to the HIPAA security rule, it has been stated that §164.312(2)(i) only requires that each individual be given a unique username and password. This is not entirely true. §164.312(c)(2) states that the covered entity should "implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed". Single-factor authentication, even a username and password combination, is considered by many security professionals to be inadequate for verifying the identity of an individual. As to legal precedent, the Federal Financial Institutions Examination Council ("FFIEC") has recently concluded "single-factor authentication, as the only control mechanism, to be inadequate in the case of high-risk transactions". Though this does not apply specifically to HIPAA, it does give a strong indication as to where all federal regulations are headed.

Simply said, requiring an easily remembered PIN in addition to the RFID card adds virtually no complication or time to the login process, yet the security benefit is very high. It protects your patient data (your most valuable asset) and secures your network, and it would be a favorable layer of security in case of a HIPAA audit.

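As an added illustration (not part of the original post, and not any vendor's code), here is a small Python model of the two policies the note above contrasts: a badge-only login and a badge-plus-PIN login. It goes slightly beyond the text by also showing the caveat a practitioner would raise when the second factor is a short PIN: the service stores only a salted PBKDF2 hash of the PIN and locks a badge after a few wrong PINs, since a four-digit PIN has only 10,000 possible values. Every name here (the AuthService class, badge id BADGE-0001, the PINs) is constructed for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Hypothetical badge (something you have) + PIN (something you know) login
# service. Constructed for illustration; not any vendor's product code.
PBKDF2_ITERATIONS = 100_000   # slows offline guessing if the PIN store leaks
MAX_FAILED_ATTEMPTS = 5       # a 4-digit PIN has only 10,000 values, so
LOCKOUT_SECONDS = 15 * 60     # online guessing must be throttled per badge


@dataclass
class Enrollment:
    user: str
    pin_salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, iterated hash so the PIN itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AuthService:
    def __init__(self, require_pin: bool, clock: Callable[[], float] = time.monotonic):
        self.require_pin = require_pin   # False models the badge-only proposal
        self.clock = clock               # injectable so lockout can be tested
        self._by_badge: Dict[str, Enrollment] = {}

    def enroll(self, badge_id: str, user: str, pin: str) -> None:
        salt = os.urandom(16)
        self._by_badge[badge_id] = Enrollment(user, salt, hash_pin(pin, salt))

    def authenticate(self, badge_id: str, pin: Optional[str] = None) -> Tuple[bool, str]:
        """Returns (success, reason). Reasons stay generic to avoid leaking detail."""
        rec = self._by_badge.get(badge_id)
        if rec is None:
            return False, "unknown badge"
        if not self.require_pin:
            # Badge only: whoever holds the card is logged in as its owner.
            return True, f"logged in as {rec.user} (badge only)"
        now = self.clock()
        if now < rec.locked_until:
            return False, "badge locked"
        if pin is None:
            return False, "PIN required"
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(hash_pin(pin, rec.pin_salt), rec.pin_hash):
            rec.failed_attempts = 0
            return True, f"logged in as {rec.user} (badge + PIN)"
        rec.failed_attempts += 1
        if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
            rec.failed_attempts = 0
            rec.locked_until = now + LOCKOUT_SECONDS
            return False, "badge locked"
        return False, "bad PIN"


def stolen_badge_scenario() -> Dict[str, bool]:
    """Same stolen badge against both policies; returns whether the holder got in."""
    badge_only = AuthService(require_pin=False)
    badge_only.enroll("BADGE-0001", "alice", "4821")       # constructed sample data
    badge_plus_pin = AuthService(require_pin=True)
    badge_plus_pin.enroll("BADGE-0001", "alice", "4821")
    return {
        "badge_only": badge_only.authenticate("BADGE-0001")[0],
        "badge_plus_pin_no_pin": badge_plus_pin.authenticate("BADGE-0001")[0],
        "badge_plus_pin_wrong_pin": badge_plus_pin.authenticate("BADGE-0001", "0000")[0],
        "badge_plus_pin_right_pin": badge_plus_pin.authenticate("BADGE-0001", "4821")[0],
    }


if __name__ == "__main__":
    for case, got_in in stolen_badge_scenario().items():
        print(f"{case}: {'LOGGED IN' if got_in else 'rejected'}")
```

The badge-only service accepts the card with no further check, which is exactly the "whoever holds the badge is you" problem described above. The lockout is the part the memo does not spell out: without it, the PIN factor can be defeated by simply trying every value, so the PIN's value depends on the throttle as much as on the PIN itself.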
BTW, the company my friend works for is Encentuate. From what I have seen, they have a great solution. You really need to check 'em out.

What People Are Saying

I believe that the whole ID and authentication, for the most part, is hype. Today's Trojans (SSL issue with banks) can attack after authentication and triple-factor authentication isn't going to work.

As for RFID tags, again those can be duplicated, erased, detached or copied if not outright stolen (one of our companies focuses on validation of RFID tags). However, we are looking at HP's new tacky chip (we believe it shows great promise when combined with our technology).

What is needed is "smart" content that works with multiple trust levels, that self-authenticates not only the content but the user as well. This is done using a modified token inside the content. It also creates an audit trail within token receipts for archiving.

Content-centric security allows content to be securely transferred globally and outside the enterprise, without centralized authority. No, there is no standard but this approach solves most, if not all, of today's issues concerning authentication.

The whole concept of content-centric security is new and it works with, or without, PKI or DAs. We are using a smart card that works with the content token and can dynamically change user trust levels. The card uses segmented script encoders based on the user's biometrics and profile. This approach does away with smart card encryption keys and is user friendly with much greater security.

This is a major improvement for the business process and administration of security as well. It greatly improves the ease of compliance for HIPAA, GLB, and Sarbanes-Oxley.