InformationWeek Stories by Matt Sarrel (http://www.informationweek.com)
Copyright 2012, UBM LLC.

2012-02-28T15:00:00Z
Authentication Via Mobile Phone Enhances Login Security
Usernames and passwords are inadequate for strong authentication. Mobile devices are increasingly popular as a second factor.
http://www.informationweek.com/byte/news/232601447?cid=RSSfeed_IWK_Authors

Authentication is a basic element of software and service deployment that is commonly taken for granted. Sure, we log in to various sites and applications 20 times a day, but how many of us truly contemplate the importance of secure authentication?

Security admins, that's who. That's because they know that strong identification and authentication form a solid layer within a larger defense-in-depth strategy. Most of us are familiar with single-factor authentication--user name and password--and the use of additional authentication factors is becoming more widespread.

Providing a user name as identification and a password as authentication assumes that knowledge of the password proves the user is who he says he is. Typically, a user registers, or is registered by someone else, and uses an assigned or self-created password. On each successive use, the user must know and supply the previously stored password. The weakness in this system is that passwords can be stolen, revealed, forgotten, or guessed.

To address this weakness, many Internet-facing systems require a second authentication factor, such as a token, digital certificate, or other out-of-band method, in addition to the password. Authentication factors are usually grouped into "something you know" (typically a password), "something you have" (for instance, a token), and "something you are" (typically a biometric). Combining factors makes breaking into an account more difficult than relying on any single factor, unless users subvert these measures--for example, by writing their passwords on the back of a token.

An interesting development is SMS-based authentication codes. SMS can be used to send a one-time passcode to a phone. The advantages of this authentication factor are that the phone is something the user already has and that the passcode travels out of band. Because the user already has a phone, the website doesn't have to purchase tokens and ship them to each new user, and the phone by definition serves as "something you have." This matters because the high cost of provisioning, replacing, revoking, and managing physical tokens has been a barrier to widespread implementation.

A pioneer in this field is PhoneFactor (http://www.phonefactor.com/). The PhoneFactor system allows users to choose the authentication method they prefer, such as phone call, text message, or smartphone app, all with the same level of out-of-band security and convenience. Additional security features, such as a PIN, voice recognition, and transaction verification, can be enabled for particular users or groups. For example, PhoneFactor sends an automated phone call to the user's trusted device, and the user answers and presses '#' or a button to authenticate. The image below shows such a prompt.

Another solution is Trustwave's MyIdentity (https://www.trustwave.com/myidentity). Similar to PhoneFactor, a user logs in with their existing user name and password, and the system provides a number of additional authentication options. MyIdentity can be configured to use digital certificates, SMS-based authenticator codes, voice callback, or a smartphone app to supply an additional authentication method.
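The products above all deliver a one-time passcode over a channel the password never touches. The server-side half of that scheme is short enough to show in full; the following is an added example written for this article, not code from PhoneFactor, Trustwave, or InformationWeek. It assumes a constructed SMS gateway that records messages instead of sending them, and a constructed server key; user names, phone numbers, and the time-to-live and attempt limits are illustrative values. It demonstrates the properties that make a code genuinely "one-time": only a keyed hash of the code is stored, the code expires, a bounded number of wrong guesses burns it, the comparison is constant-time, and a correct code is accepted exactly once.

```python
"""Server-side half of an SMS one-time-passcode second factor.

Added example, not from the article or from any vendor named in it. The
'SMS gateway' is a constructed stand-in that records the message instead
of sending it; a real deployment would call the carrier or provider API.
"""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # passcode is valid for five minutes (illustrative)
MAX_ATTEMPTS = 3         # then the passcode is burned and must be reissued


class SmsGateway:
    """Constructed stand-in: records outbound messages instead of sending them."""
    def __init__(self):
        self.sent = []  # list of (phone_number, text)

    def send(self, phone_number, text):
        self.sent.append((phone_number, text))


class OtpStore:
    """Issues and verifies one-time passcodes keyed by user name.

    Only a keyed hash of the code is kept, so a leaked store does not reveal a
    usable passcode. Each issued code carries an expiry and a remaining-attempt
    counter, and is deleted on first successful use.
    """
    def __init__(self, gateway, server_key, clock=time.time):
        self.gateway = gateway
        self.server_key = server_key   # secret pepper for hashing stored codes
        self.clock = clock             # injectable so expiry can be tested
        self.pending = {}              # user -> (digest, expires_at, attempts_left)

    def _digest(self, user, code):
        # Bind the digest to the user so a code issued for one account cannot
        # be replayed against another if rows in the store are swapped.
        msg = f"{user}:{code}".encode()
        return hmac.new(self.server_key, msg, hashlib.sha256).hexdigest()

    def issue(self, user, phone_number):
        """Generate a fresh code, store its digest, and send the code out of band."""
        # secrets.randbelow is CSPRNG-backed; zero-pad to a fixed width.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[user] = (self._digest(user, code),
                              self.clock() + CODE_TTL_SECONDS,
                              MAX_ATTEMPTS)
        self.gateway.send(phone_number, f"Your login code is {code}")
        return code  # returned only so the demo can feed it back; a server would not

    def verify(self, user, submitted):
        """Return True exactly once, for the correct and unexpired code."""
        entry = self.pending.get(user)
        if entry is None:
            return False                      # nothing issued, or already used
        digest, expires_at, attempts_left = entry
        if self.clock() > expires_at:
            del self.pending[user]            # expired: force a reissue
            return False
        # compare_digest is constant-time, so timing does not leak how many
        # characters of the submitted code matched.
        if hmac.compare_digest(digest, self._digest(user, str(submitted))):
            del self.pending[user]            # one-time: burn on success
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self.pending[user]            # too many guesses: burn it
        else:
            self.pending[user] = (digest, expires_at, attempts_left)
        return False


def demo():
    """Walk through issue/verify with a controllable clock; returns observed outcomes."""
    now = [1_000_000.0]
    gw = SmsGateway()
    store = OtpStore(gw, server_key=b"constructed-demo-key", clock=lambda: now[0])

    def wrong(code):                          # a guess guaranteed not to match
        return "000000" if code != "000000" else "111111"

    code = store.issue("alice", "+15555550100")
    results = {
        "wrong_code_rejected": store.verify("alice", wrong(code)),
        "right_code_accepted": store.verify("alice", code),
        "replay_rejected": store.verify("alice", code),
    }
    # Expiry: reissue, move the clock past the TTL, and the right code fails.
    code2 = store.issue("alice", "+15555550100")
    now[0] += CODE_TTL_SECONDS + 1
    results["expired_rejected"] = not store.verify("alice", code2)
    # Lockout: MAX_ATTEMPTS wrong guesses burn the code before it expires.
    code3 = store.issue("alice", "+15555550100")
    for _ in range(MAX_ATTEMPTS):
        store.verify("alice", wrong(code3))
    results["burned_after_attempts"] = not store.verify("alice", code3)
    results["messages_sent"] = len(gw.sent)
    return results


if __name__ == "__main__":
    print(demo())
```

The lockout and expiry paths are the parts that distinguish a second factor from a second password: a six-digit code has only a million values, so without an attempt limit and a short lifetime it could be guessed online. Rate limiting the `issue` call per user and per phone number is also needed in practice so the SMS channel cannot be used to flood a victim's phone.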
Trustwave MyIdentity offers a free trial.

Security professionals generally agree that a username/password combination is not serious security. Additional factors are a huge improvement, and mobile devices--even simple feature phones--can be the universal device that makes authentication stronger.

[Image: PhoneFactor authentication prompt on a phone (http://twimgs.com/informationweek/byte/news/2012-February/phonefactor.png)]

2012-02-01T11:52:00Z
"Liars and Outliers" by Bruce Schneier
Society runs on trust and would collapse without it. The interconnectedness of the modern world creates new and dangerous risks to trust.
http://www.informationweek.com/byte/news/232600022?cid=RSSfeed_IWK_Authors

Bruce Schneier's (http://www.schneier.com/) recent book Liars and Outliers (http://www.schneier.com/book-lo.html) is a philosophical exploration of the role of trust in society, and is likely to appeal more to policy makers and academics than to information security practitioners. He describes how theories regarding trust (and perhaps trust itself) have evolved over time and sets this within the context of today's globally interconnected society.

Schneier has done a very careful literature review, citing theories and experiments across multiple disciplines such as sociology, anthropology, and psychology. The computer scientist will find that the book does a very good job of discussing abstract concepts, while the computer professional will find that it lacks the concreteness needed to be useful in their daily work.

Schneier puts forth the idea that society runs on trust and that failures in trust now have global consequences. Parasites and fraudsters could ruin everything for honest people. The interests of society may come into conflict with those of certain individuals within it. Society builds laws as controls to keep people from "ruining it for everyone."
The book is more about how society establishes and maintains that trust--specifically, it explains how society enforces, evokes, elicits, compels, and encourages "...trustworthiness, or at least compliance, through systems of what I call societal pressures, similar to sociology's social controls: coercive mechanisms that induce people to cooperate, act in the group interest, and follow group norms." It's all about the societal pressures that keep the masses in line by inducing cooperation.

[Image: flow chart from page 12 of the book, breaking the entire book down into a single diagram (http://twimgs.com/informationweek/byte/reviews/schneier-200.png; full size: http://twimgs.com/informationweek/byte/reviews/schneier-big.png)]

The book is divided into four parts.

In Part I, Schneier explores the background sciences that shed light on trust: experimental psychology, evolutionary psychology, sociology, economics, behavioral economics, evolutionary biology, neuroscience, game theory, systems dynamics, anthropology, archeology, history, political science, law, philosophy, theology, cognitive science, and computer security. He provides a "cursory overview" that demonstrates where the "broad arcs of research" are pointing. He concludes Part I with some generalized societal dilemmas that "illustrate how society ensures that its members forsake their own interests when they run counter to society's interest."

Part II is where Schneier shares his full model of societal trust with the reader. There are four basic categories of societal pressure that can induce cooperation in societal dilemmas:

- Moral pressure. A lot of societal pressure comes from inside our own heads. Most of us don't steal, and it's not because there are armed guards and alarms protecting piles of stuff. We don't steal because we believe it's wrong, or we'll feel guilty if we do, or we want to follow the rules.
- Reputational pressure. A wholly different, and much stronger, type of pressure comes from how others respond to our actions. Reputational pressure can be very powerful; both individuals and organizations feel a lot of pressure to follow the group norms because they don't want a bad reputation.
- Institutional pressure. Institutions have rules and laws. These are norms that are codified, and whose enactment and enforcement is generally delegated. Institutional pressure induces people to behave according to the group norm by imposing sanctions on those who don't, and occasionally by rewarding those who do.
- Security systems. Security systems are another form of societal pressure. This includes any security mechanism designed to induce cooperation, prevent defection, induce trust, and compel compliance. It includes things that work to prevent defectors, such as door locks and tall fences; things that interdict defectors, such as alarm systems and guards; things that only work after the fact, such as forensic and audit systems; and mitigation systems that help the victim recover faster and care less that the defection occurred.

Part III then applies the model to "the more complex dilemmas that arise in the real world" and explains how the above four forces are used to balance individual and group desires and actions. Part IV discusses the different ways societal pressures fail. Special attention is given to how living in an information society changes societal pressures.

Theoreticians, public policy students, and public policy professionals will find plenty in Liars and Outliers to stimulate thought regarding the abstract concept of trust. However, to loosely paraphrase Einstein, I am a security practitioner, not a philosopher; I am much more interested in learning how to secure something than in learning how to conceptualize trust. For my purposes, Liars and Outliers was an informative diversion and didn't provide very much, if any, practical security information or techniques.