Advanced authentication can’t cure all security ills

Many companies I work with are interested in beefing up end-user authentication. Usually, this means they’re considering going beyond the standard Windows name-and-password logon to bring in smartcards, physical tokens, or biometric identifiers. And as you’ve probably seen in Windows 8 TV commercials by now, Windows 8 adds Picture Passwords to the mix.

But you can’t improve authentication if you don’t really understand how Windows logon and authentication works under the hood. I find that most people — even many security admins — have only a vague idea. The key to getting a clue is to realize the differences among the main components in the authentication cycle.

[ Learn how to greatly reduce the threat of malicious attacks with InfoWorld’s Insider Threat Deep Dive PDF special report. | Stay up to date on the latest security developments with InfoWorld’s Security Central newsletter. ]

Authentication 101

Let’s start from square one: Digital authentication happens when someone using a particular identity proves that identity to the system to which access is desired. The identity can be represented by a user name, a digital certificate, or another unique item within the authentication namespace. Unlike a password, an identity isn’t meant to be secret.

The person possessing the identity must prove sole ownership of the identity by presenting info only he or she possesses, known as an authenticator. This can be a password, a private cryptographic key, a biometric trait, and so on. Successfully submitting the correct secret and having it verified by an access control system is the actual process of authentication. Once a person’s identity has been authenticated, the computer system or network then trusts the identity, and the identity is not subsequently used for access control or auditing.

People sometimes mix up the identity with the authenticator. For example, a biometric fingerprint is an authenticator, not an identity. Usually, when someone logs on using a fingerprint and proves ownership of the identity, the fingerprint won’t be flying around the network to control access; that role is typically handled by an authentication protocol. In Microsoft Windows, if you successfully logon to the computer using a password, smartcard, or biometric device, Windows then reverts to its authentication protocols (such as LAN Manager, NTLMx, or Kerberos) to do the heavy lifting.

Adding advanced authentication Only when you understand the basics of authentication do you realize what “advanced” logon methods — such as smartcards, biometrics, and other two-factor mechanisms — can and can’t give you.

Basically, these advanced methods prevent a bad actor from easily logging in or authenticating as a specific identity. It’s harder for the malicious person to be identified as someone he or she is not. Advanced authentication mechanisms are great for meeting these types of challenges and defeating hackers, simply because it takes more effort for a hacker to defeat a biometric or two-factor authentication method than just stealing or hacking a password.

But advanced authentication won’t prevent all hacking. For instance, I’ve encountered customers who mistakenly believe that smartcards will prevent hackers from penetrating their network. If the attacker can get onto a computer as local administrator (or root) using some other method, they can steal the ultimate authenticator and begin to impersonate the true owner. On Windows, an elevated hacker can steal a smartcard user’s password hash and use NTLM or Kerberos to authenticate as that smartcard user to other computers.

The original Windows computer that was hacked was responsible for authenticating the smartcard user and requiring a valid smartcard logon. But once a smartcard user has been authenticated, his or her identity has been accepted, and the traditional authentication protocols kick in. The user’s identity is represented by password hashes or Kerberos tokens. Smartcard users may have their identities “stolen” and used on a network, even if the hacker doesn’t have their smartcards or PINs. Neither smartcards nor two-factor mechanisms nor biometrics can prevent stolen authentication credential assaults such as pass-the-hash attacks.

I help clients install advanced authentication techniques all the time, but I make sure not to oversell the protection they provide. They beat passwords in most use cases, but they’re no panacea and won’t solve every hacker-related problem.

This story, “Advanced authentication can’t cure all security ills,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.