5.4 Describe security password policies elements, such as management, complexity, and password alternatives (multifactor authentication, certificates, and biometrics)

How can we keep unauthorized users out?

One strategy is to use strong passwords.  This is known as password complexity.

  • A password policy may require a user to have capital letters, numbers, special symbols and/or lowercase letters in their password
  • A user cannot repeat a character
  • A user cannot use a dictionary word or their name in the password
  • The password must have a minimum length
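The complexity rules listed above as a checker, added here as an example that is not part of the original guide; the word list is a constructed stand-in for a real dictionary, and "cannot repeat a character" is read as the same character twice in a row (an assumption).

```python
import re

# Constructed stand-in for a real dictionary file (assumption: a deployment would load
# a full word list and also check the user's full name and username).
DICTIONARY = {"password", "welcome", "summer", "letmein", "qwerty"}

def check_password_policy(password: str, user_name: str, min_length: int = 12,
                          dictionary: set = DICTIONARY) -> list:
    """Return the list of policy violations; an empty list means the password passes.
    Rules: each character class present, no character repeated consecutively,
    no dictionary word or user name inside the password, minimum length."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = {
        "uppercase letter": r"[A-Z]",
        "lowercase letter": r"[a-z]",
        "digit": r"[0-9]",
        "special symbol": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append(f"missing {name}")
    if re.search(r"(.)\1", password):          # same character twice in a row
        problems.append("contains a repeated character")
    lowered = password.lower()
    if user_name and user_name.lower() in lowered:
        problems.append("contains the user's name")
    for word in dictionary:                    # substring match, case-insensitive
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    return problems
```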

Passwords that are easy to guess represent security risks because they can be broken by brute force.

We can manage user passwords centrally through an Active Directory or RADIUS server.  A good password policy

  • Requires users to choose complex passwords
  • Requires users to change their passwords often (at least every three months)
  • Locks a user account if the password is entered incorrectly several times in a short period
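The last two items in code, as an added example that is not from the original guide: a sliding-window lockout after repeated failures plus a 90-day password-age check; the threshold of five failures, the 15-minute window and the 30-minute lockout are assumed values, and timestamps are passed in as Unix seconds so the logic runs without a clock.

```python
from collections import defaultdict, deque

MAX_PASSWORD_AGE = 90 * 86400     # seconds; "at least every three months"
LOCKOUT_THRESHOLD = 5             # failures in the window before locking (assumption)
LOCKOUT_WINDOW = 15 * 60          # the "short period" in seconds (assumption)
LOCKOUT_DURATION = 30 * 60        # how long the account stays locked (assumption)

class AccountPolicy:
    """Sliding-window lockout plus password-age check. Times are Unix timestamps
    supplied by the caller so the behaviour can be tested deterministically."""
    def __init__(self):
        self.failures = defaultdict(deque)   # account -> recent failure timestamps
        self.locked_until = {}               # account -> timestamp

    def is_locked(self, account, now):
        return now < self.locked_until.get(account, 0)

    def record_failure(self, account, now):
        """Record a failed attempt; return True if the account is now locked."""
        window = self.failures[account]
        window.append(now)
        while window and now - window[0] > LOCKOUT_WINDOW:   # drop stale failures
            window.popleft()
        if len(window) >= LOCKOUT_THRESHOLD:
            self.locked_until[account] = now + LOCKOUT_DURATION
            window.clear()
            return True
        return False

    def attempt_login(self, account, password_ok, now, password_changed_at):
        """Return 'locked', 'denied', 'change-password' or 'allowed'."""
        if self.is_locked(account, now):
            return "locked"                  # even a correct password is refused
        if not password_ok:
            return "locked" if self.record_failure(account, now) else "denied"
        self.failures[account].clear()       # success resets the failure window
        if now - password_changed_at > MAX_PASSWORD_AGE:
            return "change-password"
        return "allowed"
```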

But even complex passwords can be guessed or seen by unauthorized users.  As phishing and social engineering attacks grow more sophisticated, it is more likely that a user will be tricked into giving up their credentials without realizing it.  How can we keep our network safe if the hackers can trick our users into handing over their passwords?  There are three ways

  • Multifactor authentication
  • Certificates
  • Biometrics

Multifactor authentication means having to provide more than just your username and password.  The principles of multifactor authentication (formerly called two-factor authentication) are important.  The three main factors are Something You Are, Something You Have, and Something You Know.  Basic authentication methods combine Something You Have (a username/access card) with either Something You Know (a password) or Something You Are (biometric).

  • Something You Are – something you are refers to a biometric identity such as facial recognition, fingerprints, voice recognition, or a retinal scan.  Select the best type of biometric for your environment.  A construction site or hospital may have employees with gloves or
  • Something You Have – something you have refers to a smartcard, identification card, or username; it could also refer to a randomly generated password (such as an RSA SecurID or authenticator app)
  • Something You Know – something you know refers to a password or PIN
  • Somewhere You Are – somewhere you are refers to your physical location.  In the case of connecting to the internet, somewhere you are is your IP address.  If a hacker compromises a username/password and logs in through a computer or network location that is not recognized, then the login may be denied.  Websites have sophisticated ways of detecting users – IP address, web browser version, computer version, date/time of the login, and other user behaviors.  If the username/password is correct but the other factors aren’t, it could be that the account was compromised, or it could be that the user is travelling or bought a new computer.  The site can ask the user for additional verification (such as through an automated phone call)
  • Something You Do – something you do is an observation of the user’s actions or behaviors.  In Windows a user can choose a picture password; on an Android phone the user can draw a pattern.

Instead of entering a username and password, a user can present a certificate to the authentication server.  A certificate is a digital file that confirms the identity of a user or device.  A certificate must be signed by a certification authority.  IEEE 802.1X is a standard for Network Access Control.  It allows a device to authenticate when connecting to a LAN or WAN.

There are three devices in the protocol

  • The supplicant is the device that chooses to connect to the LAN/WAN.  It could be a laptop, desktop, smartphone, tablet, or other computing device
  • The authenticator is a network device that allows/denies access.  It could be a switch, a router, a firewall, or a proxy server.
  • The authentication server is a server that decides whether a device should be granted access

The procedure works as follows

  • The supplicant connects to the network
  • The authenticator (switch) detects the new supplicant and automatically sets the port to an unauthenticated status.  Only traffic related to 802.1X is permitted.
  • The authenticator sends frames to the supplicant.  These frames demand that the supplicant provide credentials such as a user ID.  The frames are sent on the local network segment to a specific address (01:80:C2:00:00:03).  The supplicant listens for messages on this address.
  • The supplicant replies to the message with an EAP-Response Identity frame
  • The authenticator sends the supplicant’s response to an authentication server
  • The authentication server and the supplicant negotiate an authentication method.  The server and the supplicant may support different methods and must agree on one that both understand.  The negotiation methods are transported through the authenticator.
  • The authentication server attempts to authenticate the supplicant.  If successful, the authenticator changes the port status to authorized.  If unsuccessful, the authenticator keeps the port status as unauthorized.

When the supplicant logs off or is disconnected, the authenticator changes the port status back to unauthorized.  When the supplicant logs off, it sends an EAPOL-Logoff message to the authenticator.
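The exchange above in code, as an added example that is not part of this guide: it builds and parses the two supplicant frames described (EAP-Response/Identity and EAPOL-Logoff, sent to 01:80:C2:00:00:03) and models the authenticator port rule that only 802.1X traffic passes while the port is unauthorized. Field layouts follow IEEE 802.1X and EAP (EtherType 0x888E; EAPOL type 0 = EAP-Packet, 2 = Logoff; EAP code 2 = Response, type 1 = Identity); the AuthenticatorPort class and its return strings are my own simplification.

```python
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group MAC from the text
ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_LOGOFF = 0, 2             # EAPOL packet types
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1            # EAP code and type values

def build_eap_response_identity(src_mac: bytes, eap_id: int, identity: str) -> bytes:
    """Ethernet -> EAPOL(EAP-Packet) -> EAP-Response/Identity carrying the user ID."""
    ident = identity.encode()
    eap = struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(ident), EAP_TYPE_IDENTITY) + ident
    eapol = struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(eap)) + eap   # EAPOL version 2
    return PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol

def build_eapol_logoff(src_mac: bytes) -> bytes:
    """EAPOL-Logoff has an empty body; the authenticator de-authorizes the port."""
    return PAE_GROUP_ADDR + src_mac + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, EAPOL_LOGOFF, 0)

def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet and EAPOL headers; non-EAPOL frames are reported as such."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"eapol": ethertype == ETHERTYPE_EAPOL, "src": frame[6:12]}
    if not info["eapol"]:
        return info
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    info["type"] = ptype
    if ptype == EAPOL_EAP_PACKET:
        code, eap_id, eap_len, eap_type = struct.unpack("!BBHB", body[:5])
        info.update(code=code, id=eap_id, eap_type=eap_type, data=body[5:eap_len])
    return info

class AuthenticatorPort:
    """Switch-port view of 802.1X: while unauthorized, only EAPOL frames are accepted."""
    def __init__(self):
        self.authorized = False
    def handle_frame(self, frame: bytes) -> str:
        info = parse_frame(frame)
        if not info["eapol"]:                        # ordinary traffic (IP, ARP, ...)
            return "forward" if self.authorized else "drop"
        if info["type"] == EAPOL_LOGOFF:             # supplicant logged off
            self.authorized = False
            return "logoff"
        if info.get("code") == EAP_RESPONSE and info.get("eap_type") == EAP_TYPE_IDENTITY:
            return "relay-to-auth-server:" + info["data"].decode()
        return "relay-to-auth-server"                # other EAP messages pass through
    def set_result(self, success: bool) -> None:
        self.authorized = success                    # verdict from the authentication server
```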

Biometrics are used in combination with other devices to provide an additional layer of authentication.  These include

  • Facial recognition
  • Fingerprint reader
  • Voice recognition
  • Palm reader
  • Retinal scan

A biometric reader takes a photograph or scan of a human body part and then converts it into a mathematical model.  For example, a fingerprint reader identifies the ridges and valleys of a fingerprint and compares their relative sizes and positions.  Many different algorithms exist, and each vendor’s model is different.

Not every scan is perfect.  Most biometric systems have a nonzero false positive rate because the matching algorithm is approximate.  The false positive rate for a fingerprint sensor is approximately 1 in 50,000.

A biometric reader does not (and cannot) create a pixel-by-pixel comparison of a person.  Imagine taking a photograph of your face 100 times.  Each photo will be slightly different.  The lighting, the reflection, the angle of your head, and the position of your hair will be slightly different each time.
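An added example, not part of this guide, of where the false positives and false negatives in the text come from: a matcher produces a similarity score and a decision threshold turns it into accept/reject, so raising the threshold lowers the false accept rate but raises the false reject rate. The score lists are constructed and the matcher itself is assumed.

```python
# Constructed similarity scores (0..1) from a hypothetical matcher. "Genuine" scores come
# from comparing a user against their own enrolled template, "impostor" scores from
# comparing against other people's templates. Real evaluations use thousands of each.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.85, 0.93, 0.72, 0.90, 0.87, 0.96]
IMPOSTOR = [0.21, 0.35, 0.48, 0.30, 0.62, 0.27, 0.75, 0.40, 0.33, 0.55]

def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false accept rate, false reject rate) at a decision threshold:
    an impostor scoring >= threshold is a false positive, a genuine user scoring
    below it is a false negative."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def equal_error_threshold(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold at which FAR and FRR are closest (the equal error rate point),
    found by trying every observed score as a candidate threshold."""
    candidates = sorted(set(genuine + impostor))
    def gap(t):
        far, frr = rates(t, genuine, impostor)
        return abs(far - frr)
    return min(candidates, key=gap)
```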

What are some pros and cons of the different biometric devices?

  • Fingerprints
    • A fingerprint scanner maps a person’s fingerprint and converts it into a mathematical signature.  This signature is stored.
    • It later compares new scans to the original mathematical signature.
    • Advanced fingerprint scanners can verify that a real finger has been scanned (as opposed to a mold of a finger)
    • Fingerprint scanners are cheaper than other biometric sensors
  • Retinal Scan
    • A retinal scan uses a laser to examine the blood vessels in the back of the eye
    • Retinal scans are unpopular because they require a user to have a laser shined into his eye; the user must also put his eye up against the sensor
  • Iris
    • An iris scan photographs the front of the eye from a distance
    • Iris scanners are more popular than retinal scanners
  • Voice Recognition
    • Voice recognition is hard to implement
    • Voice recognition sensors have a high rate of false positives and false negatives
  • Facial Recognition
    • Facial recognition scans features that are present on the user’s face
    • Facial recognition systems work well