Recently, an external consulting company audited my company's Windows NT 4.0 environment security. One of the audit's most striking discoveries was the overall low quality of NT account passwords. A simple dictionary attack could crack most passwords. In response to this audit, IT management chose to explore two-factor authentication for domain logon. Can you offer some advice about two-factor authentication solutions for NT?
Two-factor authentication solutions, such as tokens and smart cards, authenticate users based—unsurprisingly—on two factors: knowledge and possession. To use a token or smart card to authenticate, you must have both the device and a PIN or password to unlock the device.
Smart cards usually provide the highest level of security. The principal reason is that true smart card two-factor authentication solutions are built on asymmetric cryptography, whereas token-based solutions are built on symmetric cryptography—an older technology.
Several vendors offer smart card—based authentication solutions for NT (e.g., Gemplus, ActivCard, VASCO, CyberSafe). So far, however, most of these solutions don't support smart card—based two-factor authentication that uses asymmetric cryptography. Most solutions use the smart card to store NT user accounts (i.e., password credentials) rather than to store a private key and certificate. Also, the authentication protocol behind these solutions doesn't support asymmetric cryptography credentials.
Therefore, when you authenticate with most smart card—based authentication solutions, you'll be using a two-factor solution, but no asymmetric cryptography exchanges occur behind the scenes. In the case of NT, when the authentication software has retrieved your credentials from the smart card, a plain NT LAN Manager (NTLM) authentication sequence takes place. True smart card authentication also requires an authentication protocol that supports asymmetric credentials for authentication. Through its support for the Kerberos Public Key Cryptography for Initial Authentication (PKINIT) extension, Windows 2000 does support true smart card two-factor authentication.
For NT, the token is the most frequently deployed two-factor authentication solution. One popular NT token solution is RSA Security's RSA SecurID. Built on a time- and Challenge/Response-based authentication mechanism, RSA SecurID's strengths include its advanced management system and its tight integration with the Windows platform. Another advantage of a token solution is that unlike a smart card—based solution, you don't have to connect an extra reading device to your computer. (For most smart card solutions, you must connect a reader to your computer. However, some vendors already offer smart card—based devices that you can plug into a USB port—and that don't require an extra reader.)
If you want state-of-the-art two-factor or multifactor authentication, you might want to look at biometric solutions. Currently, fingerprint devices are prime time. Vendors such as Ankari, Sony, Compaq, Identix, and DigitalPersona offer fingerprint solutions for an acceptable price. A valuable feature of some fingerprint solutions is that you can integrate them into smart card—based technology.
With both smart card— and token-based solutions, make sure that you know how the solution actually works. For example, it doesn't make sense to have users identified by fingerprint if, after identification, the fingerprint images are sent in the clear to the authentication server for validation.
Whether you select token-, smart card—, or biometrics-based two-factor authentication, pay special attention to the management software that comes with the solution. Many two-factor—based authentication solutions aren't ready for the enterprise and offer poor (or no) capabilities for centralized and remote device management. Also, make sure that the solution integrates well with your NT environment. Finally, know whether your solution is proven security technology: Does the solution have known bugs or loopholes? Have many organizations adopted it?