We know how to make the Internet secure. Now the question is, "Will we do it?"
I wrote in this space
last week about "Pass2Go," a piece of software
that resides on a key-sized USB Flash drive. The device stores all of the
username/password combinations that log you into the various Web sites and
secure servers you use. When you remove the drive from the USB port, your
passwords are no longer available to anyone else who may use that computer.
This is better than storing your passwords within Microsoft's Internet
Explorer browser (whose password encryption was cracked long ago) or
the Mozilla Foundation's Firefox (which stores passwords in an ordinary
file unless you set up a "master password").
But Pass2Go -- or any device that relies on passwords -- is insufficient
to allow you to safely log on to your accounts when you're away from
your desk. The answer to the problem is here, today. But will people use it?
The Problem With Passwords
To be sure, storing your passwords in a removable device using Pass2Go
is preferable to writing them on sticky notes and gluing them to your
monitor. The problem isn't how you remember your passwords, but the
fact that you have to use them at all.
• Using A Nonsecure PC On A Nonsecure Network.
If you use a PC at an Internet café, a library, a college, or any other
public location, you have no easy way to guarantee that that machine isn't
infected with a Trojan-horse program. Such a program could be watching for
passwords and sending the information to a hacker at a remote location or a
dishonest employee of the shared-PC service.
• Opening The Veil.
The username/password combinations that are stored by Pass2Go are, it's true, unreadable when you insert your Flash drive into a USB slot. But as soon
as you type your "master password," any Trojan horse on the Internet
café's machine can copy the information by monitoring the keyboard.
The Trojan can also capture the screen to learn what information may be
displayed.
• The Savvier They Come, The Harder They Fall.
A variety of companies have invented USB Flash drives that can be configured
to require a registered user's fingerprint before releasing any
username/password combinations to a browser login form. One such product is the
Lexar JumpDrive TouchGuard, a $70, 256 MB drive. Your
fingerprint makes a very good "master password." But a Trojan horse on an
Internet café PC can still monitor your keystrokes and capture the
screen as soon as your finger has opened the passwords on your Flash drive.
Carrying your passwords around in a Flash drive isn't a secure way for you
to use public-access PCs to log in to your accounts. Passwords themselves
are the problem. The solution is at hand, and it may free us from having
to remember passwords at all.
Two-Factor and Challenge/Response Authentication
What's better than strong passwords? The answer lies in two-factor
authentication and challenge/response authentication.
These are big words for some simple concepts:
• Two-Factor Authentication
relies upon "something you have" and "something you know." The most successful
example is bank cards and PINs (personal identification numbers). A thief
might steal your bank card, but it's unlikely that he'd guess your PIN
before the card was swallowed up by a cash machine after three incorrect tries.
• Challenge/Response Authentication.
A bank card is merely a piece of plastic with a magnetized strip that contains
your account information. But USB Flash drives (and similar technologies,
including "smart cards") can do much more than just store bytes.
They're also capable of carrying and using digital certificates. A secure
server can issue a digital "challenge" that only a smart device can
correctly respond to.
I've been calling devices such as these "USB keys," because they make it as easy
for you to log in to a secure server as it is to start your car with a car key.
U.S. Bancorp Signs Up For USB Keys
Verisign Inc. is one of several companies that are beginning to sell
USB keys, technically known as secure authentication tokens, to banks and
other enterprises.
Verisign recently
announced that U.S. Bancorp, the sixth-largest U.S.
financial services holding company, would start giving secure USB tokens
to its commercial banking customers. In my opinion, this is the first step
toward all financial institutions requiring two-factor authentication for
any online customer communication.
The company's
Unified Authentication USB Token, shown at the bottom
of the photo to the left, can hold up to seven digital certificates, according to
Mark Griffiths, vice president of security services for Verisign.
The
Multipurpose Next-Generation Token, shown at the top
of the photo, also displays a 6-digit number when the user pushes a button.
The number is one of a series that a secure server will accept as a
valid password, in combination with a user's 4-digit PIN.
One-Time Passwords And Multiple-Use USB Keys
For many business applications, such as remote access to e-mail, a one-time
password is sufficient security to let an end user log in from an Internet
café. Even if a Trojan horse is monitoring all of a PC's keystrokes and
capturing everything on the screen, a hacker wouldn't be able to use the
discovered password, since it would work only once.
For more sensitive applications -- such as online banking -- the
challenge/response capabilities of USB keys provide much better security.
No Trojan-horse program could understand the long digital strings that
make up a secure challenge, much less formulate the exact arrangement of
bytes that would make up the calculated answer.
A hacked public terminal might still be able to capture the text of your
e-mails, your bank balance, or whatever else you display on the screen. But
it would be impossible for the hacker to log in to your e-mail account and
send e-mails under your name -- or log in to your bank account and send all
of your money to Russia.
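To make the two mechanisms in this section concrete, here is an added example (not from the column or from Verisign) of a server checking a one-time password and a challenge response, and rejecting both when a captured value is replayed. It assumes RFC 4226 HOTP for the 6-digit code and an HMAC over a random challenge as a stand-in for the certificate-based response; the column does not say which algorithms the tokens use, and the `Server` class, key and PIN are constructed for illustration.

```python
import hashlib, hmac, secrets, struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time password (RFC 4226 truncation of HMAC-SHA-1)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def token_respond(key: bytes, challenge: bytes) -> bytes:
    """Computed inside the USB key; the secret itself is never typed or shown."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Server:  # hypothetical back end holding one user's token secret and PIN
    def __init__(self, key: bytes, pin: str, window: int = 5):
        self.key, self.pin, self.window = key, pin, window
        self.counter, self.pending = 0, None  # next valid counter; open challenge

    def check_otp(self, pin: str, code: str) -> bool:
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            return False
        for c in range(self.counter, self.counter + self.window):  # look-ahead
            if hmac.compare_digest(hotp(self.key, c).encode(), code.encode()):
                self.counter = c + 1   # a used code never validates again
                return True
        return False

    def new_challenge(self) -> bytes:
        self.pending = secrets.token_bytes(32)
        return self.pending

    def check_response(self, response: bytes) -> bool:
        challenge, self.pending = self.pending, None   # one attempt per challenge
        if challenge is None:
            return False
        return hmac.compare_digest(token_respond(self.key, challenge), response)

def demo():
    key = b"12345678901234567890"        # constructed secret (RFC 4226 test key)
    server = Server(key, pin="4821")     # constructed PIN
    otp = hotp(key, 0)                   # what a keylogger would capture
    first, replay = server.check_otp("4821", otp), server.check_otp("4821", otp)
    resp = token_respond(key, server.new_challenge())
    accepted = server.check_response(resp)
    server.new_challenge()               # the next login gets a fresh challenge
    return first, replay, accepted, server.check_response(resp)

if __name__ == "__main__":
    print(demo())
```

The look-ahead window is what lets the server accept "one of a series" of codes when the button has been pressed a few extra times.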
Conclusion
Verisign's Griffiths says a rollout of secure tokens -- including the use of
Verisign's 24/7 back-end server that can lock out lost and stolen Flash drives
-- will cost a company only $25 to $35 per year per user for 5,000 users. That
sounds to me like a bargain, if it eliminates the use of passwords and any
eavesdropping on them by hackers.
Unfortunately, there's no program at the current time that allows an
individual consumer to purchase a USB Key and then demand that his or her bank
start supporting it as a form of identification.
Until that day comes, I recommend against using a public terminal to log in
to your e-mail account without one-time passwords -- and against logging in
to your online bank account without full challenge/response authentication.
Wait, you might say. If this catches on, what will keep consumers and
corporate travelers from having to carry around a fistful of different
USB keys to log in to different servers?
A standard is on the way that will allow a single key to work on all servers.
That'll be the subject of my next column on Jan. 11, 2005, after the
holiday break.