Archive for the ‘Identity and Access Management’ category

How much access control technology is enough?

November 5, 2009

I recently attended a meeting with a group of leading CIOs of U.S. Federal Government agencies, all of whom are working to meet a presidential mandate (HSPD-12) to integrate high-tech Personal Identity Verification cards into their access control systems. Some level of activity is of course required for compliance—there’s a “just do it” attitude that has to apply in some way. The more surprising conversation for me was a mentality that would be familiar to anyone who has ever remodeled a house: “while we’re in there, let’s also fix that…”. These CIOs were very interested to know how much effort to improve access control beyond mere compliance is worthwhile from a cost/benefit perspective.

IREC’s research efforts on access management and assessing the relative value of control investments shed some light on the question of how much technology is enough.



5 properties of passwords that must be managed to reduce risk

July 8, 2009

Security legend Bruce Schneier “opened up a can of worms,” as he himself put it, when he agreed with usability legend Jakob Nielsen that applications should not mask passwords as they are being entered. This is surprising from Bruce, who regularly harps on balancing cost against risk reduction, but his follow-up post does a nice job of addressing the pros and cons of password masking.

For the question of password masking, the obvious security benefit of masking (reducing risk from shoulder surfing) is to some degree counteracted by a less obvious cost (masking may make it harder to enter a password, so it may discourage use of complex passwords).

This is a good reminder that there are a number of password policy measures that on their face increase security but may actually decrease it once usability is factored into the equation (in most cases more so, I think, than masking does):

  1. Password masking (protects against shoulder surfing, as above)
  2. Password complexity is good for protecting against brute force password cracking (but how often does that happen?)
  3. Making passwords regularly expire limits the damage from compromised passwords
  4. Locking out accounts after a certain number of wrong attempts prevents one type of brute force cracking
  5. Rigorous authentication before replacing a forgotten password makes it harder to socially engineer a reset using a simple “secret,” like a pet’s name, that an attacker might be able to answer

The problem with all of these is that they reduce the usability of passwords.  All of them make a user more likely to do insecure things:

  • Use a weak password
  • Write down their password
  • Use the same password across multiple sites

The best setting for these five properties depends on the particulars of each situation, but I think in general security folks worry more than they should about protecting against brute force attacks, and much less than they should about the insecure behaviors above. In particular, the complexity and reset rules (2 & 3) are usually taken too far, and more sophisticated alternatives to lock-out (4), in which the rate of possible login attempts is decreased with each error, are not adopted often enough.

Here, for example, are some data on how often people write down their main corporate login password (N > 100,000):


Edited 7/13/09 to add:

Schneier posted today on this subject, referring to an article that concludes that (overly) strong passwords don’t accomplish anything. Unfortunately they seem to endorse a “3 strikes rule” (issue #4 above), rather than the more user-friendly approach of reducing the possible rate of login attempts, which can easily be engineered to prevent brute force cracking without a full lockout.

One other comment that didn’t make it into the original post: not all password complexity is created equal. Numbers and symbols add a similar amount to password entropy, but create a very different user burden. Maybe Jakob Nielsen can do some usability studies to determine the right balance.
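As an added example (not code from the original post or its author), here is a sketch in Python of the rate-limiting alternative to lock-out that the post argues for in points 4 above and in the edit, placed beside a “3 strikes” lock-out for comparison. The doubling delay schedule, the constants, the PBKDF2 verifier and the sample users are assumptions chosen for the example; a fake clock is injected so the schedule can be exercised offline.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Policy constants: assumptions chosen for this example, not values from the post.
BASE_DELAY = 1.0      # seconds a user must wait after the first failure
MAX_DELAY = 300.0     # the wait never grows beyond five minutes
RESET_AFTER = 86400   # a day without attempts clears the failure count
STRIKES = 3           # threshold for the hard-lockout comparison
ITERATIONS = 10_000   # PBKDF2 rounds, kept low only so the example runs fast

def make_verifier(password: str) -> tuple:
    """Salted PBKDF2 verifier standing in for whatever the real system stores."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Hashed for unknown usernames too, so a missing account costs the same time as a wrong password.
DUMMY_VERIFIER = make_verifier("")

def verify(users: dict, username: str, password: str) -> bool:
    salt, digest = users.get(username, DUMMY_VERIFIER)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest) and username in users

def delay_after(failures: int) -> float:
    """Wait imposed after the n-th consecutive failure: 1, 2, 4, 8 ... capped at MAX_DELAY."""
    return min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)

@dataclass
class Throttle:
    failures: int = 0
    next_allowed: float = 0.0   # clock value before which attempts are refused unseen
    last_attempt: float = 0.0

class ThrottledAuthenticator:
    """The post's alternative to lockout: a per-account delay that doubles on each failure."""
    def __init__(self, users: dict, clock=time.monotonic):
        self.users = users    # username -> (salt, digest)
        self.clock = clock    # injectable so the schedule can be exercised offline
        self.state: dict = {}

    def attempt(self, username: str, password: str) -> str:
        now = self.clock()
        t = self.state.setdefault(username, Throttle())
        if now - t.last_attempt > RESET_AFTER:
            t.failures = 0
        t.last_attempt = now
        if now < t.next_allowed:
            return "throttled"   # refused before the hash is even computed
        if verify(self.users, username, password):
            t.failures = 0       # a good login ends the penalty; no administrator needed
            return "ok"
        t.failures += 1
        t.next_allowed = now + delay_after(t.failures)
        return "bad_password"

class LockoutAuthenticator:
    """The 'three strikes' rule: the account is frozen until an administrator resets it."""
    def __init__(self, users: dict):
        self.users, self.failures, self.locked = users, {}, set()

    def attempt(self, username: str, password: str) -> str:
        if username in self.locked:
            return "locked_out"
        if verify(self.users, username, password):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= STRIKES:
            self.locked.add(username)
            return "locked_out"
        return "bad_password"

def guesses_possible(seconds: float) -> int:
    """Wrong guesses an attacker who waits out every delay can make against one account."""
    count, elapsed = 0, 0.0
    while True:
        count += 1
        wait = delay_after(count)
        if elapsed + wait > seconds:
            return count
        elapsed += wait

def demo() -> dict:
    """Constructed scenario: a user mistypes three times, pausing ten seconds between tries."""
    fake_now = [1000.0]
    users = {"alice": make_verifier("correct horse battery staple")}
    throttled = ThrottledAuthenticator(users, clock=lambda: fake_now[0])
    lockout = LockoutAuthenticator(users)
    results = {"throttled": [], "lockout": []}
    for pw in ["correct horse", "Correct horse battery staple", "correct horse battery stapel"]:
        results["throttled"].append(throttled.attempt("alice", pw))
        results["lockout"].append(lockout.attempt("alice", pw))
        fake_now[0] += 10
    results["throttled"].append(throttled.attempt("alice", "correct horse battery staple"))
    results["lockout"].append(lockout.attempt("alice", "correct horse battery staple"))
    return results
```

In the constructed scenario the throttled user is never refused (ten seconds between tries is longer than the 1, 2 and 4 second penalties) and logs in on the fourth try, while the three-strikes user is locked out on the third typo and stays locked out even with the right password. The arithmetic is the point of the design: with this schedule an attacker who waits out every delay gets `guesses_possible(86400)`, a few hundred guesses per account per day, which makes even a modest password safe against online guessing and leaves the complexity debate to the offline case where the hash database itself has leaked. The caveat a practitioner should weigh is that a per-account delay is still a denial-of-service handle (an attacker hammering a username degrades that user's logins, a softer version of what lock-out does), so in production it is normally paired with per-source throttling rather than used alone.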

Pundits are missing the point on Biometrics

June 3, 2009

We continue to field questions from members about adoption rates of biometrics as part of a multifactor authentication scheme.

Most media coverage focuses on the fact that, as a practical matter, biometrics does not yet work all that well. Here is a sampling of recent items:

False negatives:

False positives:

Ease of stealing the information:

However, there is a greater problem with biometrics: once your biometric data have been compromised, there is no way to fix things. If my password (what I know) is learned or my token (what I have) is lost, those can be revoked and replaced. If someone finds a way to forge my biometric identity for a given biometric authentication implementation, what can I do about that? What I am is a dangerous means of authentication, and we probably shouldn’t even be considering biometrics as a solution, so its failings are not news.