tgreene
Executive Editor

When strong authentication is needed

Opinion
Jul 27, 2004 | 2 mins
Authentication, Network Security, Networking

* Two-factor authentication

A couple of weeks ago, we outlined some of the concerns users have about the security of VPNs for corporate use, and some readers have written in saying that their concerns aren’t necessarily about the security of the IP tunnels themselves. They are more worried about how remote users are authenticated to the network and how secure that authentication method is.

A user name and password alone is too weak, they say, because it can be guessed, captured or phished and then simply replayed, so they insist on two-factor authentication: the combination of something you have with something you know.

The typical scenario is issuing a security token that is synchronized with a token server. Token and server share a secret seed programmed in at issuance, and each derives a new value from that seed and the current time at a fixed interval, so the server can compute what any given token should be displaying at any moment without ever talking to it. The something the user has is the token, and the user proves possession by typing the number it displays at the time of logon. The something the user knows is a PIN. In combination, the two constitute strong authentication: a captured one-time value expires within the interval and cannot be reused, and a stolen token is useless without the PIN.
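The column describes the token mechanism in general terms; the following is an added example, not code from the column or from any token vendor, that implements the same idea using the open standard the industry later settled on, time-based one-time passwords (RFC 6238 on top of the HOTP construction of RFC 4226). It shows both halves of the picture: the token computing its six-digit value from the shared seed and the clock, and the server recomputing that value, allowing one interval of clock drift either way, rejecting a value that has already been accepted (a replay), and requiring the PIN as the second factor. The seed is the well-known RFC 4226/6238 test seed, and the `TokenServer` class, `STEP`, `DIGITS` and the PIN handling are this example's own assumptions, not anything the column specifies.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo values (not from the column). This seed is the published
# RFC 4226 / RFC 6238 test secret, so the values below can be checked against
# the RFC tables. A real deployment would use a random per-token seed.
SEED = b"12345678901234567890"
STEP = 30      # seconds each token value is valid (assumed interval)
DIGITS = 6     # length of the displayed value (assumed)


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, step: int = STEP) -> str:
    """TOTP (RFC 6238): the value the token displays at Unix time `at`.

    The token never talks to the server; both sides simply derive the same
    counter from the clock, which is what lets the server 'know' the value."""
    return hotp(seed, at // step)


class TokenServer:
    """Hypothetical server-side record for one user's token and PIN."""

    def __init__(self, seed: bytes, pin: str, skew: int = 1):
        self.seed = seed
        # PIN stored hashed; a real server would use a salted password hash
        # and lock the account after a few failures, since PINs are short.
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.skew = skew           # accept +/- this many intervals of drift
        self.last_counter = -1     # highest counter already accepted

    def verify(self, pin: str, code: str, now: int) -> bool:
        """Both factors must pass. A value is accepted at most once, so a
        code captured off the wire is worthless after the first use."""
        pin_ok = hmac.compare_digest(
            hashlib.sha256(pin.encode()).digest(), self.pin_hash)
        matched = None
        base = now // STEP
        for delta in range(-self.skew, self.skew + 1):
            c = base + delta
            # Skip counters at or below the last accepted one: replay guard.
            if c > self.last_counter and hmac.compare_digest(hotp(self.seed, c), code):
                matched = c
                break
        if pin_ok and matched is not None:
            self.last_counter = matched
            return True
        return False


if __name__ == "__main__":
    # Demo run: the 'token' shows a value, the user types PIN + value.
    server = TokenServer(SEED, pin="1234")
    now = int(time.time())
    shown = totp(SEED, now)
    print("token displays:", shown)
    print("first logon   :", server.verify("1234", shown, now))   # True
    print("replayed value:", server.verify("1234", shown, now))   # False
```

The window check is what absorbs the small clock drift between an unpowered token and the server; widening `skew` makes logon more forgiving but gives an attacker who captures a value more time to use it, so one interval each way is the usual compromise. Note that a wrong PIN does not burn the one-time value here, but it should still count toward an account lockout.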

Strong authentication can be used with IPSec and Secure Sockets Layer (SSL) remote access technology. One of the often-touted values of SSL remote access is that it is simple to use, and combining it with two-factor authentication complicates it. It requires buying and issuing the tokens, setting up and maintaining the server, and dealing with end users whenever they lose a token. It is more work and more expense, but the cost of a technology doesn’t always decide whether it gets used.

If data is important enough to send via an IP tunnel, it might very well also be important enough to protect further, even if that means spending more time and money to protect it. This is all part of the tricky process of assigning a value to data and the consequences if it is compromised – something that can keep IT security managers up at night but something that has to be addressed when setting up remote access networks.