Authentication and Access Control

Software and smart cards keep out the wrong users.

Before any other security measures become meaningful, there must be a way to reliably identify authorized computer system users and lock others out. Once identified, authorized users should have limited access to the system's resources, consistent with their work responsibilities.

The most commonly used authentication technique is a password. But many passwords can be easily guessed, which is why more sophisticated authentication techniques are becoming more popular. These are usually in the form of cards (either PC cards or credit-card size "smart cards") that users carry with them. Smart cards resemble credit cards but feature an embedded microprocessor in place of a magnetic stripe.

To gain access to a computer, the card is either inserted into a card reader, or it displays a one-time code on a small LCD screen mounted on the card, in which case the user types the code into the computer. The card may also communicate with the card reader by radio frequency. For additional security, the user must often also enter a personal identification number (PIN), much like when using a bank card.

Users worried about their PINs being compromised through electronic eavesdropping can buy smart cards with small keypads. The PIN is entered directly into the card, which combines it with the one-time code to produce a scrambled value, so the PIN itself is never typed into the computer. Security Dynamics and CRYPTOCard are among the companies offering card-based authentication products.
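As an added illustration of the keypad-card idea (example code written for this page, not the article's content and not the actual proprietary scheme of Security Dynamics or CRYPTOCard), the following hypothetical HMAC-based design shows how a card can fold a keypad-entered PIN into a time-based one-time code, and how the server verifies that code while tolerating clock drift and refusing replays. The shared secret, PIN and time step are constructed values.

```python
import hashlib
import hmac
import struct

# Hypothetical token design (not any vendor's real algorithm): card and
# server share a secret; the card mixes the PIN typed on its own keypad
# into the code, so the PIN never travels to the computer in the clear.
TIME_STEP = 60  # seconds per code; constructed value for this example


def one_time_code(secret: bytes, pin: str, counter: int, digits: int = 6) -> str:
    """Derive a numeric code from the shared secret, the PIN and a time counter."""
    msg = struct.pack(">Q", counter) + pin.encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Dynamic truncation: pick a 4-byte window of the digest as the code value.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class Server:
    """Verifies codes; tolerates +/- `window` time steps and rejects replays."""

    def __init__(self, secret: bytes, pin: str, window: int = 1):
        self.secret, self.pin, self.window = secret, pin, window
        self.last_counter = -1  # highest counter already accepted

    def verify(self, code: str, now: float) -> bool:
        counter = int(now // TIME_STEP)
        for drift in range(-self.window, self.window + 1):
            c = counter + drift
            if c <= self.last_counter:
                continue  # a code for this step was already used: replay
            expected = one_time_code(self.secret, self.pin, c)
            if hmac.compare_digest(expected, code):
                self.last_counter = c
                return True
        return False
```

Because the PIN is hashed into the code on the card, an eavesdropper who captures the six digits learns neither the PIN nor anything reusable after the time step expires.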

An alternative authentication technique called biometrics relies on such methods as retina or fingerprint scans, but these are currently too expensive to be widely practical. A third method is in the form of software installed on both the server and the computers connected to it; the two sites communicate and confirm the user. Companies that sell software-based authentication include Security Dynamics and Bellcore.

Access control is primarily software-based. In many cases, sufficient security can be achieved by simply implementing the built-in access controls of operating systems and applications. These can ask users for passwords before allowing them to boot up the computer system or before allowing them to open a document.

Third-party access control packages are available from companies such as Computer Associates International Inc., IBM Corp., AXENT Technologies Inc., Mergent International and Fischer International Systems Corp.
