Systems administrators often need to strike a balance between password policies that offer greater levels of security and policies that permit users to choose passwords that are easy to remember. This can be a tricky balancing act: If you force passwords with greater levels of security, users are likely to forget them and continually need to call the help desk to have them reset or write them down on a piece of paper kept at their desk (negating the security of the pa). If you allow less-secure passwords, they can be easily guessed or cracked. As users become more mobile, this becomes an even greater dilemma because of the potential theft of portable computers or the inherent lack of security when users access resources via unprotected Wi-Fi hotspots or home Internet connections. VPN offers some protection for remote access, but in many cases even VPN relies on passwords as the method of authenticating users and granting remote access.
One solution to this conundrum is the use of token-based authentication such as smart cards or one-time password tokens. Both of these technologies offer the capability to beef up security by means of two factor authentication—which requires a physical token as well as either a PIN number or a biometric evidence to grant access. The requirement of a physical device as well as a secret code or other identifying information such as a fingerprint greatly enhance security because the password or PIN is essentially useless without the token, and the token is useless without the PIN or user’s biometric evidence. Also, because a token is a physical object, its absence will be noticed quickly if it is lost or stolen (unlike a compromised username and password).
One-Time Password Solutions
One-time password solutions are devices (often referred to as tokens) that are used to enhance security. They are small devices that have a microprocessor and LCD screen. Each token is seeded with a unique encryption key from a server. The token uses that key to generate a unique one-time password, either each time a user makes a login attempt or at a set interval that is displayed on the LCD screen. To log in to the secured computer or service, a user must enter a username that is associated with his or her token, along with the one-time password displayed on the token and a PIN number that is appended to the sequence of numbers displayed on the token. One-time password solutions for Mac OS X and Mac OS X Server are available from CryptoCard and RSA, although RSA’s solution is limited to VPN access.