Let's be honest: Everyone hates passwords.
Users hate remembering them, IT hates resetting them, and IT security hates that staffers use the same passwords for the corporate network that they use for Facebook. And passwords are easy to crack -- modern, pregenerated hash tables can crack most passwords up to 10 characters long in minutes.
So what can we do about it?
Many companies have been successful with smartcards, but issuing and maintaining them can be a hassle. Authentication tokens may be a better option. They give you the two-factor authentication you want, and they are more convenient for your users. In addition, tokens are easy to issue, support and manage.
The big word in tokens these days is "OATH," which stands for Open Authentication and defines how hardware authentication tokens work. With the right software back end, you can buy any OATH-compliant tokens you want: key fobs, credit cards, even software tokens that run on users' home computers (facilitating work from home) or mobile devices (like smartphones). Soft tokens run from free to just a few bucks per user; hardware tokens usually cost less than $30 in any quantity.
To use the token, you deploy an agent to your server and client computers that modifies Windows' built-in logon dialog. When a user presses Ctrl+Alt+Delete, he'll be asked for a personal identification number (PIN) and whatever numeric password is on the OATH token. The answer is compared to a back-end system that knows what each token is showing at each moment, and the user is logged on.
If a user loses his key, it's rarely a problem because whoever finds it won't know the PIN. (A simple six-digit PIN has almost a million combinations that an attacker would have to test.) Just disable the old token and issue a new one.
But what if your users jot their PINs down and stick them to their monitors? That's not a problem, either, because the PIN is useless without the physical token, which users usually keep with them -- either on their phones, in wallets or in purses.
You'll need an OATH-compliant solution that integrates with Active Directory and ideally also works with standardized Remote Authentication Dial In User Service (RADIUS) clients. There are many options, but the best ones have self-service websites that users can visit to self-activate hardware tokens or download and install software tokens. That's right, self-service. Just put a bucket of tokens in the lunchroom and let users use their old usernames and passwords to activate whatever tokens they grab. It's a hands-off, low-overhead process that the help desk will love.
So, in a nutshell, pick a token, any token. Heck, mix and match: Men might prefer a credit card design for their wallets, while women might prefer a key fob that can go into their purses. Geeks of either gender will love soft tokens that run on their iPhone, Android, Palm or Windows devices.
Next, get a back-end solution and hook it into Active Directory (most products take less than 20 minutes to install and configure). Set up the self-service website that comes with the back-end solution, deploy logon agents to your clients, and you're done. A token project can take just a few weeks from start to finish, but it can eliminate the "I forgot my password" calls forever.
ABOUT THE AUTHORS
Don Jones is a co-founder of Concentrated Technology LLC, the author of more than 30 IT books and a speaker at technical conferences worldwide.
Greg Shields is co-founder of Concentrated Technology LLC, an independent author, instructor, Microsoft MVP and IT consultant based in Denver, Colorado.
Contact them through their website at ConcentratedTech.com.
This was first published in November 2010