Those who work in the defense and intelligence community are accustomed to presenting documents to enter facilities or access workstations. Authenticating who we are to the custodians of the classified information held within the building is a necessary requirement. The National Industrial Security Program Operating Manual (NISPOM) directs the Facility Security Officer (FSO) to ensure that only individuals with appropriate authority are allowed entry. Indeed, facilities are tested and checked by the Defense Security Service (DSS) to ensure adherence to the “need to know” principle for access to both the facility and the information within it. These processes and procedures are table stakes and a hallmark of a well-managed security program, and in the post-Snowden era they are non-negotiable.
While physical authentication is an easily understood concept, technological authentication is just as important and harder to wrap our arms around, because the implementation of authentication protocols remains an ongoing and evolving science and practice. To better understand technological authentication, let’s begin with the why.
Why authenticate technologically?
To ensure that access to information is provided only to those with a need to know. Information is stored in a multitude of locations, ranging from the email folders on our devices to remote databases that require individual log-ins to access the data. A password-only access solution is no longer sufficient, especially when dealing with classified information. Edward Snowden’s methodology for acquiring the information he subsequently purloined went well beyond accessing only that to which he had natural access. Indeed, Snowden used the log-in credentials and passwords of 20-25 of his colleagues, which he induced them to share on the basis that he “needed them to do his job.” An additional step, dual (two-factor) authentication, would have required each individual user to participate in the log-in, and might have provided an early warning of Snowden’s data collection effort.
How do you authenticate?
By combining something you know with something you have, both of which are unique to you. In a nutshell: someone may attempt to log in with your password, but if the second level of authentication is not also provided, access is denied. The second level may involve answering a security question, obtaining a PIN from a text message or a voice call to a phone, reading numbers from a key fob, and so on. Using a second level of authentication provides a substantial increase in security and removes much of the password-sharing threat.
What is authenticated?
Authentication uses multiple factors to make the determination. Let’s start with something you have. Your employer or customer may have issued you a key fob that provides an access code to use every time you access the employer’s or customer’s network, so that they know it is you who provided not only the access code (the password) but also the authentication code (the code generated by the device). Similarly, biometrics are often used to validate who has access; these may include a retina scan, fingerprint, voiceprint, or facial recognition. In addition, your device has an identity code, called a MAC address, and your network connection’s IP address also provides an identity touch point. Any or all of these fall within the category of “something you have.” This information is then coupled with something you know. The “something you know” may be a strong password, a passphrase, answers to authentication questions, or any other piece of data that only you and the entity you are accessing know.
Next time you are challenged, whether at the entrance to a facility or when logging into a controlled system, understand why the authentication is so important.