Authentication Network and application managers need to know who is accessing their systems to determine appropriate access levels. Typically, they require that users create secret passwords. A secret password, known only to the user, allows an administrator to feel confident that a user is who the user says he or she is. Systems administrators even have the authority to determine the characteristics of passwords. For example, they may set a minimum length and require that a password include numbers, symbols, or mixed letter case. They may also require that a user change his or her password every few weeks or months. These approaches have numerous problems:
• Users often forget complicated or frequently changing passwords, resulting in frequent calls to a help desk. The help-desk employee then faces the burden of identifying the employee by some other means and resetting the password. This process takes time and is subject to social engineering.
• Users may write down their passwords. However, this leaves passwords subject to discovery and theft.
• Users often pick the same password for many different accounts, which means that someone who discovers one of these passwords then has the “keys” to all the accounts.
• Users may pick an easy-to-remember password, which is easy to anticipate and therefore easy to guess. Password-cracking programs cycle through entire dictionaries of English language words and common word/number combinations such as “smart1” or “2smart4U.”
• Users may give away their passwords over the phone (social engineering) or via e-mail (phishing, a type of social engineering) to individuals representing themselves as a system administrator. Perhaps you have already received e-mails purportedly from a financial institution claiming identity or account difficulties and asking you to “reconfirm” your account information on their authentic-looking Web site. As you can see, using passwords to identify a person is fraught with problems. Here are some alternatives to explore. Look up each authentication approach listed below on the Internet, describe the method in your own words (be sure to cite your sources), and briefly list the advantages and disadvantages.
a. Biometrics (biological measuring)
b. Smart cards
c. Biochips