8. The Means of Cybersecurity: Access Control 197

it must be reported as soon as possible, and the lost smart card can be deactivated and a new one issued.

Debit cards are similar to smart cards. When a bank customer uses an automated teller machine (ATM) to withdraw cash from his account, he must insert his debit card. The machine reads the debit card to determine the account number. ATMs also require a PIN (i.e., “something you know”) for logging in. This is true of most smart card-based authentication mechanisms—another authentication token is usually required.

8.1.3.3 Security Key

A similar type of token is a security key. A security key is a USB stick that can perform cryptographically secure authentication. When a user tries to log in to a computer or a website, if his security key is plugged into the computer, then the user can be authenticated. If the user does not have their security key, then they cannot be authenticated. Some security keys include a built-in fingerprint reader to collect a “something you are” token as well at login time. Because the fingerprint is also needed, users can leave their security key plugged into their computer without too much risk of an imposter logging in as them.

8.1.3.4 Keychain Pseudo-Random Number Generator

Another hardware-based system uses keychain-sized battery-powered tokens with a built-in number display (see Figure 8.3). The token runs a simple pseudo-random number generator (PRNG) to generate an endless stream of unpredictable numbers that change every thirty seconds or so. At login time, the user is prompted to enter the number displayed on the token at that time, proving he has the device. Even though the token is offline and has no way of communicating with the authentication server, it is synchronized with the authentication server during the enrollment phase, so the server can always calculate what number is displayed on the device at any given time.
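The synchronization described above, as an added worked example that is not part of the book: the token and the server share a seed from enrollment, and each independently derives the current number from that seed and the current 30-second time step, so the server can check the number without ever talking to the token. The example models the token's number generator as an HMAC-based time-derived code (the RFC 4226/6238 construction); that is an assumption, since the text only says the token runs a seeded PRNG. The function names (enroll_token, token_display, server_verify) are this example's own.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Example code added for illustration; not from the textbook. It models the
# keychain token as an HMAC-based time-derived code (the RFC 4226/6238
# construction), which is an assumption: the book only says the token runs a
# seeded PRNG that is synchronized with the server at enrollment.

STEP_SECONDS = 30  # how often the displayed number changes


def enroll_token() -> bytes:
    """Enrollment: generate a fresh random seed for one physical token.

    The seed is stored on the token and in the server's database. It is the
    only secret in the scheme, so every token must get a distinct seed.
    """
    return secrets.token_bytes(20)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Derive one displayed number from the seed and a counter value."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    dbc = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(dbc % 10 ** digits).zfill(digits)


def token_display(seed: bytes, now: Optional[float] = None,
                  step: int = STEP_SECONDS, digits: int = 6) -> str:
    """What the token shows at time `now` (seconds since the Unix epoch)."""
    if now is None:
        now = time.time()
    return hotp(seed, int(now) // step, digits)


def server_verify(seed: bytes, submitted: str, now: Optional[float] = None,
                  step: int = STEP_SECONDS, digits: int = 6,
                  window: int = 1) -> bool:
    """Server side: recompute the number and accept the login if it matches.

    The token is offline, so its clock drifts; `window` lets the server also
    accept the numbers for a few adjacent time steps. The comparison is
    constant-time so the check itself does not leak which digits matched.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False
    if now is None:
        now = time.time()
    counter = int(now) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(seed, c, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    seed = enroll_token()                 # done once, at enrollment
    shown = token_display(seed)           # what the user reads off the device
    print("token shows:", shown)
    print("server accepts:", server_verify(seed, shown))
    # A second token gets its own seed, so its numbers are unrelated.
    print("another token shows:", token_display(enroll_token()))
```

Two points the code makes concrete: the server needs nothing but the seed and the time to reproduce the display, which is exactly why the seed must stay secret and the token must be paired with a password; and a real server should also record the last time step it accepted for each user and refuse a second login with the same number in that step, so a number seen once cannot be replayed within the window.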
Every physical token uses a different seed for the PRNG so they can be uniquely identified. Having access to one device will not help a person hack into someone else’s account. However, these types of tokens are hackable. If an attacker discovers the seed for a device or cracks the PRNG algorithm—which is possible since it is deterministic—he may be able to determine the numbers on the device just like the authentication server does. For this reason, these devices should always be used with another authentication token like a password.

8.1.3.5 Summary

Using a physical token for authentication is effective, but it can be an inconvenience. If a user needs to log in but does not have his token, then he cannot be authenticated. It could be that he lost it or that his token is inaccessible—maybe he is at home but left it at work—or just that the token is in another room—he is upstairs but the token is downstairs. Foreseeing circumstances like these, many users will push back on adopting “something you have” tokens, fearing it will be an inconvenience and cost them time—a clear secu-