Recognizing how easily computer passwords can get into the wrong hands, Indiana University (IU) has implemented a new kind of authentication technology for staff and faculty members who have access to sensitive school data.

The technology is known as a “two-factor” login system, because it requires users to enter two passwords before they can log onto the network: their standard, fixed identification and a computer-generated password that is much more difficult to crack. The technology is already in use by a growing number of banks, health-care organizations, and corporations to safeguard sensitive information–but IU is believed to be one of the first schools to deploy it.

Ensuring the safety of passwords has become more challenging, given that users are now accessing and creating logins on a wide variety of services online, said Mark S. Bruhn, chief IT security and policy officer for the university.

Many people will use the same password out of convenience, Bruhn explained, and “the worry is that some or many of these other systems do not get the security attention they need to ensure that the stored or transmitted password isn’t disclosed.”

To address this concern, IU has issued a two-factor authentication system made by Secure Computing Corp. to everyone who has access to sensitive, law-protected data stored in systems for student information, payroll, personnel, financial aid, and more.

The system, called SafeWord Remote Access, consists of server-based software and a key-sized device known as a token. To log in with the SafeWord system, users must enter three things: their fixed login name, their fixed user identification number, and a unique password generated by the SafeWord token.

To generate this unique password, users simply push a button on their token and a password appears on its display. Users then type this password into their computer, which compares it with the password generated by the server software based on the same sequential formula.

The SafeWord system creates a new password each time users access the network by calculating an algorithm based on the number of times users push the button on their token and try to log in. The first time a user pushes the button and logs in is counted as “event one,” the second time is counted as “event two,” and so on.

If a user pushes the token’s button more times than he or she attempts to log in, the device becomes out of sequence with the server software. However, the system automatically resets itself after a user enters two sequential passwords generated by the token.

“On the second try, it lets you in,” said Paul Ardoin, SafeWord product manager. “This is one of the things that makes the SafeWord token idiot-proof–say, if your four-year-old gets a hold of it and pushes the button ten times. A lot of times a user won’t even know that (he or she has) gotten out of sequence.”

The theory behind this automatic reset is that it’s virtually impossible to enter two sequential passwords without the correct token, user name, and ID number, he said.

System administrators can remove a token from the system if it is lost. And the threat of a token getting into the wrong hands is minimal, Ardoin said. Besides having the token, the person would have to know the correct user name, ID number, login address, and procedure to log in.

Recent high-profile instances of hackers gaining access to students’ personal information at universities nationwide illustrate the usefulness of the technology for schools. In January, for example, the Associated Press reported that hackers might have gained access to the Social Security and credit card numbers of 31,000 University of Georgia students and applicants.

“Personal identification for students, social security numbers, health records are all stored on computers now. It’s very important for schools to show due diligence in protecting this information,” Ardoin said.

Unlike passwords, which are often hackable, guessable, or just left on someone’s desk for others to see, two-factor authentication systems allow school officials to log in from remote locations, while giving network administrators a high level of assurance that the correct person is logging in.

With roughly 10,750 tokens in place at IU, “we haven’t worried too much about password and network issues related to our most sensitive systems. In addition, we feel much more comfortable allowing access to these sensitive systems from off campus,” Bruhn said.

However, issuing and maintaining tokens across the university’s eight campuses has been a procedural challenge, he said.

Secure Computing’s solution ranges in price from about $27 per token for up to 100 users to about $8 per token for 5,000 or more users. In addition to the initial cost of the tokens, IU spends about $40,000 to $50,000 annually on support staff needed to manage, program, and deploy the tokens.

Besides Secure Computing, other makers of two-factor login systems include RSA Security Inc., whose SecurID product generates a unique code every 60 seconds that is based on the time a user logs in rather than a sequential formula.

See these related links:

Indiana University
http://cacr.iu.edu

Secure Computing Corp.
http://www.securecomputing.com