One, two, three factor security?

Getting security right is a balancing act. Too much, and the system that's protected becomes too difficult to use. Too little, and the repercussions can be enormous -- not only can fraud impoverish a company, but there are significant legal and practical implications if sensitive company data has been revealed or modified.

Security systems can be categorised by factors, the number of different ways that a user is authenticated before being allowed access. One factor security is by far the most common -- if you know your username and password, you're in.

Two factor security relies on something you alone have and something you alone know. You already use it when you get cash from a hole in the wall, where the combination of the bank card and your PIN identifies you in two ways. Security companies are also keen to promote yet more secure system: three-factor security, which includes biometric identification to check something you are alongside what you have and know. However, even two factor security is a massive improvement on systems that just use a password -- no security consultant will fail to recommend it as a minimum acceptable level of safety. But most companies choose to ignore this.

It's not that single factor security is safe. While it's true that a well-chosen password can be effectively impossible to crack, few people take that much trouble. If a 2GHz Pentium 4 computer tried to guess an eight-character password by working its way through all the combinations, it'll take more than a decade, on average. Yet nearly every survey of people's preferences shows thirty percent or more choose single words, family names or other short, easy to remember passwords. Even when a company has -- and enforces -- a password policy that excludes these, it takes little work to get people to divulge their passwords over the phone. One survey, by security consultants PentaSafe, found that two-thirds of commuters at Victoria Station in London would give their password to a pollster in exchange for a promotional pen.

In any case, forcing people to use hard-to-guess, frequently changed passwords merely increases the incidence of people writing the passwords down and sticking them to the front of their monitors. Some people recommend teaching users a way of mentally converting a passphrase to a password -- so "Time for bed, said Zebedee" becomes T4bsZ -- but this is rarely popular.

Two factor security is much safer. The most common system uses an authenticator, a small device -- SecureID is the best known -- that constantly generates a long and constantly changing sequence of numbers which the user has to type in alongside their normal password. While this will certainly deter the ad hoc intruder, it's not safe against the skilled hacker, for example, phoning up an IT centre and successfully posing as an authorised user on a tight deadline who's left their authenticator elsewhere.

Another two factor scheme uses cellphones, where the person logging on has to answer an authentication challenge sent from the computer to their mobile phone by text message. This reduces the number of devices the user has to carry, but if they're out of range, have flat batteries or have left the phone elsewhere it disbars them from access.

Three factor security typically uses fingerprint, retina, iris, voice or face recognition. These are all physiological features that can be easily digitised and are mathematically unlikely either to give a false negative -- when the authorised user isn't recognised -- or a false positive, when someone unauthorised passes. The downsides to these systems are that the readers are expensive, have to be physically installed, and all have weak points that can be exploited. Most recently, fingerprint scanners were shown to be unable to differentiate between a real finger and one made from gelatin.

All security systems can be circumvented if the intruder gains access to the system, even temporarily, at a high enough level. Biometric tests are no safeguard if the intruder has the freedom to either create a new account keyed to themselves, or can tamper with existing accounts to the same effect.

You should have two factor security. Even if you don't, you should educate users on selecting sensible passwords, warn them never to disclose their passwords to anyone -- no matter what the excuse -- and make sure the reasons behind this are well understood. People with access to their work systems are the equivalent of people who hold the keys to the company premises, and this incurs responsibility. If that is widely known and respected, half the battle will have been won.

Have your say instantly in the Tech Update forum.

Find out what's where in the new Tech Update with our Guided Tour.

Let the editors know what you think in the Mailroom.