Two-factor authentication

February 13, 2007, 5:59pm PST | Length: 00:03:40
Dennis Hoffman, vice president of enterprise solutions at RSA, explains how a security process called “two-factor authentication” works to validate users gaining access to company data.

Transcript

Hi. My name is Dennis Hoffman. I am the Vice President of RSA, the security division of EMC. Today we are going to be talking about two-factor authentication.

Security is really the management of a conversation between a human and a hunk of data. Historically the way we've managed this conversation is by building a perimeter around the people and the data and locking down the perimeter. Increasingly, however, we're learning that's an inefficient way to secure information.

By far a better way to secure the information is to focus on securing both the people and the data. And here's why.

First, data moves. It's constantly traversing perimeters. Whether it's backup tapes, email messages or laptops that are lost in cars. Data is continually leaving the perimeter.

Second, people move too. In fact, there is more than one kind of people. Not only are there employees but there are customers and there are business partners. And all of them need access to the same information. So information-centric security focuses on both the data and validating the identity of the person.

So let's look at authentication. Authentication is the process of validating to an IT system that you are who you say you are, so they can then trust you and give you rights or access to privileges to things like networks or computers.

People are comprised of a number of elements in the digital world. The first is a user name. And then there are a number of factors that we use to increasingly validate that people are who they say they are.

The first factor is something you know. That often takes the form of a password or a PIN. The second is something that you have. Often a randomly generated set of six digits that are known as a pass code. And the last factor is something you are, which is generally a biometric of some form like a fingerprint or a retinal scan or voice print.

Anything more than one factor is known as strong authentication. Today what we are going to talk about is the most common form of authentication or two-factor authentication.

So in two-factor authentication we use two devices or tokens. They can be hardware or they can be software. And they can contain a randomly generated set of six digits or eight digits that are time synchronized with a server that is either at the corporate headquarters or it is hosted somewhere on the Internet.

So the way the process works is that the user enters into a computer their user name, their PIN and the pass code. And that is compared with the value on the server where the user name, the PIN and those six digits have to be exactly matching in order to grant access. If they don't, access is denied and the authentication fails.

The reason this is so important is because PINs are considered widely insufficient to prove you are who you say you are. Passwords and PINs are generally something that people either make too simple so that someone can guess them. Or they make them too complicated, in which case they write them down and compromise the security.

Two-factor authentication is a way to take something you know, add something you have, and improve the process of securing the people part of information-centric security.
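
The server-side check described in the transcript (user name, PIN and a time-synchronized pass code must all match) can be sketched as follows. This is an added example, not part of the transcript and not RSA's algorithm: it uses the open RFC 6238 TOTP scheme as a stand-in for the token, and `AuthServer`, the 30-second step, and the one-step drift window are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
import time

STEP = 30   # seconds each pass code is valid (assumption: RFC 6238 default)
DRIFT = 1   # token/server clock skew tolerated, in steps (assumption)

def passcode(seed: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: computed by both token and server."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_pin(pin: str, salt: bytes) -> bytes:
    # The server stores a salted, slow hash of the PIN, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class AuthServer:
    """Hypothetical server holding each user's PIN hash and token seed."""
    def __init__(self):
        self.users = {}

    def enroll(self, username, pin, seed, salt):
        self.users[username] = {"salt": salt, "pin": hash_pin(pin, salt),
                                "seed": seed, "last": -1}

    def authenticate(self, username, pin, code, now=None):
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            return False
        pin_ok = hmac.compare_digest(hash_pin(pin, user["salt"]), user["pin"])
        current = int(now) // STEP
        matched = None
        for counter in range(current - DRIFT, current + DRIFT + 1):
            if counter <= user["last"]:
                continue                          # already used: block replay
            expected = passcode(user["seed"], counter * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                matched = counter
        if pin_ok and matched is not None:        # both factors must match
            user["last"] = matched
            return True
        return False
```

A captured pass code is useless once its time window has passed or once it has been accepted, which is what distinguishes this second factor from a static PIN.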
