One-two punch: two-factor authentication helps prevent cyberattacks

Fermilab is moving to widespread use of two-factor authentication, which will help strengthen our defenses against hackers.

“Greetings. This is to inform you that your credit card information from our point-of-sale system has been accessed by unauthorized individuals.”

Many of you may have received communications similar to this recently, as two major national retail chains have revealed that their systems containing customer personal information, specifically credit card data, had been compromised. While Fermilab does not process any credit card data (all purchases from lab organizations go through third-party processors), we do handle other sensitive information that we need to protect.

There are several ways hackers can reach sensitive data. Unpatched operating system vulnerabilities can let outsiders into the systems that hold it. Application software vulnerabilities can be exploited. Careless users may inadvertently download malicious code while browsing the Web or by clicking harmful links in email. But by far the simplest way to compromise a system is to use an illicitly obtained credential, such as the password of someone who already has access: no vulnerability needs to be found, and the resulting login looks like any legitimate one.

Fermilab takes care to protect passwords to limit this danger. We enforce a strict separation of credentials so that the passwords in everyday use are not valid for sensitive systems; we check passwords at creation time to make sure they meet security standards; we search lab offices for written-down passwords; and we provide mechanisms so that passwords used for remote logins are encrypted in transit. For our most sensitive systems we add a further protection: two-factor authentication.

There are three different “factors” you can use to prove who you are: something you know (typically a password); something you have (usually a hardware token or smart card you carry); and something you are (a fingerprint or retinal scan). Two-factor authentication requires two factors from two different categories before you are allowed onto a sensitive computing system; a password plus a PIN is still only one factor, since both are things you know. Most often this means a password combined with a one-time code generated by your token or smart card, so a stolen password alone is not enough to log in.
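The following is an added example of what the server side of such a check looks like; it is not Fermilab code and does not describe the RSA product. It assumes the token generates codes with the open HOTP algorithm (RFC 4226, an HMAC-SHA1 over an event counter) rather than RSA’s proprietary scheme, and the user record, seed and password in it are constructed sample data. The point it shows is that the password and the token code are verified independently, that either one alone is rejected, and that a code is consumed once used, so a copied code cannot be replayed.

```python
"""Two-factor login check: something you know (a password) plus something
you have (a hardware token that generates one-time codes).

Added example, not Fermilab code.  Token algorithm assumed to be HOTP
(RFC 4226) rather than RSA SecurID's proprietary algorithm; all user data
below is constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code for a given counter value (what the token displays)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash; the server never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class UserRecord:
    """What the authentication server keeps for one user (constructed sample)."""

    def __init__(self, password: str, token_seed: bytes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.token_seed = token_seed      # shared secret programmed into the token
        self.token_counter = 0            # next counter value the server will accept


LOOKAHEAD = 3   # tolerate a few token presses that never reached the server


def login(user: UserRecord, password: str, code: str) -> bool:
    """Both factors must pass; a code is accepted once and then consumed."""
    pw_ok = hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)

    # Evaluate the token code even when the password failed, so response
    # timing does not tell an attacker which factor was wrong.
    matched = None
    for c in range(user.token_counter, user.token_counter + LOOKAHEAD + 1):
        if hmac.compare_digest(hotp(user.token_seed, c).encode(), code.encode()):
            matched = c
            break

    if pw_ok and matched is not None:
        user.token_counter = matched + 1  # consume the code: replaying it fails
        return True
    return False


def demo() -> dict:
    """Exercise the four cases a practitioner cares about."""
    seed = b"12345678901234567890"          # RFC 4226 test seed (constructed sample)
    password = "correct horse battery staple"
    user = UserRecord(password, seed)
    return {
        "password only": login(user, password, "000000"),       # guessed code
        "token only":    login(user, "wrong-password", hotp(seed, 0)),
        "both":          login(user, password, hotp(seed, 0)),
        "replay":        login(user, password, hotp(seed, 0)),  # same code again
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:14s} -> {'accepted' if ok else 'rejected'}")
```

Only the “both” case is accepted. The look-ahead window is the usual trade-off: a small window keeps the server in step with a token whose button was pressed without logging in, while a large one widens the space an attacker can guess into.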

Fermilab now operates a two-factor authentication service using tokens from the vendor RSA, which are being distributed to those who need access to sensitive applications. They are already in use for access to our domain controllers, which govern access to all Windows systems at the lab. Soon they will also be required for access to network control systems, for certain business applications and for certain types of remote access to sensitive systems, so you will see these tokens in more widespread use as they are extended to more systems.

Irwin Gaines