Tokens aid IT security

Sept. 1, 2003
In his book, “Being Digital,” Nicholas Negroponte, founding head of the MIT Media Lab, draws a fundamental distinction between atoms and bits.

Atoms, the stuff of matter, have historically been the focus of commerce: making, moving, and repairing things drove the economy even before the industrial revolution. Bits, on the other hand, are the stuff of the virtual world. Whether stored on disks, traversing fiber-optic networks, or sitting in the random access memory in our desktop computers, bits are the indivisible units that are assembled into the information edifices of our age.

In the world of automated manufacturing, atoms and bits collide in a way that has significant implications for information technology (IT) security. More and more manufacturing companies are relying on networked software to manage the production process. Or to put it another way, they are using bits to manage atoms. And when the bits that manage atoms are connected to the Internet, the prospect of havoc can be very real.

We are all familiar with user names and passwords as the mechanisms we use to get into our computers. Passwords, however, are a notoriously bad authentication mechanism. They can be stolen, shared, inadvertently revealed, or guessed. Even passwords stored only as hashes will eventually yield to offline cracking tools if the password file falls into the wrong hands, because the attacker can then test guesses at his own pace, with no lockout to stop him. In computer security circles, passwords are considered “weak” authentication. In contrast, “strong” authentication, also called “two-factor” authentication, adds either a) something you have, or b) something you are, to the something you know: the personal identification number (PIN) or password.
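As an added illustration (not from the original article), here is what the offline attack looks like once a password file has leaked. The file format, the salted SHA-256 scheme, the user names and the wordlist are all constructed for the example and describe no product mentioned on this page.

```python
import hashlib
import os

# Added example: offline dictionary attack against a leaked password file.
# The "user:salt_hex:sha256_hex" format and salted SHA-256 are assumptions
# made for this illustration; they do not describe any product on the page.


def make_record(user, password, salt=None):
    """Build one line of the (constructed) password file."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{user}:{salt.hex()}:{digest}"


# Constructed sample "stolen" file: two weak passwords and one random one.
STOLEN_FILE = "\n".join([
    make_record("alice", "password1", bytes.fromhex("0123456789abcdef")),
    make_record("bob", "Summer2003", bytes.fromhex("fedcba9876543210")),
    make_record("carol", "xK9#vQ2!mT7$wR4p", bytes.fromhex("0011223344556677")),
])

# Constructed wordlist; real attacks use millions of entries plus mangling rules.
WORDLIST = ["123456", "password", "letmein", "password1", "Summer2003", "admin"]


def parse_records(text):
    """Yield (user, salt, digest_hex) for each non-empty line of the file."""
    for line in text.splitlines():
        if not line.strip():
            continue
        user, salt_hex, digest = line.split(":")
        yield user, bytes.fromhex(salt_hex), digest


def crack(text, wordlist):
    """Recompute each guess under each user's salt; nothing rate-limits us."""
    found = {}
    for user, salt, digest in parse_records(text):
        for word in wordlist:
            if hashlib.sha256(salt + word.encode()).hexdigest() == digest:
                found[user] = word
                break
    return found


if __name__ == "__main__":
    print(crack(STOLEN_FILE, WORDLIST))  # alice and bob fall; carol survives this list
```

The salt defeats precomputed tables, but each user still costs the attacker only one hash per guess, and a slow, memory-hard key derivation function raises that cost without rescuing a password like “password1”. That is the asymmetry a one-time token removes: the code it shows is good for a minute and never reused, so there is nothing in a stolen login to replay.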

Using bits to move atoms is among the circumstances where we consider strong authentication to be mandatory. That is, if you are using computer software to move or manipulate a physical object, passwords just don’t cut it, especially if the control software is accessible through the Internet.

So, strong authentication means adding “tokens” or biometrics to the authentication process. Both of them add to the “hassle factor,” but depending on requirements, it’s not hard to figure out the right choice.

Things people don’t like about biometrics include their use of invasive technology such as retinal scanners. And some of the technologies more acceptable to the squeamish, such as voice recognition software or thumbprint devices, can produce annoying false-rejection rates, turning away the legitimate user. The nice thing about biometrics is that no matter how forgetful a person is, nobody ever leaves his or her thumb on the bedroom nightstand.

At Accenture, we recently chose the RSA SecurID token from RSA Security, Bedford, Mass., and deployed it to all of our approximately 70,000 employees. Of the several form factors available, we chose the key fob. It is a device about 2 in. by 1 in., with a small liquid crystal display that shows a code generated by a hash algorithm from a symmetric key (the seed) contained in the token and the current time from the token’s internal clock. The algorithm generates a new six-digit number every 60 seconds. To log in, the user enters a four-digit PIN (something you know), followed by the number currently displayed on the key fob (something you have).

A server, known as an ACE server, runs the same algorithm and holds the seed for each token, so it can compute the number any given token is showing at any moment. Because the seed never leaves the token and the server, and the hash cannot be run backwards, observing any number of past codes does not help an attacker guess the next one. The flip side is that the secrecy of the seeds, in the tokens and in the server’s database, is what the whole scheme rests on.
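To make the mechanism concrete, here is an added example (not the article’s code, and not RSA’s algorithm, which was proprietary) of a time-based one-time-code scheme built the way the text describes: a shared seed, a clock, a hash, a six-digit code every 60 seconds, and a server that recomputes it. It uses the public HMAC construction of RFC 4226 / RFC 6238; the choice of SHA-1, the 60-second step, the one-step drift window, the four-digit PIN and the class and function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct
import time

# Added example: a SecurID-style token and its verifying server, built on the
# public HMAC-based one-time-password construction (RFC 4226 / RFC 6238).
# All parameters below are assumptions chosen to mirror the article, not RSA's
# actual (proprietary) algorithm.

STEP_SECONDS = 60   # the fob shows a new number every minute
DIGITS = 6          # six-digit display
DRIFT_STEPS = 1     # server tolerates one step of clock drift either way
PIN_LENGTH = 4


def token_code(seed, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """The number the fob displays at unix_time.

    counter = floor(time / step); code = truncate(HMAC-SHA1(seed, counter)).
    """
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class AceLikeServer:
    """Server side: knows each user's PIN and the seed inside their token."""

    def __init__(self):
        self._users = {}          # user -> (pin, seed); protect this store!
        self._last_counter = {}   # user -> last accepted time step (replay guard)

    def enroll(self, user, pin, seed):
        self._users[user] = (pin, seed)

    def verify(self, user, passcode, now=None):
        """passcode is the PIN followed by the displayed code, e.g. '1234' + '482910'."""
        now = int(time.time()) if now is None else now
        record = self._users.get(user)
        if record is None or len(passcode) != PIN_LENGTH + DIGITS:
            return False
        pin, seed = record
        entered_pin, entered_code = passcode[:PIN_LENGTH], passcode[PIN_LENGTH:]
        if not hmac.compare_digest(entered_pin.encode(), pin.encode()):
            return False                          # something-you-know failed
        counter = now // STEP_SECONDS
        last = self._last_counter.get(user, -1)
        for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
            candidate = counter + delta
            if candidate <= last:
                continue                          # already used: a replayed code
            expected = token_code(seed, candidate * STEP_SECONDS)
            if hmac.compare_digest(expected.encode(), entered_code.encode()):
                self._last_counter[user] = candidate
                return True                       # something-you-have confirmed
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"                # constructed seed (RFC test secret)
    server = AceLikeServer()
    server.enroll("alice", "1234", seed)
    code = token_code(seed, int(time.time()))
    print("fob shows", code, "login ok:", server.verify("alice", "1234" + code))
```

Two practical points the code makes visible. First, the drift window is a trade-off: every extra step the server accepts gives an attacker one more valid code to guess, so keep it small and correct a token’s recorded offset instead of widening it. Second, `_users` is the crown jewel; a copy of that table lets anyone compute every employee’s codes, so the seed store needs at least the protection you would give a password hash file, and the PIN check should be rate-limited so a captured code cannot be paired with a brute-forced PIN inside its one-minute lifetime.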

The author is manager, security technologies, at Accenture Global Architecture and Core Technologies.