Identifying Computer Users with Authentication Devices (Tokens)

J-C. Spender
VP Mktg, Enigma Logic Inc., 2151 Salvio, Suite 301, Concord, CA 94520, USA

This paper introduces the reader to hand-held devices for identifying users to computer systems. The technology has two parts; a device or “key” and a software “lock” which teaches the secured system to look for a user’s key. The alternative lock and key interactions are explained. The paper goes on to discuss alternative key/system interfacing technologies, the problems of managing and supporting populations of key devices, and the administration of the lock software. As systems become more complex, comprising multiple CPUs, PCs as terminals and powerful telecommunications facilities, so the security system designer has important options about where to locate the lock.

Keywords: Authentication devices, User identification, Dynamic passwords.

Dr. Spender has been involved with computer security and the introduction of authentication devices for three years. He holds engineering degrees from Oxford (UK) and a Ph.D. in competitive strategy from Manchester (UK). He has worked in nuclear power, computers, and industrial banking as a strategic consultant, and has taught in business schools in UK, US, Canada, New Zealand and Japan. He has published a study of engineering company management - Turnaround, London, 1919 - and numerous papers on corporate strategy. He has many involvements with high-tech start-ups.

North-Holland
Computers & Security 6 (1987) 385-395

1. Introduction

The paper introduces the use of hand-held authentication devices for computer system security. These “personal authenticators” or “tokens” offer a new solution to the old problem of correctly identifying computer users. Effective system administration, security and efficient resource management all depend on correct user identification.
We discuss various types of token and compare them with conventional memorized passwords and, in less depth, with biometric authentication technologies.

As computer systems become more complex, geographically widespread and important, there is a clear need for a better authentication technology. Computer crime statistics show that the insider is often the real threat and that memorized passwords cannot be the basis of effective security. The forthcoming ANSI Secure Sign-on standard will likely demand some version of this new technology.

Authentication technologies have two principal components; a “key,” which might be a token, and a software or firmware “lock” that teaches the secured system to look for that key. Some alternative lock and key interactions are explained.

We address some of the problems presented by this new technology; designing tokens, designing locks, managing the lock, finding where to locate the lock in the host system, and managing the population of tokens (Fig. 1).

We reaffirm that the technology is only a tool in the hands of the system administrator. Security is ultimately about trusting only trustworthy people. We conclude with a discussion of preliminary user and organizational reactions to this technology.

2. Authentication Keys

It is often said that computer users can be identified by what they know, what they have and what

0167-4048/87/$3.50 © 1987, Elsevier Science Publishers B.V. (North-Holland)