Operating System Security Login and Smart Token Two-Factor Authentication

12/19/2024

As the bridge between computer hardware and software, the operating system is the first line of defense for user identity and data security. The security of the system login process directly determines the security of user data and system resources. Making the login process secure without making it unusable is the problem that system designers and information security practitioners have been working on.

Login Credentials for Operating System

Users must present login credentials when logging into the operating system. “Username + password” is usually the default credential, so the security of the login process depends entirely on the strength and secrecy of the password.

Advances in AI and computing power also make passwords easier to crack. Simple passwords are susceptible to brute-force or dictionary attacks, which leads to unauthorized access and leakage of user data. Complex passwords are hard to remember, and a forgotten password means the user cannot log in to the system at all.

To meet diverse login and security requirements, the login authentication frameworks of mainstream operating systems support not only “username + password” but also biometrics (fingerprint, iris, etc.), PIN, Smart Card and other credentials. These credentials fall into the following three categories:

a. Knowledge factors: such as passwords, PINs, etc.

b. Possession factors: such as Smart Cards, Smart Tokens and other physical devices the user holds.

c. Characteristic (biometric) factors: such as fingerprints, irises and other biological features.

When two or more authentication factors are used in the authentication process, it is called Multi Factor Authentication (MFA). When using two authentication factors, it is also known as Two-Factor Authentication (2FA).

By offering several login methods, the operating system improves the usability of the login process; by combining them as multi-factor authentication, it improves the security of the login process.

Introduction of Smart Token

Smart Token is an identity authentication product that combines modern cryptography technology, Smart Card technology, chip integrated circuits, and other technologies. It has a built-in secure storage space to store sensitive data such as user private keys and certificates. The private key is always stored in the secure storage space and cannot be exported. It is characterized by high security and mature technology.

Common Smart Tokens include the first-generation USBKey, the fingerprint USBKey, the second-generation USBKey with a button and display screen, the Bluetooth USBKey, etc.

When a Smart Token is used for identity authentication, the user must present two independent authentication factors: the physical Smart Token device itself (possession) plus either the PIN (knowledge) or a fingerprint (characteristic).
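The following Python simulation, added here as an illustration and not part of the original article or of any vendor's product, shows why the possession + PIN combination described above is stronger than a password: the device key never leaves the token object, a signature is only produced after a correct PIN, wrong PINs count down to a lockout, and the authentication service issues a fresh random challenge so a captured response cannot be replayed. HMAC-SHA256 with a secret shared at enrollment stands in for the asymmetric signature a real token computes with its non-exportable private key; the class and function names are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class SmartTokenSim:
    """Constructed stand-in for a Smart Token. The device key is created
    inside the object and is handed out only once, at enrollment, to the
    authentication service (a real token would register a public key or
    certificate instead and never reveal the private key)."""

    MAX_PIN_ATTEMPTS = 3

    def __init__(self, device_id: str, pin: str) -> None:
        self.device_id = device_id
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._device_key = secrets.token_bytes(32)   # never read directly by callers
        self._remaining_attempts = self.MAX_PIN_ATTEMPTS
        self._unlocked = False

    def enrollment_material(self) -> bytes:
        # Enrollment-only: verification material for the service.
        return self._device_key

    def verify_pin(self, pin: str) -> bool:
        """PIN check with a retry counter; a locked token rejects every PIN."""
        if self._remaining_attempts == 0:
            return False
        candidate = hashlib.sha256(pin.encode()).digest()
        if hmac.compare_digest(candidate, self._pin_hash):
            self._remaining_attempts = self.MAX_PIN_ATTEMPTS
            self._unlocked = True
            return True
        self._remaining_attempts -= 1
        self._unlocked = False
        return False

    def sign_challenge(self, challenge: bytes) -> bytes:
        """Only an unlocked token signs, and each PIN entry allows one signature."""
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        self._unlocked = False
        return hmac.new(self._device_key, challenge, hashlib.sha256).digest()


class AuthService:
    """The verifying side: binds a device to a username and checks responses."""

    def __init__(self) -> None:
        self._bindings: Dict[str, Tuple[str, bytes]] = {}
        self._pending: Dict[str, bytes] = {}

    def enroll(self, token: SmartTokenSim, username: str) -> None:
        self._bindings[token.device_id] = (username, token.enrollment_material())

    def issue_challenge(self, device_id: str) -> bytes:
        if device_id not in self._bindings:
            raise KeyError("unknown device")
        challenge = secrets.token_bytes(32)        # fresh nonce per attempt
        self._pending[device_id] = challenge
        return challenge

    def verify(self, device_id: str, response: bytes) -> Optional[str]:
        """Returns the bound username on success, None otherwise.
        The challenge is consumed, so a replayed response fails."""
        challenge = self._pending.pop(device_id, None)
        if challenge is None:
            return None
        username, key = self._bindings[device_id]
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return username if hmac.compare_digest(expected, response) else None


def login(service: AuthService, token: SmartTokenSim, pin: str) -> Optional[str]:
    """Full possession + PIN flow: the username comes from the device binding,
    so no username or password is typed."""
    if not token.verify_pin(pin):
        return None
    challenge = service.issue_challenge(token.device_id)
    response = token.sign_challenge(challenge)
    return service.verify(token.device_id, response)


if __name__ == "__main__":
    svc = AuthService()
    tok = SmartTokenSim("dev-0001", "1234")        # constructed sample device
    svc.enroll(tok, "alice")
    print("correct PIN ->", login(svc, tok, "1234"))
    print("wrong PIN   ->", login(svc, tok, "0000"))
```

Note that a wrong PIN never reaches the service: the token refuses to sign, so the challenge is never answered, and after three wrong PINs the token stays locked even for the correct one. A stolen device without its PIN, or a known PIN without the device, cannot complete the flow, which is the two-factor property the article relies on.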

Secure Login to Operating Systems with Smart Token

1. Secure Login to Windows System

The login authentication framework of the Windows operating system has kept evolving. Since Vista, Microsoft has retired the old GINA framework and introduced the Credential Provider (CP) authentication framework.

The CP framework is highly extensible: it simplifies third-party identity authentication and makes it straightforward for third parties to develop and deploy CP-based login modules. The latest Windows 11 systems still support this framework.

Integrating the Smart Token authentication module into the CP framework enables Smart Token login on Vista and later systems. Smart Token authentication effectively improves both the security and the convenience of the Windows login process.

The CP-based Smart Token authentication architecture of the Windows system is shown in the figure below.

Figure 1 Smart Token CP Authentication Architecture

The Smart Token authentication module, implemented in accordance with the CP interface specification, can be used for local account login and domain account login.

2. Secure Login to Linux System

Linux systems usually authenticate through the general Pluggable Authentication Modules (PAM) framework. PAM provides a centralized authentication mechanism, and the system administrator can flexibly configure different authentication methods for different services and applications, for example by setting the authentication module and policy used by the login service.

Developers can implement custom authentication modules and mechanisms on top of the PAM framework. A Smart Token PAM module supports secure login to Linux systems with the Smart Token authentication method. The Smart Token PAM authentication framework is shown in the figure below.

Figure 2 Smart Token PAM Authentication Framework

When a user logs into the Linux system, the system loads and calls the Smart Token authentication module according to the policy in the PAM configuration file. The module identifies the inserted Smart Token device and obtains the user information bound to it. The user then enters the Smart Token PIN or presents a fingerprint to generate the login credential. The authentication service verifies the credential and allows the user to log in once it passes. The login process no longer requires a username and password.
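As an added illustration of the PAM policy described above, not taken from the article or from any vendor's documentation, the fragment below shows how a Smart Token module would be stacked in the PAM service file for the login service. The module name `pam_smarttoken.so` and its `pin_retries` option are hypothetical placeholders; the control flags and the `pam_unix.so` lines are standard Linux PAM.

```text
# /etc/pam.d/login  (illustrative fragment; pam_smarttoken.so is a placeholder name)

# requisite: the Smart Token module identifies the inserted device, looks up
# the bound user and prompts for the PIN. If it fails, the whole auth stack
# fails immediately and no password prompt is ever reached.
auth     requisite   pam_smarttoken.so  pin_retries=3

# If the operator wants a password fallback instead, the token line would be
# "sufficient" followed by pam_unix.so. Be aware that such a fallback means
# a password alone still logs in, so two-factor login is no longer enforced.
# auth   sufficient  pam_smarttoken.so
# auth   required    pam_unix.so

# account and session handling stay as shipped by the distribution.
account  required    pam_unix.so
session  required    pam_unix.so
```

Two practical checks before relying on such a policy: keep an already-authenticated root shell open while editing PAM files, since a broken `auth` stack locks every new login out, and verify with a second terminal that a login attempt without the token is refused rather than silently falling through to the password modules.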

WatchKey Smart Token

Drawing on 30 years of focus on identity authentication and transaction security, Watchdata’s independently developed WatchKey smart password key integrates with operating system login authentication mechanisms. Its “hardware + PIN code” two-factor authentication delivers a secure operating system login solution, enhancing security during the login process and strengthening the first line of defense of the operating system. It provides robust protection for financial transaction security, government e-office systems, login identification, tax document security, and account protection. The solution has been widely adopted across finance, government affairs, electric power, education, healthcare, and energy, demonstrating its reliability and versatility.