Authentication: Strength, cost and simplicity
This month we look at authentication. This is a constantly evolving product group and, therefore, a very interesting one. Historically, authentication meant username and password. We quickly got to the point where those "in the know" understood that simple protections are simply defeated. The notion of "strong authentication" was born, but it was unclear what that really meant. It still is not really well understood.
There are several ways to think about strong authentication. It might mean one-time passwords. Or it might mean multifactor authentication, which was and still is a popular definition. I think back over my very early years in security – while I was in the Navy – and I recall what we used to think of as strong authentication. It consisted of a pair of books. There were two copies of the pair: one went to a pilot while the other stayed back in the communications center.
When one user wanted to send a message to the other, he opened the first book and selected a key, which he transmitted verbally to the other person. That dictated the code for the message and could be used only once. Once the code was selected, the sender would verbally spell out the letters of the message from his other book, which the receiver would then decode with the second book using the same key. Pretty complicated, but pretty secure. There were several variations on this method of authentication, all based on the concept of a one-time pad, but you get the idea. That was strong authentication in the 1960s. Today we have lots of better choices.
Strong authentication today, however, seems to be taking a back seat to convenience. It is convenient to use a username and password. You can use one password for everything, make it your dog's name and you've got an easy-to-remember – and easy-to-compromise – authentication. After all, what could be simpler than "Fido1234"? Easy to remember, but a very bad idea, compounded, of course, by using the same password for everything.
So, the big question is: How do we retain the simplicity of Fido1234 and still get something secure? As much as strong authentication today is about the cool technologies surrounding it, answering that question is really at the heart of what we now view as strong authentication. We want the strength of the one-time pad with the simplicity of Fido1234.
The second issue – or, if you include the strength of the authentication scheme itself, the third – is cost. I really want my bank customers to use strong authentication. It minimizes phishing impacts and a bunch of other things. But I have 100,000 or more customers (this is a smallish bank) and I don't want to send every one of them a $75 hardware token, half of which will be lost or broken and which I'll have to replace. Also, teaching my blue-haired granny to use a time-based token may be more of a challenge than my help desk is up to.
The alternative, though, is a user-selected PIN. With a four-character minimum, you can bet that 90 percent will be four characters. And the number? 1234 is always a good choice. Neither of these options is particularly appealing. So that, really, is what strong authentication – and this month's offerings – are all about: strength, cost and simplicity. I hope that you enjoy this as much as I enjoyed doing it, and perhaps you, as I did, will find something new to consider in the evolving field of strong authentication.