Protecting identity during web transactions provides peace of mind to consumers and end-users, reports Eric Butterman.

Members of the IT security community are trusted to control access to sensitive information as much as they are charged with protecting the data itself. Be it the bank customer logging in to her account, the employee trying to access an corporate application or a device seeking permission to connect to the network, effective authentication could be the difference between business-as-usual and a devastating breach.

Two-factor technology has long been a leader in this ongoing battle to verify, requiring computer users to have two means of authenticating their identity before being allowed access to the corporate network.
PayPal and eBay joined the two-factor movement with a key for creating a six-digit code to join a user ID and password in order for their customers to have a successful sign-in. Oracle even went so far as to purchase strong authentication solutions provider Bharosa, partly to enhance its single sign-on offering for enterprise end-users.

In order to fully appreciate a technology such as two-factor authentication, the first step is to recognize that there are multiple places where a breach could occur, says Glenn Veach, chief technology officer for Maumee, Ohio-based 2Factor.

“The question becomes, ‘How do you protect information,' because sometimes it's at rest on the network or a physical device, or even in transit between the network or two parties.”

And that's only the beginning. The enterprise needs content management, as well as policy management, he adds.

“There are cases where information is so sensitive that the IT pro needs to authenticate a user to the device, but also authenticate the device to a trusted network, because one should only be able to open it on that network. A user shouldn't be able to open the document to view it anywhere else.”

Unfortunately, Veach finds that many companies need to have several serious infractions before they step up to a stronger protection solution.

And, he warns that the scenario is likely to get worse. “Enterprise disasters could be devastating in the future,” he says.

It's not just traditional corporations that need this form of protection, but the creative industry as well.
“We work with Hollywood on pre-production video, and it's sensitive because people want to rip off pirated copies of TV shows,” says Veach. “In order to protect their assets, these companies need to collect content from the field. So it's incumbent on us to authenticate that once distributing it out to the producer or director.”

Protecting consumers
Paul Smocer, vice president of security at BITS, a nonprofit consortium with a focus on security of financial transactions, has also found that two-factor authentication helps in protecting consumers from identity theft.

But, he recommends first finding out how much protection is required.

“Companies really need to perform their own risk assessment of what they're presenting to the customer, and what the appropriate level of two-factor authentication should be,” he says.

He cites the Federal Financial Institutions Examination Council (FFIEC) guidelines as a key source for direction.

“The guidelines...have helped the industry bolster its protection of its customers,” says Smocer.
It's all about protecting the information from a consumer who is accessing websites. But in cases where an organization with a business relationship can get to information, the guidelines call for them to identify where that information was used and to assess the risk of accessing it across a few dimensions, he says.

Moving funds from a checking account to a savings account is one example, Smocer says.
“A transaction couldn't move outside of a sphere of controlled accounts, or a user would not be allowed to move funds from customer accounts into a third-party account,” he adds.

The transaction could also involve a bill payment or wire transfer applications, so organizations are asked to look at non-public targeted information and to assess the risks with each of its applications.
“Based on that assessment, they could see if two-factor was the right way to go and what type might make the most sense,” he says.

BITS's Smocer expects further developments in authentication.

“If I as a consumer choose, for example, to give up answers to someone else, I compromise my own authentication. It's more about an awareness and an education by institutions to understand the importance of keeping their credentials private. We're all told to protect passwords, but if we put it on a yellow stickie on our PC, that takes the protection away.”

He thinks the industry as a whole and the vendors that provide authentication software will be looking at biometrics as a growing research area. The question is whether this can gain acceptance over time. It's a long, continuing battle, he says.

“To stop the hacker community we need to see more effort in looking at how effective protections are and what compromises are arising,” he says.


Biometrics: Positive IDs
With biometrics emerging as a major part of the future of authentication, here is a look at some of its key components:

Fingerprints – Considered particularly reliable. One example comes from Digital Persona, which uses a fingerprint swipe reader on notebooks for companies such as Dell, HP and Fujitsu. Proprietary software enables users of supported notebooks to register their fingerprints and authenticate using either the embedded reader or an attached reader.

Face recognition
– A face recognition camera, such as the those from Bioscrypt, are marketed to adjust to myriad picture problems. The company's VisionAccess 3D DeskCam is said to perform both verification and identification operations.

Iris recognition – This popular method uses pattern recognition techniques based on high resolution images of an individual's eyes. This strategy has been successfully deployed at  Schiphol Airport in the Netherlands since 2001 to permit passport-free immigration. It's also been used by the U.S. Marines in Iraq to positively identify registered residents.