However, solutions do exist, and security professionals must play an active role in their adoption.
Strong authentication is the practice of requiring at least two forms of identity authentication for accessing a network or online application. This usually means combining something a user "knows," such as a password or challenge/response question (what's your pet's name?), with something a user "has," such as a token or smart card. Who a person "is," determined by a photograph, a biometric scan or fingerprint, to ensure authentication, may also be included with stronger authentication to verify identity. The difficulty comes in combining these forms in a way that balances the certainty of the person's identity against the possible user experience barriers/difficulties created by this additional checking.
Historically, most strong authentication solutions consisted of proprietary technologies that were developed to meet requirements of specific vertical markets. As a result, many of these solutions are not interoperable and can be costly to deploy.
The Liberty Alliance took a hard look at the critical challenges facing the industry and created the Strong Authentication Expert Group to help organizations meet new industry and government demands for stronger authentication solutions.
We also have worked diligently to develop the market requirements for appropriately deploying strong authentication in a federated environment.
To date, the focus has been on determining business-use cases and what existing standards activity is already underway so the Alliance does not re-create the wheel.
Liberty's Strong Authentication Expert Group is expanding the alliance's work beyond federation to build ID-SAFE (Identity Strong Authentication Framework), an open framework that allows hardware and software tokens, smart cards, SMS-based systems, and biometrics to interoperate across organizations, networks and vertical market segments. ID-SAFE eliminates the need to rely on passwords and user names alone. It aims to enable these individual mechanisms to interoperate, reducing costs, increasing security and improving ease of use.
The ID-SAFE technical development process will be modeled on the group's successful introduction of identity specifications for federated identity management.
Liberty also will incorporate relevant work from other open standards bodies into its specifications. We welcome any open standards bodies to participate in the development of ID-SAFE.
We believe ID-SAFE will help drive mass adoption of strong authentication by dramatically reducing the costs and time required to deploy and manage strong authentication solutions. It will increase ease-of-use and interoperability across all vertical segments, and provide organizations with opportunities to focus on developing new lines of business without having to worry about compromising their customers' identities. On the consumer side, Liberty Strong Authentication will offer increased protection against identity theft and fraud, a seamless user experience across networks, and advanced privacy protection — from anonymous to strong — based on individual user content and controls.
As organizations move toward a password "breaking point," they will need to strengthen user authentication with alternative security methods. Organizations should begin planning now for their eventual transition from passwords to stronger authentication methods.
A standards-based framework, ID-SAFE provides a roadmap for transition and helps make the internet a more secure place.
Roger K. Sullivan serves as vice president of the Liberty Alliance's Management Board and is vice president, business development for Oracle Identity Management.
