Content

Authentication

This group has been around so long that it is getting harder and harder to come up with an opening column each year. After all, how much is there to say about a product type whose reason for existing is to make sure that you are who you claim to be. There. That's it. Nothing more to say, right? Well, not exactly. We are constantly amazed by the level of ingenuity that this product group displays year after year. Really, our best course of action is to let the products speak for themselves. But, just for the sake of formality, we'll continue to help them along.

The basic idea behind authentication is that a subject identifies itself, proves it's who or what it claims, and then becomes authorized to do certain things, usually based on a policy of some sort. That's really all there is to it. But, if this is so simple, why do we keep getting it wrong? Why are there record-breaking breaches month after month, year after year? The reason is simplicity itself: The simplicity of taking the easy way out. The username and password that are predictable and crackable. The predictable username patterns that can be guessed easily by looking at a dozen or so email addresses from a given organization, and the passwords that are simple (remember Fido1234?) and that get reused on all of that user's accounts. That's the problem, and a tough nut it is to crack - much tougher than Fido1234.

We access the US-CERT portal for some of our research. They have a really neat approach - one that took us aback somewhat. When we type our username to login, it is masked in exactly the same way that passwords are. Then we use a combination of an assigned PIN and an RSA SecurID token-generated PIN. That, of course, is masked as well. So we have a nice combination of something we know (the PIN and the username... not, by the way, a standard email username), something we possess (the hardware token), and something that changes dynamically (the time-based token calculation for the second half of the PIN). Nice and secure.

However, this is an expensive approach - the hardware tokens are pricier than other forms of token - and it may be difficult for some people to master. We need alternatives. That is what keeps this product group interesting year after year. There are drivers that shape this market. Price is a key issue. Ease of use and, of course, security are critical. Along with the obvious customer ease of use there is, for the enterprise world, administrator ease of use. Admins may be more experienced than the people they support, but they also spend their days putting out fires. They have no time to play with a tool just to get it to work. That might be fun, but it certainly isn't practical.

The products in this year's authentication group go a long way toward addressing both the cost and ease of use issues. As well, they address security, but in each one's own unique way. So, with all of this choice, how do you chose? There are a few simple rules that can guide you.

First, don't buy more than you need. The US-CERT approach is very cool and quite secure, but there is a lot of really sensitive stuff behind that locked door. Stuff that affects national security. It needs a lot of protection. Start with the assumption that you need strong authentication - you do. No matter who you are, you do. Then start thinking about your users, your organization, its topological footprint and your support team. Such things as user provisioning, help desk work load and skill sets, cost, organizational growth, the things that you need to protect... all of these help define what you need for strong authentication.

Then - and perhaps we should have started here - think about what you want to protect. It is not uncommon to have multiple levels of strong authentication. In today's environment with open source standards such as OAUTH, mixing and matching products is a lot easier than it used to be. So take the example of a bank. The customers need strong authentication - simple, cheap, secure. The employees need strong authentication: Perhaps not quite so simple, maybe not as cheap and probably more secure. Then there are high-risk user accounts, such as system administrators. Simple doesn't matter much. Cost, within reason, is not much of an issue. Rather, the driver here is security. That could well be three different types of devices, some hardware and some software.

So, it's time to dive into the products. We'll just log back into the website and grab our notes... let's see: Fido1234...

Specifications for authentication security tools                      =yes =no

Company

Bayometrics

Datablink 

Gemalto

SecureAuth

Yubico

Supports 
Yubikey

Supports 
physical 
token

Supports software 
authentication

Offers self-service 
password reset

Offers API 
for custom 
products

Offers biometric 
support

Offers RADIUS
support

with supporting 
back-end solution
Offers VPN 
support

with supporting 
back-end solution
Offers Active 
Directory 
support

with supporting 
back-end solution
Offers SMS 
authentication

Offers 
Bluetooth 
authentication


At press time, we had yet to receive specification details from PortalGuard and Vasco.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.