Every week there's another article on identity theft and another network is breached. We are all challenged with securing our computers. Whether you are a business securing a global communication system or a home user protecting your personal files and online account information, authentication and identity verification are two challenges we all face. As a business, we want to know that it's really you accessing your private information. As a user of a service, we want to know that no one else can pretend to be "me" and gain access to our information.
User names and passwords are a good start, and we've all gotten better at not using our children's or pet's names for passwords, and not hanging our credentials around the office or home. When we look at the various levels of authentication, the user name and password is commonly known as the first factor of authentication: "something you know."
When a user name and password are no longer sufficient to provide assurance of identity, strong authentication methods are required. Strong authentication has been traditionally defined as two- and three-factor authentication. These additional forms of authentication add "something you have" and "something you are" to the "something you know" factor. Something you have would be technology, such as a token with an additional PIN, or pass-code, to validate that you are, in fact, the person using your credentials. Something you are works in the same fashion and uses such things as a fingerprint or iris scan.
There are numerous solutions addressing the strong authentication market. This month, we focused on solutions that address identification and authentication. We were impressed with both the traditional and unique approaches we found in the products we tested. We were also very surprised with the number of identity and authentication options that were offered. We found soft and hard token offerings (i.e., certificate-based or agent-based as examples of software; and key fob, proximity cards or USB keys as examples of hardware), biometric, PIN-based solutions, out-of-band solutions that would change your cell phone or PDA into a hard token for a one-time password (OTP), and knowledge-based authentication solutions.
Without a doubt, all the solutions we evaluated provided an added layer of security. The plethora of authentication options available today provide organizations a great amount of deployment and management flexibility, and various cost structures to fit most budgets. I did, however, find myself coming back to the traditional definition of strong authentication, and asked myself if authentication forms, such as certificates or agents on computers, machine authentication or even knowledge-based solutions, truly qualified as either something I have or something I am. In the end, I came to the conclusion that any additional level of security is a good thing. We just need to understand that if a notebook or portable device with a soft token install is stolen, and the traditional user name and password is cracked, then that device is compromised.
There will always be challenges in the deployment of client software across a large enterprise. There are logistical and support challenges with distributing, enrolling and supporting hard token technologies. We evaluated solutions that had a near zero footprint from an end-user deployment perspective. As well, we evaluated solutions on the other end of the spectrum that required deploying software and/or hardware for each systems to be secured. We did find that even the more secure solutions - that provided a one-time, token-based authentication - have come a long way in their ability to manage and distribute the tokens to a large enterprise. The server-based solutions required quite a bit of effort and time to install, configure and manage. For those solutions that provided server side management solutions, we were pleased with the management interfaces and the ability to integrate with directory services, such as Active Directory and LDAP. We evaluated solutions that were software based, stand-alone endpoint solutions and appliance-based.
At the end of the day, there are numerous choices available for adding stronger authentication into your current user name and password authentication model. You will find yourself balancing risk, cost and ease of use when choosing the right solution for you or your organization.