Welcome back from the holidays. It is time to get back to work after the very successful SC World Congress, SC Congress Canada and our annual Innovators issue. It is good to see that innovation in our field has returned to a healthy state. We kick off the year with strong authentication as our theme. That includes multifactor and biometric authentication.
Multifactor authentication provided us with some challenges this time around. The notion of multifactor authentication is being embraced by quite a few vendors, but many are building the capabilities into their larger products. This often requires integration with authentication products, such as smart cards or, as in our other Group Test this month, biometrics. That means that pure-play multifactor vendors are becoming fewer and fewer. That said, some perennial participants are still with us and Mike Lipinski has put them through their paces this month with interesting results.
One of my favorite groups has always been biometrics. We see a very interesting progression of events with this group. First, we see new, innovative methods of biometric authentication. Then, usually within a year or so, we see those companies absorbed by other companies. While this certainly validates the value of the products, it does make for a very fluid market space. This month, we have some very cool products and we also have some new twists on familiar themes, such as USB keys that take fingerprint authentication.
The idea of strong authentication is really starting to take off with the convergence of two important factors: need and cost. Never has the need been greater for strong authentication. Most exploits, especially against financial institutions, depend for their success in great part on weak authentication – such as passwords. There are two major problems with passwords. The first is crackability. Passwords often are weak and easy to crack. Even for relatively strong passwords, cracking tools available today make it possible, eventually, to crack just about any password. That makes passwords, in general, a relatively weak defense.
The second problem is the man-in-the-middle attack. This is an attack – in this context, anyway – where the password is intercepted and replayed. Since there are no time or reuse limitations on passwords, in general, this is a fairly straightforward attack.
In the cost department, the price for very sophisticated multifactor and biometric devices is coming down rapidly making strong authentication practical for larger and larger groups.
Strong authentication addresses both of these issues by providing a one-time/one-use pass code that has limitations on it to prevent reuse or interception attacks. The strongest of these, of course, are multifactor combinations. This allows a combination of factors, such as biometrics, one-time pass codes, PINs and more.
Over the course of this year, we will have the latest products and the market leaders as we have in previous years. However, this year we have adjusted our groups somewhat due to convergences, mergers and acquisitions, and the like. The result is going to be very interesting. Among our “old reliable” we'll have the Norwich University forensics students performing the testing and reviewing on forensic tools for the May issue. In that same issue, we'll look at SIEMs. SIEMs in the context of network forensics, are becoming the state of the practice, so we're keeping the forensic tools together in that sense. In August, we will look at all things email, including security and content management. These are ambiguous terms today, so we decided to put both groups together and give a complete picture. That's the type of thing you can expect in 2011. In a discipline that moves so fast that we are in a constant state of prediction, though, look for some last-minute changes that reflect the fluid nature of our industry.