The effect of the Internet since 2001 has fundamentally changed the way we access business systems. The network security perimeter has crumbled at all levels while the number of users needing network access has grown. The geographical spread of users has also widened: they may be not only in a different department or company branch office but anywhere in the world.
Devices for gaining access have multiplied and diversified. Users now want access from mobile and wireless devices, including laptops. The information they want to access has widened to all aspects of business, including email, a broader range of applications, and various types of data.
While there are enormous productivity benefits with increased access, the associated security risks have risen concurrently. The traditional method of securing system access was by authentication via passwords. Unfortunately, traditional password authentication is totally unsuitable for securing the access requirements of today’s distributed users.
According to some 2007 surveys, businesses are still overwhelmingly dependent on user IDs and passwords to check the identity of users attempting to access their systems, with only 1 percent of businesses having a comprehensive approach to identity management: authentication, access control, and user provisioning. And when it comes to authentication, security can vary widely among the six types this article discusses.
Weak single-factor authentication
There is one main advantage and many disadvantages when it comes to weak single-factor authentication, which many are more familiar with as the single static passwords still employed by most companies. One advantage is that static passwords are easy to remember. However, when different systems have different passwords, they can be difficult to remember and may have to be written down, raising their vulnerability.
The many disadvantages of single static passwords include how easy they are to guess. Most often, they are short and based on subjects close to the user—birthdays, partner names, children’s names—and they typically contain only letters.
Single static passwords are also vulnerable to social engineering, i.e., people asking for passwords or guessing them correctly. Some surveys carried out at railway stations have shown how easy it is to get people to reveal their passwords. They can also be picked up by spyware.
The alternate method of password management is changing passwords regularly. Done correctly, this is inherently more secure than static passwords. A disadvantage of frequently changing passwords is that they can be forgotten, leading to high support and increased administration costs. This is particularly relevant for organizations with hundreds of applications.
Single sign-on
Single sign-on (SSO) has major security and user benefits, as well as significantly reduces password management costs. SSO allows users to authenticate once and gain access to multiple, authorized systems. This benefits users when they need to access an increasing number of applications.
However, security is at risk with static password-based SSO because a breach of password security means all systems accessible by a particular user can be compromised. Typically, SSO is deployed along with two-factor authentication. SSO is now undergoing rapid growth thanks to new technology, which has dramatically lowered the cost of deployment.
Strong authentication
Strong authentication involves one of a range of elements such as hardware tokens, soft tokens, fingerprint recognition, or swipe cards. Most strong authentication deployments are used together with passwords, i.e., two-factor authentication.
Strong two-factor authentication
Strong two-factor authentication is a more secure means of authenticating users onto networks because it requires two separate security elements.
It comprises something the user knows, like a password, and something she has, such as a token. Tokens are currently the most popular two-factor solution, due to their low cost, ease of deployment, ease of management, and the standard of security they provide.
Vasco, one of the market leaders, provides hardware tokens that generate one-time passwords. The rapid fall in the price of tokens means they are now available for only a few dollars per user per year. Putting that in perspective, it’s less than the cost of one password helpdesk call. With password calls making up 30 to 50 percent of all helpdesk calls, tokens can represent cost savings as well as a security improvement.
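The following is an added example, not code from the article or from any vendor it names, showing the server side of the two-factor check described above: a password ("something the user knows") plus a counter-based one-time password of the kind a hardware token generates ("something she has"), following RFC 4226 (HOTP). The account password, the Account class and the login function are constructed for illustration; the token secret is the RFC 4226 test-vector key so the generated codes can be checked against that document.

```python
"""Password plus HOTP (RFC 4226) one-time code: a minimal two-factor check.
Added example; not from the original article or any product it mentions."""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """Constructed stand-in for a user record: salted password hash plus the
    token's shared secret and the next counter value the server expects."""

    def __init__(self, password: str, token_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)
        self.token_secret = token_secret
        self.counter = 0

    def check_password(self, candidate: str) -> bool:
        h = hashlib.pbkdf2_hmac("sha256", candidate.encode(), self.salt, 200_000)
        return hmac.compare_digest(h, self.pw_hash)

    def check_otp(self, code: str, window: int = 5) -> bool:
        # The token's counter can run ahead of the server's (button pressed
        # without logging in), so accept any of the next `window` codes.
        # On success the counter moves past the code that was used, so the
        # same one-time code can never be accepted a second time.
        for c in range(self.counter, self.counter + window):
            if hmac.compare_digest(hotp(self.token_secret, c), code):
                self.counter = c + 1
                return True
        return False


def login(account: Account, password: str, code: str) -> bool:
    """Both factors must pass. The password is checked first so that a wrong
    password never consumes (or leaks anything about) a one-time code."""
    if not account.check_password(password):
        return False
    return account.check_otp(code)


if __name__ == "__main__":
    # RFC 4226 Appendix D test key; the codes for counters 0 and 1 are
    # 755224 and 287082 respectively.
    secret = b"12345678901234567890"
    acct = Account("correct horse", secret)
    print(login(acct, "correct horse", hotp(secret, 1)))  # True
    print(login(acct, "correct horse", hotp(secret, 1)))  # False: replay
```

Two design points a practitioner would want: the look-ahead window is what makes a drifted token usable without manual resynchronisation, and advancing the counter past the accepted code is what turns a "password" into a one-time password; without that step a captured code (by spyware, as the article notes) would work again.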
Other two-factor options include soft tokens that can be sent to cell phones, swipe cards, USB authentication, and fingerprint recognition. Proximity authentication is another, which means that once authenticated and within wireless range, users will not need to reauthenticate, for example, when they use SecureClient Mobile to roam across cellular or WiFi networks.
Similarly, as with physical/logical security, physical swipe card entry systems linked to IT security allow organizations to integrate access security with network security.
Three-factor authentication
Three-factor authentication is far superior to all other methods of authentication, involving something the user knows (a password), something she has (an authentication token), and something that is part of her (e.g., fingerprints, retinas, facial features). While biometric authentication is more costly, it is appropriate for high-security departments such as R&D and finance.
Biometric authentication
Biometric authentication is a more recent and developing area of security technologies. It can be used as either the second or the third factor. Examples of physical or physiological (biometric) authentication include fingerprint identification, scanning of retinas or irises, facial-pattern recognition, and hand measurements. Biometric authentication is more appropriate than tokens for certain applications, such as some manufacturing environments.
Conclusion
The growth of the Internet, the increase in users requiring access to networks, and the move to remote working have fundamentally changed the requirements for authentication over the last few years. However, users are still lagging behind these developments and relying on single static passwords, which are wholly inadequate.
The need for strong authentication is greater than ever, the cost of solutions such as single sign-on technologies like UserAuthority and strong two-factor authentication has come down, and these solutions are now easier to use. It is time for companies to improve their authentication procedures, if they want to remain secure and avoid potential business disruption, financial loss, and reputation damage.