Risk
5/16/2013
03:30 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%
Repost This

The Future Of Web Authentication

After years of relying on passwords, technology vendors -- and enterprises -- are ready for new methods of proving user identity.

It may have been drawn two decades ago, but the old New Yorker cartoon still rings true: "On the Internet, nobody knows you're a dog."

"It's really easy to be whoever you want to be on the Internet," says Paul Simmonds, a board member of the Jericho Forum, a group of security thought leaders dedicated to advancing secure business in open network architectures. "We've known about it as an industry for 20 years. We've done almost nothing about it. So shame on us."

The process of authenticating users online -- that is, verifying that you are who you say you are -- has remained largely unchanged for years. When Internet users register to get access to a website, they provide an online service, called a "relying party," with personal information to prove their identity. They create user names and passwords, and forever after use that combo to prove their identity to the relying party when logging in. It's simple, it's intuitive -- and it's highly insecure.

The user name-password approach is "the lowest common denominator for authenticating," says Clain Anderson, director of software at Lenovo. It's "like using sticks and rocks versus a rocket launcher," he says.

In the near term, vendors and researchers are supplanting or augmenting passwords with easier and cheaper authentication factors, such as fingerprints, mobile phone tokens and digital certificates based on asymmetrical cryptography. Along the way, a number of industry coalitions are working on replacing passwords altogether.
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Previous
1 of 6
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Apprentice
5/21/2013 | 12:41:17 PM
re: The Future Of Web Authentication
"nobody knows you're a dog"
the other 'Net quip is that the Internet is a Fools' Paradise
perhaps so, but that aside there are a lot of not so nice folks out on the net. which is why it is essential to remain anonymous unless the connection has a legitimate need for a real ID such as online shopping.

and NO advertising sites do not fall in that category.
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6213
Published: 2014-04-19
Unspecified vulnerability in Virtual User Generator in HP LoadRunner before 11.52 Patch 1 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1833.

CVE-2013-6214
Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 9.05, 10.01, and 10.10 allows remote authenticated users to obtain sensitive information via unknown vectors, aka ZDI-CAN-2042.

CVE-2012-0871
Published: 2014-04-18
The session_link_x11_socket function in login/logind-session.c in systemd-logind in systemd, possibly 37 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on the X11 user directory in /run/user/.

CVE-2012-6646
Published: 2014-04-18
F-Secure Anti-Virus, Safe Anywhere, and PSB Workstation Security before 11500 for Mac OS X allows local users to disable the Mac OS X firewall via unspecified vectors.

CVE-2013-4279
Published: 2014-04-18
imapsync 1.564 and earlier performs a release check by default, which sends sensitive information (imapsync, operating system, and Perl version) to the developer's site.

Best of the Web