Risk
5/16/2013
03:30 PM

The Future Of Web Authentication

After years of relying on passwords, technology vendors -- and enterprises -- are ready for new methods of proving user identity.

It may have been drawn two decades ago, but the old New Yorker cartoon still rings true: "On the Internet, nobody knows you're a dog."

"It's really easy to be whoever you want to be on the Internet," says Paul Simmonds, a board member of the Jericho Forum, a group of security thought leaders dedicated to advancing secure business in open network architectures. "We've known about it as an industry for 20 years. We've done almost nothing about it. So shame on us."

The process of authenticating users online -- that is, verifying that you are who you say you are -- has remained largely unchanged for years. When Internet users register to get access to a website, they provide an online service, called a "relying party," with personal information to prove their identity. They create user names and passwords, and forever after use that combo to prove their identity to the relying party when logging in. It's simple, it's intuitive -- and it's highly insecure.

The user name-password approach is "the lowest common denominator for authenticating," says Clain Anderson, director of software at Lenovo. It's "like using sticks and rocks versus a rocket launcher," he says.

In the near term, vendors and researchers are supplanting or augmenting passwords with easier and cheaper authentication factors, such as fingerprints, mobile phone tokens and digital certificates based on asymmetrical cryptography. Along the way, a number of industry coalitions are working on replacing passwords altogether.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
froggywentacourtin,
User Rank: Apprentice
8/8/2014 | 1:16:29 AM
re: The Future Of Web Authentication
 

Macker,

You are so VERY correct.  The last thing I want is some sort of universal identifier that all of these sleazeball companies and government agencies can use to map every aspect of my life.

 

I use separate email/user names and unique highly secure passwords with every site I use. If slack IT people and less than bright CEOs would get their act together, that would suffice.

 

How did the Russians collect over 1 billion user names and passwords?  SQL injection?  Who dropped the ball there?  Why is SQL injection still possible on any real web site?

 

Once again, they want to punt the problem over to the consumer.  After all, they hate this whole idea of personal privacy, so why not use their ineptness to justify stripping away the last vestiges of it?

TOR won't help much if we all have to have our government issued smart card plugged in to log on. And of course, no one will EVER figure out a way to compromise the shiny new "solution to everything".

 

Oh well, got to go polish my tinfoil hat...
macker490,
User Rank: Ninja
5/21/2013 | 12:41:17 PM
re: The Future Of Web Authentication
"nobody knows you're a dog"
the other 'Net quip is that the Internet is a Fools' Paradise
perhaps so, but that aside there are a lot of not so nice folks out on the net, which is why it is essential to remain anonymous unless the connection has a legitimate need for a real ID such as online shopping.

and NO, advertising sites do not fall in that category.