03:30 PM
Connect Directly
Repost This

The Future Of Web Authentication

After years of relying on passwords, technology vendors -- and enterprises -- are ready for new methods of proving user identity.

The Limits Of Multifactor Authentication

The security industry has developed a number of workable, if imperfect, supplemental authentication factors to tack onto the user name-password schema.

The most basic is a challenge question system that requires users to answer questions that strangers wouldn't likely know, such as "What is your mother's maiden name?" and "What street did you grow up on?" While this approach increases the barrier to entry into a site or a system, the answers are possible to steal or find out with Internet searches.

More secure are biometric readers that tie in fingerprints, retinal images or voice prints with a user's identity. There also are hardware-based one-time-password tokens, such as those RSA sells. A user gets a key-chain-sized hardware fob that generates a multiple-number PIN created by an algorithm using some variable like the time of day combined with an additional value stored on the device called the seed. That seed is tied to the user's identity on the back-end system that controls access to whatever software or online site needs protecting. Each time the user logs in, he presses a button on the fob to get a PIN that's created on the spot using the algorithm, the variable and the seed value. The person then enters a user name, password and PIN into the system, which crunches the PIN algorithm based on that user's mutually shared seed with an additional variable that can be tied to that user's identity.

Hardware tokens and biometrics have worked reasonably well in business environments that require people to sign on to an internal network, hardware device or software system. However, they haven't translated well online, because the cost of providing tens of thousands of people with the hardware is prohibitive. Two-factor systems based on tokens are difficult to use since people must have the PIN-generating device any time they log on. For online authentication to be widely used, people would have to carry numerous fobs to authenticate into multiple websites. It's an unwieldy process and still based on shared secrets -- though admittedly more complicated ones.

Crooks can't steal the shared secret directly, but they can steal a person's hardware token and log on as that user. In 2011, thieves attacked RSA and gained access to the token seed data for many customers in one fell swoop, forcing the company to reissue tokens with new shared secrets.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

3 of 6
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
5/21/2013 | 12:41:17 PM
re: The Future Of Web Authentication
"nobody knows you're a dog"
the other 'Net quip is that the Internet is a Fools' Paradise
perhaps so, but that aside there are a lot of not so nice folks out on the net. which is why it is essential to remain anonymous unless the connection has a legitimate need for a real ID such as online shopping.

and NO advertising sites do not fall in that category.
Register for Dark Reading Newsletters
White Papers
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web