The Future Of Web AuthenticationAfter years of relying on passwords, technology vendors -- and enterprises -- are ready for new methods of proving user identity.
The Limits Of Multifactor Authentication
The security industry has developed a number of workable, if imperfect, supplemental authentication factors to tack onto the user name-password schema.
The most basic is a challenge question system that requires users to answer questions that strangers wouldn't likely know, such as "What is your mother's maiden name?" and "What street did you grow up on?" While this approach increases the barrier to entry into a site or a system, the answers are possible to steal or find out with Internet searches.
More secure are biometric readers that tie in fingerprints, retinal images or voice prints with a user's identity. There also are hardware-based one-time-password tokens, such as those RSA sells. A user gets a key-chain-sized hardware fob that generates a multiple-number PIN created by an algorithm using some variable like the time of day combined with an additional value stored on the device called the seed. That seed is tied to the user's identity on the back-end system that controls access to whatever software or online site needs protecting. Each time the user logs in, he presses a button on the fob to get a PIN that's created on the spot using the algorithm, the variable and the seed value. The person then enters a user name, password and PIN into the system, which crunches the PIN algorithm based on that user's mutually shared seed with an additional variable that can be tied to that user's identity.
Hardware tokens and biometrics have worked reasonably well in business environments that require people to sign on to an internal network, hardware device or software system. However, they haven't translated well online, because the cost of providing tens of thousands of people with the hardware is prohibitive. Two-factor systems based on tokens are difficult to use since people must have the PIN-generating device any time they log on. For online authentication to be widely used, people would have to carry numerous fobs to authenticate into multiple websites. It's an unwieldy process and still based on shared secrets -- though admittedly more complicated ones.
Crooks can't steal the shared secret directly, but they can steal a person's hardware token and log on as that user. In 2011, thieves attacked RSA and gained access to the token seed data for many customers in one fell swoop, forcing the company to reissue tokens with new shared secrets.
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. View Full Bio
3 of 6