The Future Of Web AuthenticationAfter years of relying on passwords, technology vendors -- and enterprises -- are ready for new methods of proving user identity.
Multifactor Authentication Within Reach
The financial industry has been a proving ground for two-factor authentication. That push came from the Federal Financial Institutions Examination Council, a government auditing body that works on behalf of several financial regulatory agencies, including the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency and the Office of Thrift Supervision. The FFIEC released its "Authentication In An Electronic Banking Environment" guidance in 2005, requiring banks to augment passwords with additional risk-mitigation mechanisms. The group started auditing banks for compliance at the end of 2006.
The mandate spurred banks to experiment with various forms of second-factor authentication. Many banks instituted question-and-response systems. They also set up fraud-prevention systems that trigger an additional form of authentication if a high-risk event occurs, such as if someone logs in from an unfamiliar computer. That form could be asking a person to enter a code sent via email, text or phone call for an address or number the bank has on file. For high-net-worth customers, some banks invested in hardware tokens. The FFIEC guidance pumped money into development of new forms of authentication, as vendors chased the financial industry's burgeoning compliance market.
But other industries haven't faced these sorts of regulatory requirements, and the costs and inconvenience, along with complacency, have kept them from embracing multifactor authentication. It doesn't make business sense for companies to buy expensive authentication if the accounts they're protecting aren't worth as much as the protections themselves.
Larger online companies, like Google, Twitter and PayPal, see risks to their brands if people get hacked. So all three Internet giants are working on two-factor authenticators. They've each hired authentication experts and are sharing their research on bolstering Web authentication techniques.
Advancements in mobile technology are helping drive multifactor authentication. Putting software tokens on mobile phones could eliminate the need for people to carry around many hardware-based token devices. But this approach continues to use shared secrets -- algorithmic code shared between the user's phone and the relying party's server. Plus, often people are using smartphones to access a website, so they're receiving their tokens on the same devices they're using to log in -- referred to as "in-band" authentication. The in-band approach is only secure as long as the device itself isn't compromised.
An alternative to shared-secrets approaches to authentication is to use mobile devices and asymmetric cryptography. This approach relies on digital signatures signed by encryption keys that are held on a person's devices. The user's identity information is encrypted and stored on her computer using public key cryptography. The keys to unlock that system sit on the computer browser, the mobile device and the identity service provider's cloud server. When the user signs in to a site enabled with the identity provider's software, she must use digital signatures from at least two of these keys to log in. From the user's point of view, it's simple -- done with a click, says Steve Kirsch, founder and CTO of OneID, an identity provider. Another positive is that the relying parties aren't maintaining central repositories for the bad guys to steal from, Kirsch says.
This system doesn't pose an in-band problem because it uses encryption and because all of the key information isn't located on the same device that the user is using to login. And if attackers were to steal the key information held in the server-side repository, they wouldn't be able to commit a mass breach because they wouldn't have the key information that each individual user holds. This model doesn't stop a motivated attacker from potentially breaking it on a case-by-case basis, but it's the difference between "retail hacking and wholesale hacking," says Jon Callas, co-founder of encrypted mobile communications vendor Silent Circle.
Biometric applications incorporated into mobile devices also have potential as authentication mechanisms of the future. Online companies could find ways to use smartphones equipped with cameras, microphones and even built-in fingerprint readers to authenticate accounts. It will depend on how well these methods are deployed within a wider authentication framework, because consumer device providers will have to enable federated authentication protocols, says Darren Platt, CTO of cloud identity provider Symplified. Done right, this would let carriers provide authentication to third-party apps and services, including e-commerce websites and financial services providers, he says.
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. View Full Bio
4 of 6