Informa / Risk / Commentary

Silent Authentication

Authenticating users without explicit login
In today's e-commerce environment, each of us logs on to a plethora of different websites. But if we go back a decade or two, many of us logged on to the Internet once and then got access to many resources. Those days are long gone, but, in fact, that was a much better time from a user-authentication point of view.

We have a large number of user accounts today that require us to remember credentials. There are a number of movements to make the user experience easier while improving, or at least maintaining, the level of security.

A number of popular websites offer other sites the ability to accept the same login credentials, so that users have fewer passwords to remember. This movement is seeing a fair level of success, but it is not obviously going to become the way we log in to every Web resource we need. The security level could perhaps be improved somewhat if the authenticating sites had more knowledge of their users and could validate more than just a user name and password.

The more interesting approach, however, would be for the user's first login to be "remembered" by the Internet so that when the user visits a new site, the site can have an interface to an Internet service to ask whether the user on that particular device is the same user who always signs on from that device.

This so-called "fingerprinting" method has been used in the financial industry for many years. Banks and other financial sites can validate that it is, in fact, their customer who is signing in from that device, which helps limit the damage from stolen passwords: a password alone, presented from an unrecognized device, is no longer enough.

This Internet silent authentication service can be used by everyone to make sure intruders cannot easily use stolen credentials to get access to other users' accounts.
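As an added illustration of the service described above (example code written for this page, not the author's design or any vendor's product), the following Python sketch shows what a site would ask such a service: "is the user presenting this device the same user who always signs in from it?" It keeps two device identifiers per user, a passive fingerprint hashed from browser attributes and a random per-device token issued once after an explicit login, and it returns a recognition level the site can act on. The service name, attribute set and sample devices are all constructed for illustration; the point the code makes is that the passive fingerprint only raises the bar, because an attacker who phished the password can also copy the attributes, while the stored token is something the attacker does not have.

```python
"""Hypothetical silent-authentication service (added example, not from the article)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Outcomes a site can act on.
RECOGNIZED = "recognized"  # device token matches: silent sign-in is acceptable
PROBABLE = "probable"      # only the passive fingerprint matches: skip at most one factor
STEP_UP = "step-up"        # unknown device: require an explicit login / second factor


def fingerprint(attrs: Dict[str, str], key: bytes) -> str:
    """Hash a canonical form of the device attributes.

    HMAC with a service-side key so that a stored fingerprint cannot be turned
    back into the raw attributes or precomputed by someone who knows the scheme.
    """
    canon = "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()


@dataclass
class SilentAuthService:
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    # user_id -> fingerprints seen at an explicit (password + factor) login
    fingerprints: Dict[str, Set[str]] = field(default_factory=dict)
    # HMAC(token) -> user_id; the token itself lives only on the device
    tokens: Dict[str, str] = field(default_factory=dict)

    def _token_hash(self, token: str) -> str:
        return hmac.new(self.key, token.encode(), hashlib.sha256).hexdigest()

    def enroll(self, user_id: str, attrs: Dict[str, str]) -> str:
        """Call after the user's explicit login succeeded on this device.

        Remembers the passive fingerprint and issues a fresh random token that
        the device stores (cookie, keychain) and presents on later visits.
        """
        self.fingerprints.setdefault(user_id, set()).add(fingerprint(attrs, self.key))
        token = secrets.token_urlsafe(32)
        self.tokens[self._token_hash(token)] = user_id
        return token

    def check(self, user_id: str, attrs: Dict[str, str], token: Optional[str] = None) -> str:
        """Answer: may the claimed user on this device sign in silently?"""
        # Strongest signal: a token we issued to this device, bound to this user.
        if token is not None and self.tokens.get(self._token_hash(token)) == user_id:
            return RECOGNIZED
        # Weaker signal: attributes match a device the user enrolled before.
        # Attributes are observable and copyable, so this alone is not proof.
        if fingerprint(attrs, self.key) in self.fingerprints.get(user_id, set()):
            return PROBABLE
        return STEP_UP


def demo() -> Dict[str, str]:
    """Constructed scenario: alice enrols her laptop, then several sign-in attempts follow."""
    svc = SilentAuthService()
    laptop = {"ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0",
              "screen": "1920x1080", "tz": "Europe/Berlin", "lang": "de-DE"}
    phone = {"ua": "Mozilla/5.0 (Android 13; Mobile) Firefox/115.0",
             "screen": "1080x2400", "tz": "Europe/Berlin", "lang": "de-DE"}
    token = svc.enroll("alice", laptop)
    return {
        "same_device_with_token": svc.check("alice", laptop, token),
        "same_device_storage_cleared": svc.check("alice", laptop),
        "attacker_new_device": svc.check("alice", phone),
        # Attacker copied the attributes but has no token: only "probable".
        "attacker_cloned_attributes": svc.check("alice", dict(laptop)),
        # A token is bound to the user it was issued for.
        "token_replayed_for_other_user": svc.check("bob", laptop, token),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:32s} -> {outcome}")
```

A real deployment would also expire tokens, rotate them on use, and treat an invalid token presented with a matching fingerprint as a reason to step up rather than to relax, since a valid device should never hold a token the service does not know.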

Recognized in the industry as the "inventor of SSL," Dr. Taher Elgamal led the SSL efforts at Netscape. He also wrote the SSL patent and promoted SSL as the Internet security standard within standards committees and the industry. Dr. Elgamal invented several industry and government standards in the data security and digital signatures area, including the DSS government standard for digital signatures. He holds a Ph.D. and M.S. in Computer Science from Stanford University.
