

Guest Blog // Selected Security Content Provided By Intel
Tom Quillin

Security and Identity Management: Innovative Authentication Techniques

Today I want to take a closer look at identity. Most people will tell you things are pretty bad today, but things have improved quite a lot.

In my last blog, I broke down security pain points into four categories. Today I want to take a closer look at identity. Most people will tell you things are pretty bad today, but things have improved quite a lot since nobles dispatched their missives authenticated with rings impressed into wax. One needed a ring, a unique seal, and a load of wax. Not to mention recipients sufficiently well-trained to distinguish your seal from fakes. Today we have a far richer toolkit: instantaneous communications, unlimited computing power in the cloud, and even ginormous touch screens in every purse and jacket pocket. So what the heck is going on? With the amazing technology advances of the last decades, how does identity remain a problem?

Scale might be the most important complication. Today about 6 billion devices are internet connected, and as the so-called internet of things scales, some project 50 billion devices to connect by 2020. Even if we wanted to issue all the human users unique rings and hot wax, we'd still be left with the challenge of identifying the remaining billions of devices, which lack the prehensile abilities required to hold a ring and impress it into wax. Today large public suppliers authenticate more users in seconds than the royal seal examiners did in lifetimes. And the risks have scaled accordingly. In a world that runs on automated authentication decisions, adversaries have become better at exploiting gaps and weaknesses. Estimates place the cost of cybercrime to firms globally as high as $1 trillion. So if your users complain you're being paranoid, let them know you have just cause.

So let's look at it from our users' perspective for a moment. They're continually consumed trying to remember usernames and passwords for a multitude of accounts, both business and personal. Names of first grade teachers, first pets, first cars. Text messages with one-time passwords. And still we lack confidence and suffer risk of fraud, since sophisticated malware can hijack even the most closely guarded user-provided credential. And then we complicate things with byzantine rules and guidelines for creating and changing passwords. It all would be comical, if our guidelines weren't making it impossible for users to get their work done! So now we're all miserable, if united in our misery.

What if it wasn't like this? What if we could simultaneously simplify life for users while at the same time increasing confidence in authentication decisions? What would it take to build authentication systems less vulnerable to compromise when an end-user was tricked into revealing a password?

There's no mystery around the framework for solutions. It's quite possible to design architectures for robust solutions that rely on all three of the traditional elements of authentication (something you know, something you have, something you are). At the September 2012 Intel Developer Forum, Intel's Chief Technology Officer, Justin Rattner, demonstrated the ability to augment conventional passwords and tokens with more robust schemes. Justin demonstrated a user walking up to a device and using biometric sensors to authenticate locally, with the device then providing attestation to a service provider that the user has successfully authenticated. I think it would be great if these types of solutions were broadly available, delivered in solutions that were reliable, difficult to compromise, straightforward to manage and scale for large user populations, and, most importantly, simple for users! While some companies have delivered pieces of the puzzle, it's still too tough for relying parties to stitch together a high quality fabric for authentication and decision making that's easy for users. It may not be rings and wax seals, but we have some distance to go.
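The local-authenticate-then-attest pattern described above, as an added illustration that is not Intel's demo code: the biometric check happens on the device (here a constructed boolean stands in for the sensor verdict), and the relying party only ever sees a signature from the enrolled device key over a fresh, single-use challenge, so a phished password or a replayed attestation buys the adversary nothing. The Ed25519 key, the user name and the message format are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Attestation is the device's signed claim that the user passed a local check.
type Attestation struct{ UserID string; Challenge, Sig []byte }

// RelyingParty knows each enrolled device's public key and its outstanding challenge.
type RelyingParty struct{ keys map[string]ed25519.PublicKey; challenges map[string][]byte }

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}
func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) { rp.keys[user] = pub }

// Challenge issues a fresh random nonce so a captured attestation cannot be replayed later.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand; only fails on a broken CSPRNG
	rp.challenges[user] = c
	return c
}

// attestMsg binds the claim "user passed the local biometric check" to the nonce.
func attestMsg(user string, challenge []byte) []byte {
	return append([]byte("local-biometric-ok:"+user+":"), challenge...)
}

// DeviceAttest runs on the device; biometricOK stands in for the sensor verdict (constructed).
// The biometric template never leaves the device; only this signed claim does.
func DeviceAttest(priv ed25519.PrivateKey, user string, challenge []byte, biometricOK bool) (Attestation, error) {
	if !biometricOK {
		return Attestation{}, errors.New("local biometric check failed; nothing to attest")
	}
	return Attestation{user, challenge, ed25519.Sign(priv, attestMsg(user, challenge))}, nil
}

// Verify accepts only the enrolled key's signature over an outstanding, single-use challenge.
func (rp *RelyingParty) Verify(a Attestation) error {
	pub, ok := rp.keys[a.UserID]
	if !ok || !ed25519.Verify(pub, attestMsg(a.UserID, a.Challenge), a.Sig) {
		return errors.New("attestation not signed by the enrolled device key")
	}
	if want, ok := rp.challenges[a.UserID]; !ok || !bytes.Equal(want, a.Challenge) {
		return errors.New("challenge unknown or already used (replay)")
	}
	delete(rp.challenges, a.UserID) // consume: the same attestation fails next time
	return nil
}
```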

It would be great to hear your thoughts on these approaches. What are the biggest challenges you're facing in balancing the robust and simple? Where can the industry do a better job solving your needs? (Hey and vendors, please, no blatant product promos).

Tom Quillin is the Director of Cyber Security for Technologies and Initiatives at Intel Corp. He is responsible for identifying security risks, as well as contributing to product planning that addresses future security challenges. He also manages Intel's policy positions on ...

User Rank: Ninja
12/15/2013 | 12:54:44 PM
re: Security and Identity Management: Innovative Authentication Techniques
suggested reading: FTC position on Data Breaches



1. the o/s maker should assume responsibility for the integrity of the o/s: no un-authorized updates.

2. once the o/s is secured then customers can apply security rules to make un-authorized access difficult.

3. the most important security rule lies in controlling what an application program can access or update.
User Rank: Ninja
12/13/2013 | 1:33:03 PM
re: Security and Identity Management: Innovative Authentication Techniques
Slamming shut the door
1. secure the o/s. an app program should not be able to corrupt its host os. the technology for this has been available for many years.
2. restrict application program activity: by application: what directories are permitted for read,write, and execute? is network access allowed?

the typical user workstation today is as lawless as a drunken old west cowboy town on Saturday night.
User Rank: Ninja
11/13/2013 | 1:21:26 PM
re: Security and Identity Management: Innovative Authentication Techniques
"There's a Time and a Place for Everything". So it is on the 'Net: In some cases you should be anonymous; in other cases you need secure communication and established credentials -- in both directions.

Business Computing -- banking, shopping, and such -- need the secure communications and established credentials.

I have felt for some time that we have attempted to simply adapt the pen and paper methods of authentication to our new digital network environment -- with less than stellar success. While PGP (GnuPG) has been available for a bit more than 20 years -- we have not moved to take advantage of it. We just need to take it out of the box marked "esoteric" -- and assign it a class number for 7th grade. This would be much more valuable than, e.g., algebra.

When you are ready to add commercial/business computing to your activities -- you should generate your PGP/GnuPG keypair and start establishing your Trust Model. Learning to establish and maintain a Trust Model is a critical skill. PGP/GnuPG signatures can go a long way to reducing fraud.

However, as Phil Zimmermann noted in his original essay, none of this is of any use if your computer has been compromised with un-authorized programming.
User Rank: Apprentice
10/31/2013 | 3:41:20 PM
re: Security and Identity Management: Innovative Authentication Techniques
+1 to this commentary.

There is a triangle of price-security-cost , and we're seeing that we're getting "bigger triangles"--authn mechanisms that are easier to use, more secure, and cheaper.

One consideration is price... 2fa is great but management is not used to paying for authentication--there was no license fee for username/password authn. The good news is that companies can use some "free" methods to better authenticate people: http://www.gluu.co/.icn4

Also, the API a domain uses to publish the authn mechanism is a critical part of the equation. Another blog I wrote took a contrarian view that two-factor is not the answer... http://www.gluu.co/2fa_not_the...