Authentication: The End of the Password Era Looms
In an era where risks to corporate data and processes abound, organizations can no longer afford to rely on passwords alone for identity verification. Already, companies in many industries — notably financial, federal government and healthcare — are implementing strong, multi-factor authentication systems that use passwords only as one form of identification, if at all.
Multi-factor authentication systems rely on at least two different factors to verify a user's identity. These credentials may be based on something the user knows, such as a password; something they have, such as a one-time password token or smart card; something inherent to them, including a biometric characteristic such as a fingerprint; or something known about them, such as their login patterns. Requiring one credential from at least two different categories provides a far higher likelihood that only authorized users will be able to authenticate. For example, even if an intruder manages to acquire a user's password, it does no good without the accompanying smart card or fingerprint.
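The rule that credentials must come from at least two different categories, as an added Python example that is not part of the original paper: a small policy check that counts distinct categories rather than credentials, so a password plus KBA answers (both "something you know") does not pass as multi-factor. The credential labels and per-credential verification results are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The four credential categories described in the text."""
    KNOWLEDGE = "something you know"        # password, PIN, KBA answers
    POSSESSION = "something you have"       # OTP token, smart card
    INHERENCE = "something inherent to you" # fingerprint or other biometric
    BEHAVIOR = "something known about you"  # login patterns


@dataclass(frozen=True)
class Credential:
    kind: str        # label such as "password" or "otp_token" (constructed)
    factor: Factor   # category the credential belongs to
    verified: bool   # outcome of checking this credential on its own


def distinct_factors(credentials):
    """Categories covered by the credentials that individually checked out."""
    return {c.factor for c in credentials if c.verified}


def satisfies_mfa(credentials, required_factors=2):
    """True only if verified credentials span at least `required_factors`
    distinct categories. Two credentials from the same category, such as a
    password plus KBA answers, do not count as multi-factor."""
    return len(distinct_factors(credentials)) >= required_factors


# Constructed sample results; assumes each credential was already verified.
PASSWORD = Credential("password", Factor.KNOWLEDGE, verified=True)
KBA = Credential("kba_answers", Factor.KNOWLEDGE, verified=True)
OTP = Credential("otp_token", Factor.POSSESSION, verified=True)
FINGERPRINT = Credential("fingerprint", Factor.INHERENCE, verified=True)
WRONG_OTP = Credential("otp_token", Factor.POSSESSION, verified=False)

if __name__ == "__main__":
    print(satisfies_mfa([PASSWORD, KBA]))        # False: both "something you know"
    print(satisfies_mfa([PASSWORD, OTP]))        # True: two distinct categories
    print(satisfies_mfa([PASSWORD, WRONG_OTP]))  # False: password alone is not enough
```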
In a February 2007 research note, Gartner offered some blunt advice: "All organizations should look to use stronger authentication in high-risk situations such as remote access now, and consider wider use of stronger authentication by the end of 2007 and plan for deployment during the following two to three years." Gartner advises that online banking and other high-value business-to-consumer services should be implementing strong authentication now, while users with lots of system privileges, such as system administrators, should have it by year-end. By the end of 2008, organizations should implement strong authentication for all business-to-business and business-to-employee remote access requirements, Gartner says.
Strong Authentication Drivers
A number of factors are coalescing to drive the urgency behind Gartner's advice. A primary driver is the need to comply with regulations and standards that require controls over data access and data protection. Examples include:
- The Federal Financial Institutions Examination Council (FFIEC) guidelines on "Authentication in an Internet Banking Environment," which — like earlier Federal Deposit Insurance Corporation (FDIC) guidelines — say that user ID and password alone should not be presumed to be a sufficient form of authentication for online banking.
- NIST Special Publication 800-63, which provides electronic authentication guidelines for federal government agencies; some levels require two-factor authentication.
Multi-factor authentication also reduces the risk from increasingly sophisticated attacks on corporate data. In addition to social engineering attacks that can be highly successful in getting users to give away passwords, various forms of spyware are capable of capturing passwords and forwarding them to would-be intruders, all without the knowledge of the end user or IT department. At the same time, companies need to open up their networks to suppliers, customers and business partners. Companies involved in mergers and acquisitions, or even those with multiple divisions or business units, may be in a similar situation — they need to provide access to corporate data to disparate groups. Strong, multi-factor authentication is part of a security strategy that allows them to do so while maintaining proper security posture.
Strong Authentication Defined: Multiple Solutions to Meet Varying Requirements
Numerous forms of strong authentication are available today, each with pros and cons that make it suitable for some applications, but perhaps not ideal for others. Organizations may find they need to deploy multiple options for different applications — and thus will want security management solutions that allow them to mix and match authentication options. These options fall into one of four categories:
SOMETHING YOU KNOW
- Passwords: A password or personal identification number (PIN) is the most common form of authentication. Used by itself, even a long, complex password is not considered a form of strong authentication. But it can be a crucial component of a two-factor authentication system.
- Knowledge-Based Authentication (KBA): KBA tests the user's ability to correctly answer "personal" questions, such as favorite color, place of birth or even highly personal financial data such as mortgage payment size. This is commonly deployed to help protect online applications as a secondary form of authentication.