It was a cartoon in The New Yorker back in 1993 that made the comment "On the Internet, nobody knows you're a...
The cartoon was a joke, of course, but it did highlight the problem of authenticating users on your network. How do you make sure people really are who they claim to be, especially if you rely on just a username and password, which can easily be stolen or guessed?
Strong authentication methods and technologies, such as hardware tokens, have long been available, but they require plenty of resources and help desk support to manage their deployment. Tokens, for example, have a limited life span and can be easily lost.
But as a new report explains, new models are bringing down the cost of strong authentication and making it easier for companies to extend control out to customers and business partners. Key developments include next-generation authentication servers that automate all tasks involved, and services provided in the cloud.
The report, called "The Evolution of Strong Authentication," comes from the consultancy group Quocirca Ltd., and was commissioned by CryptoCard Inc.
Author Fran Howarth said the growing range of options available to provide two-factor or multifactor authentication makes it much easier for organisations to strengthen their security and also manage the administration of user accounts.
While early implementations of security tokens relied on spreadsheets for managing the provisioning and de-provisioning of users, she said, the new generation of server-based authentication management systems does much to remove the complexity and hidden administration costs of deployments. These systems are designed to provide authentication and access control processes that can, in many cases, be scaled to handle millions of users.
Such systems can also provide a user self-service portal for performing authorised tasks such as self-provisioning of tokens, personal identification number resets and new token requests, thereby saving on administration costs.
In addition, new cloud-based authentication services are available which can be used on a subscription basis, and therefore require little or no upfront investment.
New strong authentication methods, such as software, SMS and BlackBerry tokens, are also helping to reduce the cost of strong authentication and opening up its use to a whole new range of possibilities, Howarth said.
Instead of carrying a separate hardware token to generate one-time passcodes, for example, users can have a code sent to the mobile device of their choice, which they carry anyway. The code option also removes the cost of hardware tokens, as well as the problem of tokens being lost or reaching the end of their lifespan and having to be replaced.
"It offers a lot more flexibility and opens up the possibility of authenticating a broader base of users, including customers and business partners," Howarth said.
What about biometrics?
Although it is estimated that around half of all new laptops have a built-in fingerprint reader, Howarth said the use of biometric technologies for authentication still tends to be confined to airports and border controls.
There is, however, one area of biometrics that could be ideal for many applications, and which, its proponents say, has reached a high level of reliability: voice recognition.
Ian Turner is European general manager at Nuance Communications, which produces voice and speech recognition systems for a wide range of environments, ranging from in-car satellite navigation systems to call centres.
Turner said that, in the wake of the economic collapse, several of the big banks are reviving projects to implement voice recognition systems to help authenticate the identity of customers telephoning them. "Banks are now starting to plan and will revisit the projects. By 2010 or 2011, some of this will be rolled out in the U.K. in mainstream companies," he said.
Voice recognition has a big advantage over most other biometric technologies in that users can enrol themselves over the telephone rather than have to attend in person to deliver a fingerprint or an iris scan. The technology also requires no special reader, other than a microphone.
Voice recognition systems could provide a solution for those companies struggling to meet PCI DSS compliance in their call centres, where credit card details are recorded and kept. Turner explained: "At some customers now, when it comes to asking for the credit card details, the call is transferred to an IVR (interactive voice response) system to take the credit card details. It removes the danger of a call centre worker writing down the number and using it illegally."
The biggest challenge for using voice recognition technology to authenticate a user logging in to a network is the poor quality of the microphone in most PCs, said Turner. But he forecasts that some authentication for online sessions will happen via a mobile phone. "You log on to a website and you give them your phone number. The website then rings your phone, you authenticate with your voice and then you gain access," he said.
He warned, however, that although the technology is now robust and able to cope with difficult environments, such as background noise, there will always be a small percentage of instances where the system will fail to recognise a voice properly.
"There will be around 5% of people whose voice cannot be recognised -- for instance if they have a really bad cold -- and that case you provide them with some other means of authentication, such as a PIN number," he said. "The verification engine provides a score on how confident it is of a match. When that falls below a threshold, it may ask for another piece of information."