Are we reaching a stage where passwords need to be replaced by two- or even three-factor authentication methods and is there a future in federated identities?
We are all familiar with the string of characters '12345': according to some articles it was the most commonly used password at the dawn of the internet, writes Kevin Wharram, a member of the ISACA security committee.
Passwords are used on a daily basis to access online applications and systems. The problem with passwords is that they are generally easy to guess and are often easily compromised. Most systems and applications have weak password complexity requirements that allow the use of basic passwords like '12345', even though the data behind those systems contains sensitive and personal information.
Some online applications nowadays enforce a degree of password complexity and so improve password security. However, since the advent of phishing and malware attacks there has been a rise in password compromises, and some organisations, including banks such as Barclays, have moved to two-factor authentication.
Two-factor authentication uses two methods to authenticate the bearer, something you have (a bank card) and something you know (a PIN), to increase the assurance that the bearer has been authorised to access the system or application. Research indicates that two-factor authentication does improve security: this can be seen in chip and PIN technology cutting bank fraud. However, it is vulnerable to what is known as the man-in-the-middle (MITM) attack.
What about three-factor authentication, which uses all three types of authentication factors? For example, to access a secure building you will need to pass a guard who checks your face against an image (something you are), swipe an access card (something you have), and enter a code (something you know).
Security can definitely be improved when using two-factor or three-factor authentication, and the amount of work generally increases for an attacker when more authentication factors are used. However, adding additional factors to the authentication process usually leads to increased costs for implementation and maintenance.
What about other authentication systems, such as Federated Identity Management (FID), which simplify a user's authentication experience? FID allows a user to authenticate once to one system and then access other systems across multiple domains. But there are security and privacy issues around the use of Federated Identity Management.
This was first published in August 2010