Are we reaching a stage where passwords need to be replaced by two- or even three-factor authentication methods and is there a future in federated identities?
Dani Briscoe, services manager, The Corporate IT Forum (Tif), points out that secure user authentication is a difficult balancing act for IT security professionals.
There needs to be a careful balance between accessibility for users and the security requirements of the networks and systems they reach.
With users increasingly coming from federated business environments (such as online customer and colleague communities, and remote, mobile and global workforces), validating the identity of the user has become a top priority.
With tokens, passwords and biometrics all in common use, what criteria are used to balance the cost of the authentication system against the ever-present risk to business systems and the convenience of the user community?
When asked in 2008, over 60% of Tif members were using some form of two-factor authentication, and others used a mixture of token authentication and Active Directory (AD) control. AD was seen as a simple solution because changes could be made quickly and easily by first-line support rather than by second- or third-line support. All wanted to use strong and complex passwords, but agreed that users simply write complex passwords down, negating their usefulness.
Where the user is logging on from should be taken into account - nowadays it is unlikely to always be a trusted connection (internet café, hotel, etc), so infection by malware or a keylogger is a real risk. All members agreed that any authentication over an untrusted network from an untrusted machine should require two-factor authentication - unless what you are trying to protect has little value.
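The step-up rule described above can be written down as a small policy. The code below is an added example for this page, not code from the Forum or its members: it decides which factors a login must present from where the connection originates, whether the device is company-managed, and how valuable the resource is. The network ranges, device identifiers and sensitivity labels are constructed sample data. Two choices go slightly beyond the wording above and are assumptions of this example: either an untrusted network or an unmanaged device is enough to demand a second factor, and high-value resources always require one. An address that cannot be parsed is treated as untrusted, so a malformed header fails closed rather than open.

```python
"""Step-up authentication policy (added example, not from the original article).

Decides the factors a login must present based on network trust, device trust
and the sensitivity of the resource being accessed.  All reference data here
is constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set
import ipaddress


class Sensitivity(Enum):
    LOW = 1     # e.g. an internal news page: little value if compromised
    MEDIUM = 2  # e.g. ordinary line-of-business applications
    HIGH = 3    # e.g. finance, HR, administrative consoles


# Constructed: office and VPN ranges that count as a trusted connection.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Constructed: identifiers of managed, company-controlled machines.
MANAGED_DEVICES: Set[str] = {"LAPTOP-0042", "LAPTOP-0077"}


@dataclass(frozen=True)
class LoginContext:
    username: str
    source_ip: str
    device_id: Optional[str]          # None when the device is unknown
    resource_sensitivity: Sensitivity


def connection_is_trusted(source_ip: str) -> bool:
    """True only if the address parses and falls inside a trusted range.
    Unparseable input fails closed (treated as untrusted)."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def device_is_trusted(device_id: Optional[str]) -> bool:
    """A device is trusted only if it appears in the managed-device registry."""
    return device_id is not None and device_id in MANAGED_DEVICES


def required_factors(ctx: LoginContext) -> List[str]:
    """Return the ordered list of factors this login must present.

    Policy (assumptions of this example, slightly stricter than the article):
      * a password is always required;
      * an untrusted network OR an unmanaged device requires a second factor,
        unless the resource is of low value;
      * high-value resources require a second factor from anywhere.
    """
    factors = ["password"]
    untrusted_path = (not connection_is_trusted(ctx.source_ip)
                      or not device_is_trusted(ctx.device_id))
    if ctx.resource_sensitivity is Sensitivity.HIGH:
        factors.append("otp_token")
    elif untrusted_path and ctx.resource_sensitivity is not Sensitivity.LOW:
        factors.append("otp_token")
    return factors


def authorize(ctx: LoginContext, presented: Set[str]) -> bool:
    """Grant access only if every required factor was actually presented."""
    return set(required_factors(ctx)).issubset(presented)


if __name__ == "__main__":
    # Constructed scenario: a user at an internet café on a personal laptop.
    cafe = LoginContext("alice", "203.0.113.7", None, Sensitivity.MEDIUM)
    print(required_factors(cafe))            # ['password', 'otp_token']
    print(authorize(cafe, {"password"}))     # False: password alone is not enough
```

Because the policy is a pure function of the login context, it is easy to unit-test each branch and to log the decision alongside the context, which is what an investigator wants when reviewing why a particular session was or was not challenged.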
This was first published in August 2010