Gartner: What matters is risk-appropriate authentication

A glib answer to the first part of the question would be, "No. We have already passed that stage." But that would not be universally true.

Are we reaching a stage where passwords need to be replaced by two- or even three-factor authentication methods and is there a future in federated identities?

Ant Allan, research vice-president at Gartner, says a glib answer to the first part of the question would be, "No. We have already passed that stage." But that would not be universally true. While legacy passwords are vulnerable to a wide variety of attacks, they can still provide appropriate levels of assurance and accountability in some low-risk situations.

We also need to be cautious about using terms like "two-factor authentication," which are no longer precise enough to guide technology decisions. Not all two-factor authentication methods provide the same levels of assurance and accountability, and it's quite possible that one of the stronger single-factor methods may provide higher levels of assurance and accountability than one of the weaker two-factor methods. Moreover, some of the weaker single-factor methods can still provide higher levels of assurance and accountability than legacy passwords do.

The best-practice approach is encapsulated in an architectural principle that Gartner calls "risk-appropriate authentication". An organisation must consider multiple use cases and, for each, evaluate minimum levels of assurance and accountability, commensurate with the level of risk. But risk is not the only selection criterion. It must be balanced against other constraints, such as the lowest acceptable ease of use and the justifiable total cost of ownership.

In general, a need to replace legacy passwords doesn't imply a need to replace them with two- or three-factor authentication methods - although those will still be appropriate choices in some higher-risk use cases.

Gregg Kreizman, research director at Gartner, says that there is a future in federated identity. But is it a bright future in which every organisation must support identity federation? No.

Federation will increasingly be used in some cases to help reduce identity administration efforts, improve convenience for users and enable business.

Identity federation is about one organisation trusting another's identity-proofing, administration, and authentication controls. Technical infrastructure, sound practices and business agreements all play important roles.

Federation did not take off as quickly as Gartner anticipated, but the technology has been sound for years. Early implementations mostly supported access by business partners to government and enterprise systems, but organisations ready to federate often found that their partners were not.

Today, cloud computing is creating renewed interest. Even as organisations grapple with reducing the complexity of identity access management (IAM), they are adding new "identity islands" as they adopt software as a service (SaaS) applications. Each SaaS provider has its own IAM capabilities, some of which support federation, though most do not. This will change positively over time.

Most established federations use the Oasis security assertion markup language standard. User-centric identity frameworks also provide federation capabilities. Newer frameworks promise more flexibility for dynamically managing identity and supporting interactions and transactions with different risk profiles. However, it is early days for these, and their effectiveness remains to be proven.

These are interesting times for identity federation, and organisations will have choices for providing their constituents with convenient and efficient access. However, even with the best and newest technology, organisations must not forget the need for sound identity and access management practices. We will examine these matters further at the Gartner Security & Risk Management Summit 2010 in London, on 22 to 23 September.

Back to Security ThinkTank

Read more on IT risk management