Are we reaching a stage where passwords need to be replaced by two- or even three-factor authentication methods and is there a future in federated identities?
John Colley, managing director EMEA for (ISC)2, says that as with any security measure the answer to the first part of this question depends on the application. There are some instances where even the use of a password is too much. Why, for example, when I order theatre tickets or book a restaurant must I use a password to make a reservation?
At the other end of the scale there are cases where two-factor identification isn't good enough. I would suggest that this question is a little narrow in its focus. The issue isn't whether authentication technologies are strong enough: the challenge we face is to develop a richer appreciation of what we are using these technologies for before we decide what is appropriate.
With the example of my theatre tickets the motivation is quite likely to be primarily marketing - they collect more data than they need for marketing, this requires an effort to secure it. Another application includes the desire to track accountability. The strength of authentication required here will also depend on the context-of what is being tracked and the impact of an error in the records.
Overall we are finding that as these technologies develop, their application is getting richer, and the options are getting wider. An assessment of the risks to the objective being achieved must be the guide. Included in this assessment must be the level of effort put on the user. Anything too complicated that is widely applied - three-factor authentication, for example - introduces a higher risk of human error and the motivation to work around the barriers, undermining the security.
Federated IDs are seen as a response to this. But they too have their challenges. They have been around for a long time, and have been widely assessed by the banking sector - yet there is still no accepted standard for interoperability.
It comes down to trust. Institutions are not ready to trust the registration process of others, or third parties. Even our real-world example of federated IDs - passports - are not fool proof, so how can we move to an electronic version of such a system.
Back to Security ThinkTank