Are we reaching a stage where passwords need to be replaced by two- or even three-factor authentication methods and is there a future in federated identities?
In a world where users expect access any time, any place, anywhere, the days of an employee just sitting at an office desk in front of a desktop PC and accessing 'the network' by entering a single username and password are long gone, writes Gary Wood, research consultant at the Information Security Forum (ISF).
The employee may be a contractor or outsourced, and the desktop replaced by a laptop, smartphone or PC at home or in an Internet café. Users now access a far wider set of applications, services and other information sources.
Where weak passwords don't cut it, there are many alternatives that provide stronger two-factor authentication, such as hardware or software tokens, smartcards and biometrics. In a recent survey of ISF members, 90% of those who responded said that they now mandate multiple factors for remote access to internal systems.
As well as providing secure user authentication, these mechanisms also reduce vulnerabilities to malware attacks, remove the burden of password resets and can combine physical and logical security into a single device.
However, it is important to remember that, like any security control, authentication is a business choice: during a recent research project, many ISF members cited usability and cost as being at least as important. Ensuring that users have reliable, quick and easy access to information may outweigh any potential loss arising from compromised access.
By combining user education with strong password policies, organisations that take this view are extending the useful life of their existing password access mechanisms. Others are applying innovative self-recovery processes for locked passwords, such as those based on voice recognition rather than shared secrets, to make password reset and recovery easier while keeping the advantage of easy distribution that passwords offer. Remember too: you can't leave a password on the kitchen table when leaving on that important business trip.
While using two- or three-factor authentication clearly increases the level of control, it can lead to multiple remote access credentials for different systems or applications, increasing the burden on the user. Federated identity services, where users of one domain can be securely granted access to another domain without the need for separate authentication processes, hold great appeal. For example, if a business and its partner companies use a federated identity management system, they have a contracted mutual trust in each other's authentication of the user.
However, federation is still not widely used outside a small number of industries such as aerospace: the cost of modifying applications to support federation (even with standards such as SAML) is still cited as the main reason for low uptake.
The development that might prove to be the spur to adopt federation, and also a compelling reason to use multiple factors, is cloud computing. The key sticking point preventing many organisations from widespread cloud adoption is a desire to keep user identity management in-house; federation provides an available, standardised and proven solution to that challenge.