Identity and access management was a $2.21 billion market in 2003, according to IDC, which expects the market to grow to $3.5 billion by 2008. This spending will be split among various pieces of authentication technology, from user information databases to authentication servers, and middleware to hardware tokens. As the fragments are integrated, authentication will be strengthened by requiring two, three or more factors to assert identity, and by SSO (single sign-on), in which multiple passwords and logins associated with different networks and applications are replaced by a one-time authentication at the beginning of a user's workday.
The Evolution of Identity
In the beginning was the user name, and it was good--for a while. Then came the password and with it, single-factor authentication--your identity is ensured by something known (theoretically) only to you. For the majority of organizations we polled, authentication still requires solely a user name and password, and for some applications, that's enough. However, when companies try to make passwords more secure by requiring frequent changes and to make passwords stronger by requiring a mix of numbers and characters and banning words found in common dictionaries, they often run up against the limits of human memory. Users may write their passwords on Post-its or forget their passwords and place calls to the helpdesk--calls that costs, according to industry estimates, between $10 and $35 each. Add to that the fact that passwords are prone to theft when written down, used in some remote and wireless network-access applications, or attacked through worms or keystroke-logging spyware, and the need for another level of identity assurance is clear.
That bring us to two-factor authentication, which adds something you possess--usually a hardware authentication token--to something you know. This is the setup more companies are moving toward as they seek to replace the requirements of strong passwords with the security of a single-use PIN token.
The most common two-factor authentication tokens are small devices from companies such as ActivCard, Aladdin Knowledge Systems, RSA Security, SafeNet, Secure Computing and Vasco. These devices generate numeric codes that are valid for a limited time or a single use. Some systems require the user to type a challenge string into the token before the passcode is generated, but the level of security for both types is considered similar.
Neither type represents the future of two-factor authentication, according to Steve Hunt, vice president and director of research for security at Forrester Research. "Every token available is a stopgap or migration step towards smart cards," Hunt says.
We agree: Smart cards have the advantage of being multipurpose and can provide physical-premises access along with network and application authentication. They're also familiar to users, resembling credit cards in form and function. So why haven't they become the norm? Because, unlike simple hardware tokens, they require a card reader--a peripheral not yet standard on most enterprise workstations. Until companies like Dell and IBM include readers in every laptop computer and corporate desktop keyboard, hardware tokens, whether handheld or USB, are going to be a primary two-factor authentication method.
When two-factor authentication isn't enough, a third factor--something you are--is added using biometrics, or identification by way of biological characteristics, such as voice response or retinal scan. Vendors are evaluating ways to make this technology more economical and widely available through devices like USB fingerprint scanners. Right now, though, biometrics is sufficiently expensive to make it of interest only to those securing very high-value information, as in the government and financial sectors.
In addition, the National Institute of Standards and Testing cites wide variations in the accuracy of fingerprint biometric systems. NIST's most recent testing yields some interesting results. For example, multiple-finger recognition is much more accurate than single-finger recognition. Perhaps more important, the quality of the fingerprint images stored in the matching database has a greater effect on results than the quality of the authentication scanner (see full results of NIST's tests at fpvte.nist.gov/index.html). Although smaller fingerprint scanners are coming down in cost, capturing fingerprints, tuning the database and using the biometric scanner is an expensive proposition that can be justified only when the systems and data protected have an exceptionally high value.
Finally, though more secure than passwords alone, biometric information is not immune to theft--as we proved (see www.nwc.com/ 910/910r1side1.html), a stolen fingerprint molded into a rubber doppelganger can fool some biometric scanners, and a fingerprint cannot be reset like a password.
Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio