Product Group Tests

Authentication (2009)

by Michael Lipinski February 01, 2009

GROUP SUMMARY:

A really complete solution for enterprise strong authentication at a good price makes Aladdin eToken PRO our Best Buy.

Strong all-round features and an attractive price win a Recommended rating for Entrust IdentityGuard 9.1.

What you know, have or are - all factors that help to keep you secure. By Michael Lipinski.

Every week, another article on identity theft or loss of personal information; every week, another commercial or government network breached. Securing the computers involved is now the central concern. Whether it is a business defending a global communication system or a home user protecting their personal files and online account information, authentication and identity verification are challenges we all face. A business wants to know that it is really the correct customer accessing that customer's private information. And as users of a service, we want to know that no-one else can pretend to be "me" and gain access to our personal information.

Usernames and passwords are a good place to start and we've all got better at not using our children's or pets' names for passwords and not hanging our security credentials around the office or home on sticky notes.

Looking at the various levels of authentication, that combination of username and password is commonly known as the first factor of authentication, called "something you know".

When a username and password are no longer sufficient to provide assurance of identity, "strong authentication" methods are required. This has traditionally been divided into two- and three-factor authentication. These additional forms of authentication add "something you have" and "something you are" factors to the "something you know".

"Something you have" would be technology such as a token with an additional PIN or pass-code to validate that you are the person using your credentials, while "something you are" uses things such as a fingerprint or iris scan.

There are numerous solutions in the strong authentication market. For our review, we focused on solutions that addressed identification and authentication. We were impressed with both the traditional and unique approaches we found among the products we tested. We were also surprised at the number of identity and authentication options offered. We found: soft and hard token offerings (that is, certificate-based or agent-based as examples of software; and key fob, proximity cards or USB keys as examples of hardware); biometric, PIN-based solutions; out-of-band solutions that turn your mobile phone or PDA into a hard token for a one-time password (OTP); and knowledge-based solutions.
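To make the "something you know" plus "something you have" combination concrete, here is an added example (not code from any product in this group test) of how a server can check a password and a one-time password from a counter-based token in a single login. It assumes the token follows HOTP (RFC 4226), which is one standard way OTP tokens derive their codes; the vendors reviewed here may use other algorithms. The account record, the PBKDF2 password storage, the three-code look-ahead window and the test secret from RFC 4226 Appendix D are all constructed for illustration.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

# Added example, not from any reviewed product. HOTP (RFC 4226) is assumed as the
# token algorithm; the account layout and look-ahead window are illustrative choices.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit value, then the low `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    token_secret: bytes
    token_counter: int  # next counter value the server expects from the token


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the server stores only this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_otp(acct: Account, submitted: str, look_ahead: int = 3) -> bool:
    """Accept the next expected code, or one up to `look_ahead` presses later
    (the user may have generated codes without submitting them). On success the
    counter moves past the used code, so a captured code cannot be replayed."""
    for c in range(acct.token_counter, acct.token_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(acct.token_secret, c), submitted):
            acct.token_counter = c + 1
            return True
    return False


def verify_login(acct: Account, password: str, otp: str) -> bool:
    """Two factors: something you know (password) and something you have (token).
    Both are evaluated before deciding, so the response does not reveal which
    factor failed, and a correct code is consumed even if the password was wrong."""
    know = hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash)
    have = verify_otp(acct, otp)
    return know and have


RFC4226_SECRET = b"12345678901234567890"  # test secret from RFC 4226 Appendix D


def run_demo() -> list:
    """Constructed login sequence against one account; returns the outcomes."""
    salt = os.urandom(16)
    acct = Account(salt, hash_password("correct horse", salt), RFC4226_SECRET, 0)
    codes = [hotp(RFC4226_SECRET, c) for c in range(10)]  # what the token would show
    return [
        verify_login(acct, "correct horse", codes[0]),  # both factors good
        verify_login(acct, "correct horse", codes[0]),  # same code replayed: rejected
        verify_login(acct, "correct horse", codes[3]),  # two presses skipped, in window
        verify_login(acct, "wrong", codes[5]),          # valid code, wrong password
        verify_login(acct, "correct horse", codes[2]),  # code already behind counter
    ]


if __name__ == "__main__":
    print(run_demo())
```

The look-ahead window is the usual trade-off for counter-based tokens: too small and a user who pressed the button a few times is locked out until a resynchronisation; too large and a stolen code stays valid for longer. Time-based tokens replace the counter with a time step but keep the same structure.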

All the solutions provided an added layer of security. The plethora of such options today provides organisations with a great amount of deployment and management flexibility, as well as various cost structures to fit most budgets. I did, however, find myself coming back to the traditional definition of strong authentication and asking myself if authentication forms, such as certificates or agents on computers, machine authentication or even knowledge-based solutions, truly qualified as either "something I have" or "something I am". I came to the conclusion that any additional level of security is a good thing - I was being somewhat facetious earlier in my statement about how well we protect our credentials. We just need to understand that if a notebook or portable device with a soft token install is stolen and the traditional username and password are cracked, then that device is compromised.

There will always be challenges in the deployment of client software across a large enterprise. There are logistical and support challenges with distributing, enrolling and supporting hard token technologies. We evaluated solutions that had a near-zero footprint from an end-user deployment perspective. We also evaluated solutions that required deploying software and/or hardware for each system to be secured. Even the more secure solutions providing a one-time, token-based authentication system have come a long way in their ability to manage and distribute the tokens across a large enterprise.

The server-based solutions, however, required quite a bit of effort and time to install, configure and manage. For those solutions that provided server-side management, we were pleased with their management interfaces and their ability to integrate with directory services such as Active Directory and LDAP. We evaluated software-based, standalone endpoint and appliance-based solutions.

There are numerous choices for adding stronger authentication into your name-and-password authentication model. Ultimately, you must balance risk, cost (both of acquisition and of ownership) and ease of use when choosing the right solution for you or your organisation.
