Product Group Tests

Authentication (2013)

by Peter Stephenson January 21, 2013

GROUP SUMMARY:

Best Buy: Digipass Go 7 and Identikey Authentication Server from Vasco
Recommended: Deepnet DualShield

There was a time when strong multi-factor authentication was expensive and hard to deploy. Those days appear to be far behind us, at least judging from the crop of tools we looked at this month in the labs.

There are varying levels of user interaction with the enterprise. Some are casual users; some are customers accessing accounts that hold money or personally identifiable information (PII); and some are privileged users such as system administrators. Each of these user communities has characteristics that help define the appropriate level of authentication.

Conventional wisdom - although today we might question how much wisdom this actually is - is that if you have a large community of users you should stick to passwords, because they are free and multi-factor authentication costs money. If you Google 'password breach' and 'statistics', the first page of results lists LinkedIn, Twitter, Yahoo and Dropbox. Dig a bit deeper and you will find half a dozen more big names and their concomitant big password breaches. All of these breaches ran from the hundreds of thousands to the low millions of passwords lost. These were not just employees; these were customers falling prey to the 'let's save money and let them use passwords' syndrome.

This is in spite of studies showing that most people reuse passwords across multiple accounts and pick very weak passwords to begin with. Taking this approach does a couple of things that can hurt the company seriously. Firstly, no matter how secure the customer interface to the rest of the enterprise is, by allowing weak authentication you have stripped away the first layer of your defence in depth. Secondly, you have arguably opened up a lot of other organisations to compromise, because if the attacker gets in and takes your clear text password file he or she probably has the keys to lots of kingdoms, since people tend to reuse passwords.

Clear text passwords? Nobody does that. Wrong, wrong, wrong! There are many organisations - some very large - that keep all passwords in clear text rather than as salted, deliberately slow hashes, and there goes the second layer of protection. Let us assume for a moment that the attacker doesn't really care about harvesting the 650,000 clear text passwords you are storing. This hacker is more interested in those credit card numbers you are holding. Or maybe he or she just wants to get in, drop a rotten egg (a Trojan horse or rootkit) in your system and leave. The Trojan will roam around your network harvesting whatever it was created to harvest, and then send it home to the hacker. All of this chaos because of a weak password.
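Storing passwords as clear text, as the paragraph above describes, means a single database dump hands the attacker every credential and, thanks to reuse, credentials for other sites as well. The Python below is an added example and not code from the article: it contrasts a clear text user table with one holding salted PBKDF2-HMAC-SHA256 records, and shows that the hashed dump neither contains the passwords nor even reveals which users picked the same one. The account names, passwords and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Tune it so that one hash costs a
# noticeable fraction of a second on your own servers: that cost is what makes
# a stolen record expensive to crack. Kept modest here so the demo runs fast.
ITERATIONS = 100_000

# Constructed sample accounts for this demo, not real users. Two of them share
# the password the article cites as the most popular one.
SAMPLE_USERS = {"alice": "123456", "bob": "password", "carol": "123456"}


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record, candidate):
    """Recompute the digest using the salt and iteration count stored in the record."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    actual = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison: timing must not reveal how many bytes matched.
    return hmac.compare_digest(actual, bytes.fromhex(digest_hex))


def build_store(users, hashed):
    """The user table as an attacker would see it after dumping the database."""
    if hashed:
        return {user: hash_password(pw) for user, pw in users.items()}
    return dict(users)  # clear text: the stored record simply is the password


def dump_reveals_password(store, password):
    """True if the raw dump already contains the password, no cracking needed."""
    return any(password in record for record in store.values())


def users_sharing_record(store):
    """Groups of users whose stored records are identical. With per-record salts
    the hashed store never shows which users chose the same password."""
    by_record = {}
    for user, record in store.items():
        by_record.setdefault(record, []).append(user)
    return [group for group in by_record.values() if len(group) > 1]


if __name__ == "__main__":
    clear = build_store(SAMPLE_USERS, hashed=False)
    hashed = build_store(SAMPLE_USERS, hashed=True)
    print("clear text dump reveals 'password':", dump_reveals_password(clear, "password"))
    print("hashed dump reveals 'password':", dump_reveals_password(hashed, "password"))
    print("users visibly sharing a password (clear):", users_sharing_record(clear))
    print("users visibly sharing a password (hashed):", users_sharing_record(hashed))
    print("alice, right password:", verify_password(hashed["alice"], "123456"))
    print("alice, wrong password:", verify_password(hashed["alice"], "12345"))
```

The record format carries its own algorithm and iteration count so that the work factor can be raised later and old records re-hashed at next login, and the per-record salt is what stops an attacker from cracking the whole dump with one precomputed table or spotting shared passwords by eye.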

Now, let's up the ante a bit. Suppose the person with the simplistic password is an employee. In fact, given the password cracking tools available today, the password doesn't even need to be that simplistic. If that employee is a privileged user you may be in for a really ugly surprise. So, even if you don't want to foot the bill for your hundreds of thousands of customers, you should at least pony up for your own remote users, especially privileged ones such as system administrators.

That brings us to this month's group test, which deals, predictably, with strong authentication tools. Some are simple solutions to the tough problem of strong authentication. Some are a bit pricier and a bit more complicated, but all of them have good application in the various ways you can protect your valuable data. A few are biometric, and you will note that the cost of biometrics has started to come down. We used to think of biometrics as only good for the highest-security operations. Today there are biometric tools that are affordable and effective.
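The article does not describe how the tokens under test generate their codes, and several vendors use proprietary schemes, but the open OATH standards that many one-time-password hardware and soft tokens follow are short enough to show. The Python below is an added example, not code from the article or from any product in the group test: it implements HOTP (RFC 4226) and TOTP (RFC 6238), checks itself against the RFCs' published test vectors, and adds the server-side handling a practitioner needs beyond the maths, namely a clock-drift window together with rejection of replayed codes. The test secret is the one from the RFCs; the verifier class and its method names are this example's own.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# In practice every token receives its own random secret at enrolment.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then the
    RFC's dynamic truncation down to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    intervals elapsed since the Unix epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side state for one enrolled token. Tolerates clock drift of
    +/- `window` steps, and refuses any counter value that has already been
    accepted, so a captured code cannot be replayed inside the window."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # highest counter value already consumed

    def verify(self, submitted, at_time=None):
        if at_time is None:
            at_time = time.time()
        now = int(at_time) // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # already used once: reject the replay
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(RFC_TEST_SECRET, c)}")
    print("TOTP at t=59, 8 digits:", totp(RFC_TEST_SECRET, 59, digits=8))
    v = TotpVerifier(RFC_TEST_SECRET, digits=8)
    print("first use of code:", v.verify("94287082", at_time=59))
    print("replay of same code:", v.verify("94287082", at_time=59))
    print("current 6-digit code:", totp(RFC_TEST_SECRET))
```

Two things the RFC arithmetic alone does not give you are visible in the verifier: the `last_counter` bookkeeping, without which a code sniffed from a phishing page stays valid for the rest of its 30-second step and the drift window on either side, and the constant-time comparison, which matters because the server is comparing a secret-derived value against attacker-supplied input.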

When several research reports show that the most popular password is '123456', with 'password' a close second, we can pretty much take it as a given that the age of strong authentication is upon us. When the cost of strong authentication meets the risks from the types of architecture we are seeing increasingly - those that let the customer get closer than ever to the internal enterprise - we can justify spending a little more to keep our information safe. A serious breach caused by a careless authentication policy could cost a whole lot more than the strong authentication would have. You'll see that and a lot more in this month's reviews.
