How the threat landscape challenges authentication - old and new

The growing cyber-threat landscape poses some awkward questions for present and future authentication methods, argues Barry Scott.


Cyber-crime, malicious activity and user error are all routes by which sensitive data and personal information can be breached. The prevalence of mobile devices, tablets and cloud services has only served to intensify the issue, and the management of these resources and other services has become a major concern for those tasked with keeping data secure.

With these increasing threats, protecting corporate and sensitive data is a growing concern. Numerous heterogeneous systems lead to ‘identity silos’, resulting in inefficiency, reduced productivity and a less secure environment. Whilst security processes such as antivirus and encryption go some way to ensuring data is secure, traditional password login is ultimately the process that most rely on for security purposes, and its longevity is proof of its value to security.

Authentication is the process of determining whether a user is who they claim to be. It is established by something you know (eg a password), something you have (eg a security token), or something you are (eg a fingerprint or other biometric). Unfortunately, none of these processes is 100 percent secure.

Passwords

Passwords are not a new method of security; using word and character sequences for authentication purposes is common practice. We all have passwords that we use on a daily basis, with numerous accounts and information to memorise. Chances are, the more passwords you have (and most users have several), the more likely you are to forget them, reuse the same one over and over again, or resort to writing them down. All of these increase the chance of a security breach.

Tokens and cards

For many, passwords are not enough, and having some additional security running in parallel helps address the problem of having the ‘something we know’ (the password) stolen. Using a security token or card reduces the risks. For example, a bank/credit/debit card represents what we have, and the PIN or security password represents what we know.

This method of two-factor authentication, relying on two authentication processes, is a step towards stronger security measures, but the time and resources involved in managing these processes can far outweigh the positives.

Biometrics

Biometrics is becoming a more widely used form of securing information, and in theory it is an ideal way to authenticate users and keep confidential data safe. A fingerprint or retina scan is not likely to be replicated by another user, is almost impossible to lose, and is not easy to forget (as a password can be). Unfortunately, the technology, although increasingly popular, is still relatively expensive and not always completely reliable.

Zero Sign-on, Single Sign-on – One password fits all

Without question we need a more modern way of being able to convey our identity to a server. Security Assertion Markup Language (SAML) allows you to log into a website without a password, using instead a system that knows who you are and generates a one-off message or token in order to validate your identity and send this to the server.

Known as Zero Sign-on (ZSO), this provides instant access to the service and delivers a seamless user experience. However, the website needs to support SAML for ZSO to work. Though widespread adoption of SAML has been a little slow, Single Sign-on (SSO) has been around for years and has adapted significantly along the way.
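The exchange described above, as an added example that is not part of the original article or of any product: a trusted identity provider issues a one-off, signed statement of who the user is, and the website validates it instead of asking for a password. The key, the service identifier and the token layout are constructed for this illustration (real SAML uses XML signatures with an asymmetric key pair; an HMAC over a JSON body stands in for that here), and the four checks on the website side are what make the token safe to accept.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed shared secret standing in for the IdP's signing key and the
# website's copy of the IdP's verification key (assumption: HMAC instead of
# SAML's XML signature, so the example runs with the standard library only).
IDP_KEY = b"constructed-idp-signing-key"
SERVICE_ID = "https://app.example.test"   # placeholder website identifier

def idp_issue_assertion(user, audience, key=IDP_KEY, ttl=300, now=None):
    """Identity provider side: a one-off, signed statement of who the user is."""
    now = time.time() if now is None else now
    claims = {"id": secrets.token_hex(16), "sub": user, "aud": audience,
              "iat": now, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()      # always 32 bytes
    return base64.urlsafe_b64encode(body + sig).decode()

class ServiceProvider:
    """Website side: accepts a valid assertion instead of a password."""
    def __init__(self, audience, key=IDP_KEY):
        self.audience, self.key, self.seen_ids = audience, key, set()

    def validate(self, token, now=None):
        """Return the authenticated user name, or None if the token is refused."""
        now = time.time() if now is None else now
        try:
            raw = base64.urlsafe_b64decode(token.encode())
        except ValueError:            # malformed token, not even base64
            return None
        body, sig = raw[:-32], raw[-32:]
        # 1. Signature: only the trusted IdP could have produced it, so this
        #    check comes before anything in the body is trusted or parsed.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(body)
        # 2. Audience: an assertion issued for another site is worthless here.
        if claims["aud"] != self.audience:
            return None
        # 3. Lifetime: expired (or not-yet-valid) assertions are rejected.
        if not (claims["iat"] <= now < claims["exp"]):
            return None
        # 4. One-off: the same assertion is never accepted twice (replay).
        if claims["id"] in self.seen_ids:
            return None
        self.seen_ids.add(claims["id"])
        return claims["sub"]
```

The `seen_ids` set is what makes the token genuinely one-off; in a real deployment it only needs to hold IDs until their `exp` has passed.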

SSO permits a user to enter one name and password in order to access multiple applications. The process eliminates the need for ongoing prompts for passwords and login credentials every time you log in to an application or resource. It authenticates the user for all the applications they have been given rights to.

SSO simplifies the end user experience and enhances IT security and control. Users only have to remember one username and password to access all of their applications whether in the Cloud, on-premises, or via mobile devices. IT can also control user access to applications, mitigating the risks associated with unauthorised user access.

So, whilst passwords alone may not live up to their reputation, resorting to fingerprint technology and face recognition merely to access corporate email is certainly not practical just yet. Incorporating an SSO or ZSO authentication process will help avert the risks associated with traditional password security. A one-time secure login reduces the chances of losing or forgetting passwords and, in turn, reduces the risk of falling foul of a potential data breach.

Contributed by Barry Scott, CTO EMEA, Centrify