Securing Authentication With Identity Management – Are You Strong Enough?

I’ve been in the IT Security industry for many years. I, and the identity management industry as a whole, have always been well aware that passwords are a necessary evil and not the best method of ensuring users’ secure access to systems and data. Modern processing power now lets age-old password crackers unravel even the most complex passwords in a matter of minutes, if not seconds.

What this means is that if someone wants to gain access, and passwords are the key, then they probably can. We’re also acutely aware that these tools are freely available on the internet. I’ve just typed ‘password cracker’ into Google and received about 20,000,000 results; scary indeed.

Now, providing secure authentication has always been hindered by cost, complex deployments and complicated requirements. Many organizations use a mixture of soft, hard and SMS-based token systems, all offering different levels of security for remote access. This has, in part, been driven by compliance. What we are also seeing is the need to extend secure authentication across a multitude of applications, expanding the user base and doing so from any device, anywhere. With more and more data being gathered and stored digitally, the need to secure access to that data increases.

Google Authenticator, an open-source, software-based two-step authentication token with versions available for iOS, BlackBerry and Android, has given organizations wanting to secure access a more cost-effective way of achieving it (it’s free!). Integrating this OATH-compliant solution with OATH-compliant products means organizations can now extend strong authentication beyond the limitations of existing systems without incurring expensive hardware token costs. Using free 2FA means once-untouched user bases can be reached: teachers, nurses, students and the general public can be more confident that the data they access is accessed securely when 2FA is used, and information providers gain expanded opportunities for data provision. Strong authentication providers also need to look at their licensing models; we can’t simply roll out strong authentication to 100,000 users if a proprietary solution’s licensing model proves too costly.

Obviously, users accessing applications that require stronger security than Google Authenticator can provide can still use physical tokens, and in no way does Google Authenticator replace traditional tokens. For a start, Google Authenticator sits on a mobile phone, which is always connected to the internet and shares an OS with other software applications; but it’s certainly a huge leap.

So there is still much work to be done, but hopefully we’ll slowly see the demise of the password and embrace secure authentication across our systems.

Find out more at www.verisec.com

Click here for more information about Whitehall Media’s Identity Management conference.