
Password protection
The password has long been relied upon to secure corporate information because it is cost-effective, easy to use and secure. In fact, 60 percent of security professionals and IT managers use single passwords as their only form of user authentication, according to research conducted for RSA Security.
However, as businesses protect more and more applications with individual passwords, users find themselves with four or five different codes to remember and every forgotten password leads to time-consuming calls to the helpdesk.
One solution is to use directory management to consolidate all existing user identities into a single identity and password, through which a user can access multiple applications. Using this form of centralised identity management, it is easier to automate and enforce secure password practices consistently across the organisation. Users simply need to be encouraged to create strong passwords incorporating non-alphanumeric characters and to change them on a regular basis; because they only have to memorise one strong password, there are far fewer calls to the helpdesk.
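The practices the paragraph above wants enforced centrally (a minimum length, a non-alphanumeric character, no dictionary-based passwords, regular rotation) are easiest to apply consistently as one policy function that every provisioning path calls. The following checker is an added example written for this article, not code from any directory product or from RSA; the word list, the 12-character minimum and the 90-day rotation period are assumptions chosen for illustration.

```python
import re

# Constructed stand-in for the dictionary a real checker would load from disk.
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "qwerty", "company"}

# Cracking tools try these substitutions as a matter of routine, so a candidate
# is checked with them undone as well as literally ("P@ssw0rd" -> "password").
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s"})

MIN_LENGTH = 12            # assumption
MAX_AGE_DAYS = 90          # assumption for "change on a regular basis"


def policy_violations(password: str, days_since_change: int) -> list:
    """Return a list of policy breaches; an empty list means the password
    is acceptable under the (assumed) organisation-wide policy."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no non-alphanumeric character")
    # Dictionary check on the normalised form so appended digits or symbols
    # and leet-speak substitutions do not hide a common word.
    normalised = password.lower().translate(LEET_MAP)
    if any(word in normalised for word in COMMON_WORDS):
        problems.append("based on a dictionary word")
    if days_since_change > MAX_AGE_DAYS:
        problems.append(f"older than {MAX_AGE_DAYS} days")
    return problems


if __name__ == "__main__":
    for candidate, age in [("Summer2024", 120), ("P@ssw0rd123!", 10),
                           ("correct-horse-battery-9", 30)]:
        print(candidate, "->", policy_violations(candidate, age) or "OK")
```

Because the check runs in one place against one identity, a user who satisfies it once satisfies it for every application behind the directory, which is the consistency the paragraph is after.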
Strong authentication
But no matter how much time is invested in educating employees on password protection, a single password alone is no match for the latest hacking tools that use brute force and exhaustive dictionary techniques to test possible password combinations.
With this in mind, many organisations have looked to stronger authentication methods to secure their applications, requiring employees to present multiple forms of identification: passwords and PINs, a token or smart card, or even biometrics that are unique to the individual, such as retinal or fingerprint scans.
HSBC and Lloyds TSB are just two large organisations that have turned to token authentication to protect their online applications. Some 30,000 TSB customers have been given a key-ring sized device that generates a unique number which the customer must enter in order to log into their account. This obviously overcomes the problem of remembering a password, but this form of strong authentication can often prove expensive, difficult to manage and a source of frustration for end-users, which explains why relatively few banks with online facilities are following the same route.
Instead, many banks and other organisations considering strong authentication prefer an approach that balances security and usability by using passwords and PINs. The user is familiar with this method, and where the traditional password is not strong enough to fend off today's hackers, clever techniques are now employed to increase security through the way in which the password is entered, combined with sophisticated back-end systems to detect system abuse.
The password – not so passé
Strong security is a must in today’s business and consumer environments, but this has to be tempered with ease-of-use. The password has been around since the dawn of computing, which means every user is familiar with the concept. Perhaps this is why many businesses continue to use it – concentrating efforts on improving the security around the mechanisms used to distribute and protect passwords, rather than reinventing the wheel with new authentication concepts that are often both costly and difficult to use.
Encryption and prompts for specific password character sequences prevent both interception and eavesdropping of passwords, and more complex authentication systems are constantly being introduced which generate time-limited or one-time-use passwords that minimise the possibility of 'the bad guys' stealing and re-using them. The password, it seems, is here to stay.
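The key-ring token described earlier and the time-limited, one-time-use passwords mentioned just above are the same mechanism seen from two sides: the device and the server share a secret and both derive the current code from it, so the server can check a code without it ever being sent in a reusable form. The example below is added here to show both halves; it is not code from HSBC, Lloyds TSB or any token vendor. The HMAC construction and dynamic truncation follow RFC 4226, and the secret is the publicly documented RFC 4226 test-vector seed, so the first codes it produces are known values; the 60-second window, the one step of tolerated clock drift and the fixed clock in `demo()` are assumptions for the illustration.

```python
import hmac
import hashlib
import struct

# RFC 4226 test-vector secret (public, for demonstration only); a real token
# holds a random per-user seed that never leaves the device and the server.
SHARED_SECRET = b"12345678901234567890"
TIME_STEP_SECONDS = 60    # assumption: each code is valid for one minute
CODE_DIGITS = 6


def time_counter(now: float, step: int = TIME_STEP_SECONDS) -> int:
    """Map wall-clock seconds onto the counter both sides feed into the MAC."""
    return int(now // step)


def generate_code(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """HMAC-SHA1 over the counter with RFC 4226 dynamic truncation.
    The token runs this to display a code; the server runs it to check one."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server side: accept a code for the current window (plus a little clock
    drift either side) and never accept the same window twice."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_accepted = -1     # tracked per user in a real system

    def verify(self, submitted: str, now: float) -> bool:
        current = time_counter(now)
        for counter in range(current - self.drift_steps, current + self.drift_steps + 1):
            if counter < 0 or counter <= self.last_accepted:
                continue            # one-time use: a consumed window is dead
            expected = generate_code(self.secret, counter)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted = counter
                return True
        return False


def demo(now: float = 0.0) -> tuple:
    """Fixed clock so the run is reproducible. Returns (first login accepted,
    replay of the same code rejected, same code rejected five windows later)."""
    verifier = OtpVerifier(SHARED_SECRET)
    code = generate_code(SHARED_SECRET, time_counter(now))   # what the token shows
    first = verifier.verify(code, now)                         # True
    replay = verifier.verify(code, now + 5)                    # False: window consumed
    stale = verifier.verify(code, now + 5 * TIME_STEP_SECONDS) # False: expired
    return first, replay, stale


if __name__ == "__main__":
    print(demo())
```

Two details carry the security properties the article credits to these systems: the constant-time comparison stops a timing side channel on the check itself, and recording the last accepted counter is what makes a captured code genuinely one-time rather than merely short-lived.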