Buried By The Authentication Avalanche
With identity theft on the rampage, network managers are being hit by an increasing barrage of software, hardware and services for user authentication. Organizations are implementing technologies ranging from traditional passwords/PINs to PKI and SSL certificates, tokens, fingerprint readers, and even voiceprints. Each solution carries its own infrastructure, along with its own technical ins-and-outs.
Observers agree that the authentication market is highly fractionalized. "Everybody and his brother is getting into authentication," contended Steven Hunt, VP of Research at Giga Information Group.
"Companies are recognizing that these products are using multiple and overlapping infrastructures. Passwords, for instance, have a whole help desk infrastructure behind them. The entire thing can be very confusing for administrators. The pressure is on for vendors to come up with a single shared process for authentication," he added
"Everyone has been thinking they can do authentication is a slightly better way. The market is still very, very immature," concurred Scott Blake, president of information security at BindView Corporation.
A recent report from IDC characterized the hardware authentication market, at least, as "a loose confederation of clones."
"Although similar technologies are being used among token, smart card, and biometrics vendors, the applications for which they are being used vary dramatically depending on the type of market, whether for commercial/corporate or government markets. The overall hardware authentication market remains highly fragmented, with many applications," summed up the IDC analysts.
In fact, the market is so fractionalized that the analysts decided against apples-to-apples comparison. "For this report, IDC has placed such vendors into markets according to their lowest common denominator technologies. However, comparisons among vendors within each of these submarkets, especially for biometrics, cannot be directly made."
Attempts are being made, though, to categorize the market. "Multifactor authentication is best to use, combining 'something you know' with 'something you are' and 'something you have,'" pointed out Andrew R. Rolfe, VP of development at Authentify.
As Rolfe sees it, user identify should be proven through "first-time" as well as "recurring" authentication solutions. Recurring authentication solutions include user ID with password/PIN; digital certificates; tokens; and biometric solutions.
"First-time" solutions include in-person proofing; sending out PINs via snailmail; data comparison information; (when the user supplies social security number or mother's maiden name, for example, for later comparison); and e-mail activation (when the user must respond to an e-mail in order to finish opening an account.).
PINs can enter the scene again during transactions. Notifications either by e-mail, fax, or snailmail can come into play at that point, too.
More and more, applications are coming with their own built-in authentication mechanisms. This, in fact, sometimes gives administrators no choice over what types of authentication to use, observed Patrick Hinojosa, CTO at Panda Software.
Meanwhile, products available for separate purchase range from PKI management packages to smart card readers, and beyond.
Ironically, though, despite the plethora of products and services, authentication remains a glaring security gap at many organizations, according to industry statistics. On the FBI's most recent list of "top 20 most critical Internet security vulnerabilities," the following problem landed in seventh place for Microsoft Windows security: "General Windows Authentication Accounts with No Passwords or Weak Passwords."
Similarly, on the Unix side of the house, vulnerability number ten was as follows: "General Unix Authentication Accounts with No Passwords or Weak Passwords."
To get better security, while avoiding costs associated with integration, some systems administrators are turning to outsourcing. Practitioners of "managed authentication services" range from Authentify, a specialist in voice verification, to AT&T, now a purveyor of token authentication services.
Authentify is now delivering voice verification services to 15 customers, including Hewlett-Packard and the US Social Security Administration, according to Rolfe. Authentify's services range from password reset via voicemail to voiceprint verification, for instance.
In terms of achieving a broader overall authentication framework, Hunt sees a few bright lights ahead. "Novell, iPlanet, and Entrust all seem to be moving toward consolidation. Microsoft also has a vision for authentication. I'd like to give Microsoft the benefit of the doubt. When they focus on an issue, they do seem to come up with a solution eventually," he maintained.
Smart cards may hold promise, too, according to Hunt. "Smart cards have already been used for physical access to buildings. They fit in well with our whole plastic card- carrying culture."
When administrators do have a choice over which kinds of authentication to use, Rolfe suggests using a risk management approach, balancing the strength of the authentication solution against the costs and other drawbacks involved.