Buried By The Authentication Avalanche

With identity theft on the rampage, network managers are being hit by an increasing
barrage of software, hardware and services for user authentication. Organizations are
implementing technologies ranging from traditional passwords/PINs to PKI and SSL
certificates, tokens, fingerprint readers, and even voiceprints. Each solution carries its
own infrastructure, along with its own technical ins-and-outs.

Observers agree that the authentication market is highly fractionalized. “Everybody and
his brother is getting into authentication,” contended Steven Hunt, VP of Research at
Giga Information Group.

“Companies are recognizing that these products are using multiple and overlapping
infrastructures. Passwords, for instance, have a whole help desk infrastructure behind
them. The entire thing can be very confusing for administrators. The pressure is on for
vendors to come up with a single shared process for authentication,” he added.

“Everyone has been thinking they can do authentication in a slightly better way. The
market is still very, very immature,” concurred Scott Blake, president of information
security at BindView Corporation.

A recent report from IDC characterized the hardware authentication market, at least, as “a
loose confederation of clones.”

“Although similar technologies are being used among token, smart card, and biometrics
vendors, the applications for which they are being used vary dramatically depending on
the type of market, whether for commercial/corporate or government markets. The
overall hardware authentication market remains highly fragmented, with many
applications,” summed up the IDC analysts.

In fact, the market is so fractionalized that the analysts decided against apples-to-apples
comparison. “For this report, IDC has placed such vendors into markets according to
their lowest common denominator technologies. However, comparisons among vendors
within each of these submarkets, especially for biometrics, cannot be directly made.”

Attempts are being made, though, to categorize the market. “Multifactor authentication is
best to use, combining ‘something you know’ with ‘something you are’ and ‘something
you have,’” pointed out Andrew R. Rolfe, VP of development at Authentify.

As Rolfe sees it, user identity should be proven through “first-time” as well as “recurring”
authentication solutions. Recurring authentication solutions include user ID with
password/PIN; digital certificates; tokens; and biometric solutions.

“First-time” solutions include in-person proofing; sending out PINs via snailmail; data
comparison (when the user supplies a social security number or mother’s maiden name,
for example, for later comparison); and e-mail activation (when the user must respond to
an e-mail in order to finish opening an account).

PINs can enter the scene again during transactions. Notifications either by e-mail, fax,
or snailmail can come into play at that point, too.

More and more, applications are coming with their own built-in authentication
mechanisms. This, in fact, sometimes gives administrators no choice over what types of
authentication to use, observed Patrick Hinojosa, CTO at Panda Software.

Meanwhile, products available for separate purchase range from PKI management
packages to smart card readers, and beyond.

Ironically, though, despite the plethora of products and services, authentication remains a
glaring security gap at many organizations, according to industry statistics. On the FBI’s
most recent list of “top 20 most critical Internet security vulnerabilities,” the following
problem landed in seventh place for Microsoft Windows security: “General Windows
Authentication Accounts with No Passwords or Weak Passwords.”

Similarly, on the Unix side of the house, vulnerability number ten was as follows:
“General Unix Authentication Accounts with No Passwords or Weak Passwords.”

To get better security, while avoiding costs associated with integration, some systems
administrators are turning to outsourcing. Practitioners of “managed authentication
services” range from Authentify, a specialist in voice verification, to AT&T, now a
purveyor of token authentication services.

Authentify is now delivering voice verification services to 15 customers, including
Hewlett-Packard and the US Social Security Administration, according to Rolfe.
Authentify’s services range from password reset via voicemail to voiceprint verification,
for instance.

In terms of achieving a broader overall authentication framework, Hunt sees a few bright
lights ahead. “Novell, iPlanet, and Entrust all seem to be moving toward consolidation.
Microsoft also has a vision for authentication. I’d like to give Microsoft the benefit of the
doubt. When they focus on an issue, they do seem to come up with a solution eventually,”
he maintained.

Smart cards may hold promise, too, according to Hunt. “Smart cards have already been
used for physical access to buildings. They fit in well with our whole plastic card-carrying
culture.”

When administrators do have a choice over which kinds of authentication to use, Rolfe
suggests using a risk management approach, balancing the strength of the authentication
solution against the costs and other drawbacks involved.

Columnist: Jacqueline Emigh