The Future of Authentication

We’ve been saying it for a while – static passwords are on the verge of extinction – so where will business go for its future authentication solutions?

According to Gartner …
The Gartner Group predicts that in the next two years alone, two million US consumers will be using two-factor authentication at a few major ISPs and online communities. They further predict that this practice will become mainstream for securing Web application access across the majority of service providers within the next five years. This huge organic growth will come about as the broader market takes its lead from the ISP/portals, online banks, brokerages and gaming organizations who are already successfully incorporating strong authentication into their core offerings.

It’s not just one technology
Businesses are finally starting to discover that they can open up their networks and begin working with customers and partners in ways that, without the foundation of strong authentication, would currently give them security nightmares. And though they won’t all take the same approach, with a strong authentication solution at their network core, they can create, trust and engage in circles in ways that are comfortable not just to them, but also to their partners and customers.

Some will look to federated identity management, others to specific I&AM solutions, others to new virtual federation approaches – and maybe some combinations. Slowly at first, then at a much greater rate, the early single networks will spread to become an overlapping network of networks, all able to accept the same trusted identities.

We are fully aware that no single technology or approach will optimally address all scenarios. In fact there will continue to be a vast diversity of authentication technologies, such as current options that include hardware and software tokens, smart cards, digital certificates and biometric methods. In the quest to provide even greater protection, ease of use and convenience, here are some of the additional paths that industry is exploring.

Knowledge-based authentication
Users authenticate based on what they know and what they’re able to do. They can present data elements based on personal preferences and history, such as data from their transaction history on a personal account. The key is that they need to be able to access some out-of-band mechanism — or memory — to which an impostor is presumed not to have access.

Authentication with connected devices
The notion of connected authenticators will expand from USB-based tokens to include wireless connections based on proximity technologies such as Bluetooth® wireless technology, Infrared, Radio-Frequency Identification (RFID), even sound. Widely-deployed devices such as mobile phones and PDAs hold the potential to serve as the authentication device working within these wireless personal area networks. The introduction of e-passports and drivers’ licenses incorporating RFID also holds tremendous promise to provide strong authentication in a wide range of personal and business scenarios.

Mutual authentication
This will combat such attack methods as phishing by requiring that the business authenticates to the user as well as the user to the business. This solution will keep an illegitimate site from soliciting password data. It will also give users a more trustworthy interface for entering passwords and other personal information, ensuring that better security protocols such as zero-knowledge password authentication or password hashing are automatically employed.

Authenticating the device
While authenticating the user is critical, it is not sufficient. Future users will need to authenticate through trusted computing platforms that will in turn represent the user to the network. Today there is no easy way of identifying what types of devices can connect to the network, and when an organization cannot identify or manage a device, the entire network is weakened. In order to create a fully-trusted environment, the organization needs to control not only the individuals but also the devices that are given access to the network.

One day in the future…
Not too long from now you’ll enter your corporate building and take the lift to your office, never having to unlock a door or present any ID – the RFID-enabled employee badge in your pocket does all that for you. Its credentials are also recognized by your PC as you walk in, so with a single password you gain access to your email, applications, online corporate resources, even your partners’ extranets.

To download e-tickets for your next business trip you log in to your external travel office and authenticate by selecting the three cities you are most likely to visit, not those you have most frequently visited.

On leaving the office for your car, your Bluetooth-equipped keyless entry system identifies you as you approach it.

When you arrive home your alarm system automatically disarms at the sound of your voice and the lights come on in welcome.

These approaches to authentication are just a few examples of where our industry is going, but many others are also in development. Precisely which methods come out on top, and for which purposes, remains to be seen, but one thing is for sure — our pedigree in strong authentication solutions will put us and our partners among the winners in these dynamic developments.

from RSA newsletter

 
