Who Are You?

You just can’t trust a username/password combo to verify user identity. It’s time for two-factor.


In any transaction—purchase of goods, exchange of information, transfer of funds—it is valuable to verify the identity of the party with whom you are conducting business. In face-to-face transactions, a photo ID is used to verify the identity of a party cashing a check or purchasing a product with a credit card. Obviously there is some risk in this, since photo IDs can be readily counterfeited, but a photo ID combined with the security features on checks and credit cards helps to ensure the security of the transaction. Identity authentication provides a greater level of trust in conducting business.

Why Username/Password Doesn’t Work
We generally use a simple form of authentication—a username combined with either a password or a PIN—to log into our computers or corporate networks. This form of authentication is extremely weak. Users regularly share accounts and passwords; they use simple, generic words as their passwords; and if they use complex passwords they forget them, or worse yet, write them down.

In addition, the numerous effective password cracking tools have made passwords nearly obsolete. Keystroke capture programs and devices, which are easy to use and readily available, will capture any username/password combination entered into a computer. Because of this, many businesses, especially those that offer online financial services or e-commerce solutions, are looking for more robust authentication.

The username/password combination is called single-factor authentication and is only useful for keeping honest people honest. Businesses are now trying to evaluate the effectiveness of using an additional layer of authentication. Such two-factor authentication often combines something a user knows (username/password) with something he or she has, such as a token, smart card or personal asset (biometric).

Authenticators and More
There are numerous two-factor authentication options. Arguably one of the best known is RSA Security’s SecurID. This device, or authenticator, uses time-synchronization technology: the authenticator displays a one-time code that changes every 60 seconds, and the user simply enters a unique PIN along with the code currently shown. If the back-end system verifies that the code is correct for that moment, the user is authenticated. The attraction of this system is that it does not require the installation of hardware or software on the user’s system.

Challenge/response tokens work slightly differently. When a user attempts to log in, the system provides a character string that the user then enters into a hardware or software token. The token creates a response that the user then enters into the system. If the response is correct, the user is authenticated and granted access to the network.
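The two token styles described above, as an added example that is not from the article and not the code of RSA or Authenex: a generic HMAC-based time-synchronized code and a challenge/response exchange, each with the back-end check it relies on. The secret key, PIN and timestamps are constructed sample values, and the construction is a simplified illustration, not SecurID’s proprietary algorithm.

```python
import hashlib
import hmac
import secrets

STEP_SECONDS = 60   # the article's 60-second code rotation
CODE_DIGITS = 6     # length of the displayed one-time code


def time_code(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """Code a time-synchronized token shows for the window containing `now`."""
    window = (now // step).to_bytes(8, "big")
    digest = hmac.new(secret, window, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % 10**CODE_DIGITS).zfill(CODE_DIGITS)


def verify_time_code(secret: bytes, expected_pin: str, pin: str,
                     code: str, now: int, drift: int = 1) -> bool:
    """Back-end check of PIN (something known) plus code (something held).

    Accepts codes from +/-`drift` windows so a token whose clock has drifted
    slightly still works; all comparisons are constant-time.
    """
    if not hmac.compare_digest(pin, expected_pin):
        return False
    return any(
        hmac.compare_digest(code, time_code(secret, now + k * STEP_SECONDS))
        for k in range(-drift, drift + 1)
    )


def issue_challenge() -> str:
    """Random 8-character string the server shows and the user types into the token."""
    return secrets.token_hex(4)


def token_response(secret: bytes, challenge: str) -> str:
    """What the token displays for a challenge (keyed hash, truncated for typing)."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()[:8]


def verify_response(secret: bytes, challenge: str, response: str) -> bool:
    """Server-side check: recompute the response and compare in constant time."""
    return hmac.compare_digest(response, token_response(secret, challenge))
```

Note that the server must keep the shared secret per token and never reuse a challenge, otherwise a captured response would be replayable.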

Another popular option is the A-Key® by Authenex. This USB-enabled device offers secure digital certificate storage, one-time passwords and challenge/response capabilities. The attraction of this product is its flexibility.

The devices and methodologies mentioned above are all excellent and robust solutions for two-factor authentication in the enterprise. Mechanisms can be put in place to cost-effectively manage these devices and the back-end equipment that supports them. However, as with all security implementations, there are hang-ups to consider. Perhaps one of the greatest issues is that some of these devices are small and can easily be lost or misplaced. Many two-factor authentication options also leave room for user error, such as mistyping a one-time code or response.

The Biometric Be-All
Biometrics, the option that was believed to be the be-all and end-all of two-factor authentication, has not been widely embraced for several reasons. User acceptance has been lukewarm at best due to privacy concerns. This point is driven home by a June 28, 2005 posting by Nick Owen on his Thinking WiKID Thoughts blog: “As people now are starting to realize that hardly anyone can be trusted with an unchangeable identifier such as a social security number, why do they want to give them their fingerprint?”
