The recent LinkedIn password breach was yet another reminder of how weak the simple password method of authentication has become.
The basic login name and password system is weak for two primary reasons. First, most people reuse their password on multiple sites, so a single breach gives hackers a way into a number of accounts. Second, most people use passwords that are easy to remember, so easy that the same password is used by hundreds of other people, too. In one recent breach, it was discovered that the most common password was "Red Sox" or some variation of the baseball team's name.
This is why experts recommend other methods of authentication to access sites that store sensitive information. However, as Steve Jensen, principal consultant for managed security solutions with BT Global Services, pointed out, there isn’t really a “best” option for authentication yet. Here are some of the authentication methods that security experts prefer.
A Secure Token
Jensen likes the implementation of the RSA SecurID token, but he does point out that it is expensive and may not be an easy option for a company on a tight IT budget. The method consists of a token, either hardware or software, that is assigned to a computer user. The token creates a new authentication code at regular intervals (say every 60 seconds). This authentication code is often combined with a user PIN when accessing the network from a remote location. It isn't foolproof, however: RSA itself was breached in 2011, and the hackers used what they learned about the tokens to gain access to defense and government business networks.
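The time-based token scheme described above can be shown in working code. The following is an added example, not code from the article or from RSA: it implements the open HOTP/TOTP algorithms (RFC 4226 and RFC 6238), which behave the way the paragraph describes (a new code every interval, derived from a per-token secret), plus the "PIN followed by token code" passcode used for remote access. The 60-second step, the constructed demo seed, salt and PIN are assumptions for illustration; the seed happens to be the RFC test-vector seed so the output can be checked against the published vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """TOTP (RFC 6238): the HOTP counter is the number of `step`-second intervals since the epoch.
    A 60-second step is assumed here to match the article; many deployments use 30."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = 60, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current interval or for `window` intervals on either side,
    which absorbs small clock drift between token and server. Comparison is constant-time."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    current = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits), candidate)
        for c in range(current - window, current + window + 1)
    )


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Server-side PIN storage: salted PBKDF2 so a stolen database does not reveal PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def verify_passcode(secret: bytes, pin_salt: bytes, pin_hash: bytes, passcode: str,
                    unix_time: int, step: int = 60, digits: int = 6) -> bool:
    """Remote-access style passcode: the user types PIN followed by the token code.
    Both factors are always evaluated so that timing does not reveal which one was wrong."""
    if len(passcode) <= digits:
        return False
    pin, code = passcode[:-digits], passcode[-digits:]
    pin_ok = hmac.compare_digest(hash_pin(pin, pin_salt), pin_hash)
    code_ok = verify_totp(secret, code, unix_time, step, digits)
    return pin_ok and code_ok


if __name__ == "__main__":
    # Constructed demo values: the RFC 4226 test-vector seed, a fixed salt and PIN.
    # A real token seed is random per token and provisioned out of band.
    seed = b"12345678901234567890"
    salt = b"constructed-salt"
    stored_pin = hash_pin("4321", salt)
    now = 59  # unix time used by the RFC 6238 vectors with a 30-second step
    code = totp(seed, now, step=30)
    print("current code:", code)
    print("PIN+code accepted:", verify_passcode(seed, salt, stored_pin, "4321" + code, now, step=30))
```

The `window` parameter is the practical trade-off the paragraph glosses over: a wider window tolerates more clock drift but also lengthens the time a shoulder-surfed code stays valid. The 2011 incident is the reason the per-token seed must be treated as a secret of the same sensitivity as the password database: anyone holding the seed can run `totp` themselves.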
Two-Factor SMS Authentication
In general, two-factor authentication combines two things: something the user knows, like a password, and something the user has, like a cellphone. The user logs on to a site with a password and then proves the second factor. A simple example is a debit card that requires a PIN: two layers to get at the information. Two-factor SMS authentication keeps both components and adds the extra security layer of a one-time code, as a token does, but without the token's added cost. It is popular with the banking industry: when a customer wants to make a change to his account, for example, he is sent a text message containing a one-time password.
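The server side of the SMS one-time password flow described above, as an added example (not the article's or any bank's code). It issues a random six-digit code, stores only a salted hash of it, and enforces the three properties that make such a code safe to use: it expires, it is single-use, and a few wrong guesses void it. The five-minute lifetime, the three-attempt limit and the `send_sms` delivery hook are assumptions; the hook in the demo just records what would have been sent.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 3        # assumed policy: three wrong guesses void the code


@dataclass
class PendingOtp:
    digest: bytes       # salted hash of the code; the plaintext is never stored
    salt: bytes
    expires_at: int
    attempts: int = 0


@dataclass
class OtpService:
    """Issues and verifies SMS one-time passwords for a 'confirm this account change' step.
    `send_sms(phone, message)` is a hypothetical delivery hook, not a real SMS gateway API."""
    send_sms: Callable[[str, str], None]
    pending: Dict[str, PendingOtp] = field(default_factory=dict)

    @staticmethod
    def _digest(code: str, salt: bytes) -> bytes:
        return hmac.new(salt, code.encode(), hashlib.sha256).digest()

    def issue(self, user: str, phone: str, now: int) -> None:
        # Cryptographically random code: secrets.randbelow, never random.random.
        code = str(secrets.randbelow(10 ** OTP_DIGITS)).zfill(OTP_DIGITS)
        salt = secrets.token_bytes(16)
        # Issuing a new code replaces (and so invalidates) any older one for this user.
        self.pending[user] = PendingOtp(self._digest(code, salt), salt, now + OTP_TTL_SECONDS)
        self.send_sms(phone, f"Your one-time code is {code}. It expires in 5 minutes.")

    def verify(self, user: str, candidate: str, now: int) -> bool:
        entry = self.pending.get(user)
        if entry is None:
            return False
        if now > entry.expires_at:
            del self.pending[user]          # expired: discard and refuse
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(self._digest(candidate, entry.salt), entry.digest)
        # Single use: a success consumes the code; too many failures void it.
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self.pending[user]
        return ok


def code_from_message(message: str) -> str:
    """Pull the six-digit code out of the demo SMS text (only needed to drive the demo)."""
    return message.split("is ")[1][:OTP_DIGITS]


if __name__ == "__main__":
    outbox = []  # constructed stand-in for the SMS gateway
    svc = OtpService(send_sms=lambda phone, msg: outbox.append((phone, msg)))
    svc.issue("alice", "+1-555-0100", now=1000)
    code = code_from_message(outbox[-1][1])
    print("first use:", svc.verify("alice", code, now=1010))    # True
    print("replayed:", svc.verify("alice", code, now=1011))     # False, already consumed
```

Two design points worth noting: the stored value is an HMAC keyed by a per-code salt, so a database dump of pending codes is useless; and the attempt counter is incremented before the comparison, so a client cannot avoid the limit by aborting requests mid-check.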
Biometric Verification
Biometric verification can provide an effective complement to an existing strong authentication system that uses some combination of username, password, and physical token (such as a smart card). Alternatively, it can streamline strong authentication by replacing traditional means of verification. According to Joey Pritikin, director of product marketing at AOptix Technologies, compared to passwords, which are often forgotten and easily transferred from one individual to another, and physical tokens, which can be lost, stolen, transferred, or broken, biometric traits are inherent to the individual, always carried, and never forgotten.
“Among various biometric modalities, iris recognition is emerging as the leading option for authentication applications requiring the utmost accuracy and consistency of performance,” Pritikin said. Iris recognition is non-contact, respecting concerns of hygiene and personal space while eliminating the deterioration of accuracy that comes with dirty surfaces. It also tends to be more accurate, repeatable, and stable.
Graphical and Image-Based Authentication
For those of us who can’t remember multiple passwords, images may be a better option. According to Bill Goldbach, executive vice president at Confident Technologies, his company’s technology generates temporary, one-time passwords simply by asking the user to identify pictures that match their previously-chosen, secret categories. “When a user first registers, they pick a few categories of things – such as dogs, flowers and cars. Each time authentication is needed, they are presented with a grid of random pictures. They must pick out which pictures fit into their secret categories. When they identify the correct images, the technology generates a one-time password for logging in,” he explained.
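The category-based image challenge Goldbach describes, reconstructed as an added example. This is not Confident Technologies' code and assumes nothing about their product beyond the paragraph: a user registers a few secret categories, each login shows a grid of random images, and only the exact set of images belonging to the secret categories unlocks a one-time password. The image catalogue, grid size of nine, three target images per grid and the constructed category names are assumptions.

```python
import random
import secrets
from typing import Dict, List, Optional, Sequence, Set

# Constructed catalogue: image id -> category. In a real system the catalogue is large and the
# category labels stay server-side; the client only ever receives image ids and pixels.
CATALOG: Dict[str, str] = {
    "img001": "dog", "img002": "dog", "img003": "dog",
    "img004": "flower", "img005": "flower", "img006": "flower",
    "img007": "car", "img008": "car", "img009": "car",
    "img010": "boat", "img011": "boat", "img012": "boat",
    "img013": "bird", "img014": "bird", "img015": "bird",
    "img016": "chair", "img017": "chair", "img018": "chair",
}


def build_challenge(secret_categories: Set[str], catalog: Dict[str, str],
                    rng: random.Random, grid_size: int = 9, targets: int = 3) -> List[str]:
    """Build one login grid: `targets` images from the user's secret categories, the rest decoys,
    shuffled so position carries no information. Every grid has the same number of targets, so
    the count of correct answers does not leak which categories are secret."""
    secret_ids = [i for i, c in catalog.items() if c in secret_categories]
    decoy_ids = [i for i, c in catalog.items() if c not in secret_categories]
    if len(secret_ids) < targets or len(decoy_ids) < grid_size - targets:
        raise ValueError("catalogue too small for the requested grid")
    grid = rng.sample(secret_ids, targets) + rng.sample(decoy_ids, grid_size - targets)
    rng.shuffle(grid)
    return grid


def expected_selection(grid: Sequence[str], secret_categories: Set[str],
                       catalog: Dict[str, str]) -> Set[str]:
    """The images in this grid the user is supposed to pick."""
    return {i for i in grid if catalog[i] in secret_categories}


def verify_selection(grid: Sequence[str], selected: Sequence[str],
                     secret_categories: Set[str], catalog: Dict[str, str]) -> bool:
    """Exact set match: a missing image or an extra one both fail, and ids not in the
    grid are rejected rather than silently ignored."""
    chosen = set(selected)
    if not chosen <= set(grid):
        return False
    return chosen == expected_selection(grid, secret_categories, catalog)


def complete_login(grid: Sequence[str], selected: Sequence[str],
                   secret_categories: Set[str], catalog: Dict[str, str]) -> Optional[str]:
    """On a correct selection, mint the one-time password the paragraph describes;
    otherwise return None. The 8-digit format is an assumption."""
    if not verify_selection(grid, selected, secret_categories, catalog):
        return None
    return str(secrets.randbelow(10 ** 8)).zfill(8)


if __name__ == "__main__":
    user_secret = {"dog", "flower", "car"}   # chosen once at registration
    grid = build_challenge(user_secret, CATALOG, random.Random())  # fresh randomness per login
    print("grid shown to user:", grid)
    answer = sorted(expected_selection(grid, user_secret, CATALOG))
    print("one-time password:", complete_login(grid, answer, user_secret, CATALOG))
    print("one image short:", complete_login(grid, answer[:-1], user_secret, CATALOG))
```

The security of the scheme rests on the grid being freshly randomised each time and on the server never revealing categories: an observer who sees one login learns which three images were picked, but not which of the many categories they stand for, and the next grid shows different images.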
Multiple Layers of Authentication
With this approach, the user provides several pieces of information they know, such as a username, a password, security questions, and whatever else the site decides to use. Many layers can be a little cumbersome, but it is also an easy way for a company to step up security. For example, my bank recently added two security questions to layers that already included a user name, a photo, a keyword, and a password.
In the end, the best authentication options enable organizations to establish trust in their users' identities while meeting security and cost requirements along with user expectations. "The bottom line," said Julian Lovelock, VP of product marketing at HID Global Identity Assurance, "is that strong authentication serves as the foundation for an effective identity assurance solution that can be used to secure access to enterprise resources, networks and cloud-based applications."