Last session, we counselled you not to panic when a stranger whipped out a tiny device with a constantly changing number on it in a crowded internet café; it’s most likely not a bomb, merely a device to allow said stranger to prove their identity via the internet.
Today we consider a future in which users are flattened by a flood of authentication tokens, and take a look at which of your peers are using two-factor authentication systems already.
Doodad overload
VeriSign's director of identity authentication services, Ed Elliff, tells us that “While [two-factor authentication] is not appropriate for every type of online application, any site you visit where you could lose something valuable (if someone were able to impersonate you) is a candidate for this service.”
While this is all very nice and secure, it does seem to predict some sort of ‘doodad overload’. With more and more important transactions taking place online, won’t users end up swamped by tokens: one for their bank, one for their company’s VPN, one for their hotel and one for booking a haircut with Boris the barber down the road?
Potentially, yes, says Robin Balean, solutions architect for VeriSign Australia. And that’s why the vendor’s platform allows people to use a single token to authenticate their identity with many companies.
So instead of having a unique token for each company you interact with online, users have only a single token to authenticate for all of them — so long as each company they deal with uses VeriSign’s platform for authentication.
In the more likely case that these disparate organisations have not all signed up for the same solution from the same vendor, a user would in fact need one token for each login, leading us back to token overload.
But the problem goes beyond mere user frustration. One industry survey from as far back as 2005 found that users who are required to remember several passwords often engage in risky password practices, such as recording all their passwords in a spreadsheet or writing them on Post-it notes conveniently stuck to their monitor.
So as users are inundated with tokens, the same pattern suggests they will become just as careless with their tokens as they are with their passwords.
Federation
Of course, wherever there’s a problem, there’s a vendor-supplied solution. And in the case of a flood of tokens, it’s known as federated identity management (FIM) – or, more simply, federation.
Federation allows two or more organisations to agree that if one of them vouches that a user is who they claim to be, the others will accept that assertion of identity rather than authenticating the user again.
Greg Singh, principal consultant for RSA, explains: “The user experience is simply one of logging on using two-factor authentication at a website, then via a link on that site moving over to another website while still being logged on as themselves, and not being challenged to re-authenticate.”
For example, a user could use their two-factor authentication token to sign in to an airline’s website and book a flight. Once the flight’s booked the user could follow a link from the airline’s site to a hotel’s site and book a room — without having to log in again.
Federation often involves vendor input to set up, Singh says, but they are not involved in the day-to-day handling of user credentials; the heart of federation is simply one company deciding to accept another’s verification.
As such, there’s no problem if two organisations use different vendors for their two-factor authentication. As Singh says, “The federated identity simply states who the user is and how it was established. The party that receives this information can choose to accept the credential or not.”
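The airline-to-hotel hand-off described above boils down to one signed statement. The following is an added example (it is not code from the article, RSA or VeriSign) showing what the identity provider asserts and what the receiving site checks before deciding, as Singh puts it, to accept the credential or not. The names airline.example, hotel.example and carhire.example, the claim names, and the HMAC key are all constructed assumptions; real federation products sign assertions with the issuer's private key, and the shared HMAC key here is a standard-library stand-in for that signature.

```python
import base64
import hashlib
import hmac
import json

# Constructed example key. A real federation deployment signs assertions with
# the identity provider's private key; an HMAC key shared out-of-band is a
# stand-in so this runs with the standard library alone.
ISSUER_KEYS = {"airline.example": b"airline-signing-key-constructed"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer: str, subject: str, audience: str,
                    auth_method: str, issued_at: int, ttl: int = 300) -> str:
    """Identity provider side: state who the user is, how that was established,
    which relying party may consume the statement and for how long, then sign."""
    claims = {
        "issuer": issuer,
        "subject": subject,
        "audience": audience,
        "auth_method": auth_method,   # e.g. "two-factor" or "password"
        "issued_at": issued_at,
        "expires": issued_at + ttl,
    }
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEYS[issuer], payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_assertion(token: str, my_name: str, now: int,
                     trusted_issuers: dict, accepted_methods: set):
    """Relying party side: returns (accepted, reason, claims)."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return False, "malformed", None
    key = trusted_issuers.get(claims.get("issuer"))
    if key is None:
        return False, "untrusted issuer", claims
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return False, "bad signature", claims
    if claims.get("audience") != my_name:
        return False, "wrong audience", claims
    if not claims.get("issued_at", 0) <= now < claims.get("expires", 0):
        return False, "expired or not yet valid", claims
    if claims.get("auth_method") not in accepted_methods:
        return False, "authentication method not accepted", claims
    return True, "ok", claims


def hotel_outcomes():
    """Walk through the airline-to-hotel hand-off, plus the cases a relying
    party must reject. Returns the verifier's reason for each, in order."""
    hotel = dict(my_name="hotel.example", trusted_issuers=ISSUER_KEYS,
                 accepted_methods={"two-factor"})
    good = issue_assertion("airline.example", "alice", "hotel.example",
                           "two-factor", issued_at=1000)
    # Tamper: change the subject inside the signed payload, keep the signature.
    payload_b64, sig_b64 = good.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["subject"] = "mallory"
    tampered = _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig_b64
    # An assertion captured in transit to a different site.
    other_site = issue_assertion("airline.example", "alice", "carhire.example",
                                 "two-factor", issued_at=1000)
    # The airline let the user in with a password only.
    weak = issue_assertion("airline.example", "alice", "hotel.example",
                           "password", issued_at=1000)
    return [
        verify_assertion(good, now=1100, **hotel)[1],
        verify_assertion(tampered, now=1100, **hotel)[1],
        verify_assertion(other_site, now=1100, **hotel)[1],
        verify_assertion(good, now=5000, **hotel)[1],
        verify_assertion(weak, now=1100, **hotel)[1],
    ]


if __name__ == "__main__":
    print(hotel_outcomes())
```

The audience and authentication-method checks are what let the hotel accept the airline's word without sharing a vendor: the hotel trusts a named issuer's key, insists the statement was addressed to it, and can still refuse a login the airline established with a password alone.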
While this won’t chop the number of tokens a user has to take care of down to one, it does have the potential to reduce the burden on users.
Security issues
Two-factor authentication undeniably improves security, but it is open to real-time man-in-the-middle attacks: a phishing site captures the user’s password and the current one-time code, and the attacker relays both to the genuine site immediately, before the code expires, impersonating the user in real time.
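Why "immediately" matters is clearest with the arithmetic of a time-based token. The following is an added example, not code from the article or any vendor named in it: a standard TOTP generator (RFC 6238, built on the HOTP truncation of RFC 4226) and an assumed server-side verifier, then a constructed scenario in which the user types the code into a phishing page and the phisher forwards it. The secret is the published RFC test-vector key so the codes can be checked against known values; the 30-second step, the one-step drift window and the single-use rule are assumptions about the verifier, not a description of any product.

```python
import hashlib
import hmac
import struct

# Constructed shared secret: the RFC 4226 / RFC 6238 test-vector key, used so
# the generated codes can be checked against published values.
SECRET = b"12345678901234567890"
STEP = 30          # assumed seconds per time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time."""
    return hotp(secret, now // step)


class TokenServer:
    """Assumed server-side verifier: accepts a code for the current step or one
    step either side (clock drift), and never accepts the same step twice."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.used_steps = set()

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step in self.used_steps:
                continue
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.used_steps.add(step)
                return True
        return False


def relay_attack_outcome():
    """Constructed scenario: the user types the current code into a fake site
    at t=59; the phisher forwards it to the real site 11 seconds later, then
    tries to reuse it, then tries again long after the step has passed."""
    bank = TokenServer(SECRET)
    captured = totp(SECRET, 59)                 # what the user typed into the phishing page
    relayed_now = bank.verify(captured, 70)     # forwarded within the validity window
    replayed = bank.verify(captured, 75)        # same code submitted a second time
    replayed_later = bank.verify(captured, 300) # well outside the window
    return relayed_now, replayed, replayed_later


if __name__ == "__main__":
    print(hotp(SECRET, 0), totp(SECRET, 59))   # RFC test vectors: 755224 287082
    print(relay_attack_outcome())              # (True, False, False)
```

The first result is the attack the paragraph describes: nothing in the code ties it to the site the user thought they were visiting, so a relay inside the window is indistinguishable from the user. The other two results show the limits of the attacker's position, which is why the phisher must act at once rather than store the code for later.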
But since federation groups logins, couldn’t a successful man-in-the-middle attack compromise all a user’s linked accounts in one go?
Singh says no.
“The security around the passing of federated identity from one party to another is very strong, including both digitally encrypted and signed communications. On top of this, the communication can also be encapsulated in SSL, so the chance of a man-in-the-middle attack is next to impossible,” he says.
Strong users
Given Elliff’s observation that strong authentication is appropriate for any application where something of value is at stake, the companies using it are pretty much those you’d expect: lots of banks, credit unions, as well as a few hospitals, government departments and private enterprises.
PayPal and eBay are the most visible members of VeriSign’s VIP scheme, with some Australian credit unions signing up just recently as well.
Users of Secure Computing’s SafeWord offering are generally of a similar ilk: Citibank, American Express and Boeing, as well as vendors Cisco and Sun Microsystems.
New Zealand Police, Rio Tinto, Westmead Children’s Hospital and the Department of Justice in Qld have all signed up with RSA’s SecurID system.
You’ll have noticed almost all these organisations lie somewhere between merely big and unconscionably big. However, Stuart Rauch, director of product marketing at Secure Computing, maintains that two-factor authentication is also “a great fit” for small and medium-sized companies.