The Pros and Cons of Advanced Authentication
Isn't it time to move beyond the infinitely-hackable name and password combo?
The cornerstone of any reliable security system is authentication, the way of confirming the truth of something or the identity of a person. To protect data and/or control access to data, many organizations still rely on the simplest and most common form of authentication: the password. Not surprisingly, the basic password is too often breached or copied or shared, thereby exposing data to theft or malicious intrusions.
Savvy organizations have moved beyond the password to implement more advanced authentication methods such as biometrics, one-time passwords, and smart cards. Fingerprint biometrics are probably the most widely used advanced authentication methods because they are very reliable and very inexpensive. Other forms of biometrics include facial recognition and retinal scanning.
Increasingly built into laptop computers, fingerprint readers have become popular as a secure method for identification. Biometrics not only deal with static patterns but action as well. Thus, the dynamics of writing one's signature as well as typing on the keyboard can be analyzed.
Pros: biometrics are a very secure form of authentication. The systems are generally low-cost, easy-to-use, and non-intrusive.
Cons: These systems don’t work accurately on people with few minutia points on their fingers -- such as surgeons who wash their hands with strong soaps on a regular basis, people with skin diseases, and manual laborers who put a lot of wear and tear on their fingers. In addition, results can also be hampered by false minutia points (areas of confusion caused by poor imaging or fuzzy fingerprint ridge details).
As with most technologies, fingerprint biometric systems can be scammed. For example, as was pointed out on an episode of Mythbusters a couple of years back, fingerprints captured from a water glass can fool scanners.
As their name implies, one-time passwords (OTPs) delivered by software or hardware tokens, are passwords that are valid for only one login session or transaction. OTPs are generated by algorithms that rely on randomness. This is necessary because otherwise it would be easy to predict future OTPs by observing previous ones.
Common methods of distributing OTPs are text messaging, mobile phones, proprietary hardware tokens such as the recently breached SecurID token from RSA, the Web, and good ol’ paper.
Pros: OTPs avoid a number of the shortcomings of traditional static passwords. Chiefly, they are not vulnerable to replay attacks, meaning intruders cannot abuse OTPs to log into a service or to conduct a transaction because the OTPs will no longer be valid.
OTPs can be very inexpensive, especially if they are delivered on paper or generated electronically.
Cons: Cost can be an issue, especially with SMS messaging and hardware tokens. Other issues with hardware tokens are: they can get lost, damaged, or stolen. Additionally, users will be inconvenienced when batteries die. Some of these batteries cannot be recharged -- forcing users to replace them and, in worse-case scenarios, buy new tokens.
Electronic tokens are not problem-free. Algorithm-based OTPs must deal with drifts out-of-sync with the server if the system requires the OTP to be entered by a deadline. Time-synchronized systems, in contrast, avoid this problem at the expense of having to maintain a clock in the electronic tokens.
A smart card, typically a type of chip on a card, is (as we all know by now) a piece of plastic with an embedded computer chip that stores and transacts data. This data is usually associated with either value, information, or both, and is stored and processed within the card's chip. The data is transacted via a reader that is part of a computing system.
Pros: Smart cards offer both a high level of security and convenience. They provide tamper-proof storage of user and account identity. Smart card systems have proven to be more reliable than other machine-readable cards such as magnetic stripe and barcode.
In addition, smart cards also provide vital components of system security for exchanging data throughout almost any type of network. Businesses, government agencies and universities use smart cards for controlling access to data, equipment, and physical locations.
Cons: Even the "smartest" cards can be lost, stolen, easily damaged and, yes, even hacked.
Herman Mehling has been writing about technology for more than 25 years, and has written hundreds of articles for leading technology publications and websites. He was an editor and reporter at Computer Reseller News, and a PR executive at a number of agencies in the San Francisco area. Mehling has edited three books, including How To Select A Vendor For Web Development (written by Salim Lakhani); and has written numerous articles, press releases, and white papers for corporations. Currently, he contributes regularly to: www.devx.com, www.ecrmguide.com and www.esecurityplanet.com. Before working in technology, Mehling was the editor of a grocery trade magazine in Dublin, Ireland, and a reporter for a Dublin weekly newspaper.