Network professionals face the perennial job of deciding what type of authentication to have corporate employees and trading partners use for access to corporate resources. Many view passwords as the least secure type of authentication, but find the cost of using better authentication methods, such as handheld tokens or digital certificates, still too high for general use.

But in terms of corporate strategy for authentication management, IT professionals and the vendors they look to for products seem to agree on a basic point: Every company should mix and match authentication technologies based on the level of sensitivity of the data, never depending on passwords alone.

Importantly, large organizations are making an ongoing effort to centralize authentication management so they can quickly issue and revoke network access across every kind of "credential," the term security professionals use for any means granted to a user for online access.

And ideally, IT managers want a way to centrally control which servers or databases each user is authorized to access, and to keep those rights current as people join, move and leave. Deciding what an authenticated user may reach is authorization; maintaining those rights over time is administration.

Computer Associates, IBM, Secure Computing, RSA Security, Netegrity and several start-ups, including WaveSet Technologies, Access360 and Business Layers, are each in their own fashion tackling the challenge associated with what market research firm IDC calls the three A's - authentication, authorization and administration.

Controlling access

These types of products often involve controlling access to corporate servers by adding agent software to them that can be controlled by the central server. Some products let a manager set up complex workflow routines that tie into other applications, such as SAP or PeopleSoft databases used by the human resources department, which maintains essential employee data.

In fact, at $3 billion in sales each year, the market for authentication, authorization and administration products is considerably larger than the market for firewall, encryption or antivirus products (see graphic).

But with some of these software products for managing the three A's costing a half-million dollars, many organizations still prefer to write their own applications in-house, especially when they don't see exactly what they need on the market.

"There are many products to choose from, but many of them are tactical solutions trying to command strategic prices," says Terry McFadden, associate director of directory services at Procter & Gamble, which wrote its own application to centrally manage passwords and digital certificates for employees. Procter & Gamble's home-grown application uses a Critical Path directory server as the central repository for data, including user profiles and digital certificates.

As part of the effort, the Procter & Gamble IT department had to work closely with HR to link into HR's SAP database to get user information quickly, McFadden says.

Procter & Gamble issues users either simple passwords or Entrust digital certificates, depending on the security requirements. The company's pharmaceutical divisions, in particular, use digital certificates for signing and encrypting documents, McFadden says.

Security costs

Digital certificates, which bind a user's identity to a key pair used for signing and encrypting, provide far better security than simple passwords, provided the private key stays under the user's control.

However, digital certificates cost at least $40 per user, according to Gartner. Although IT managers are all too aware that simple passwords are a weak form of authentication, the costs for stronger authentication keep passwords dominant. Only 4% of online transactions use methods other than simple passwords, according to Gartner.

Reusable "static" passwords are widely considered less secure than dynamic, variable "one-time" passwords: a static password is presented unchanged at every login and is easy to share, so once it is guessed, sniffed or disclosed it keeps working for an attacker until it is changed, whereas a one-time password is valid for a single use and a captured value cannot be replayed. One-time passwords are generated by handheld hardware tokens, such as those sold by RSA Security, Secure Computing and Vasco. These typically cost at least $25 per person.
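As an added illustration of why a one-time password resists replay while a static one does not, here is the event-based one-time password scheme from RFC 4226 (HOTP) in Python. This is example code written for this page, not code from the article or from any vendor named in it, and it is not the proprietary SecurID algorithm; the token and server classes, the token ID and the user name are made up, and the shared secret is the RFC 4226 test-vector key. Token and server share a secret, the token derives a fresh code from a counter that advances on every press, and the server accepts each counter value only once.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a short decimal code the user can type."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class Token:
    """Stand-in for a handheld token (constructed for this example): holds the
    shared secret and a counter that advances each time the button is pressed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class OtpServer:
    """Stand-in for the authentication server (constructed for this example).
    It remembers the highest counter it has accepted per token, so each code
    is good for exactly one login; a small look-ahead window tolerates
    button presses whose codes never reached the server."""

    def __init__(self, look_ahead: int = 5):
        self.tokens = {}  # token_id -> [secret, last accepted counter]
        self.look_ahead = look_ahead

    def enroll(self, token_id: str, secret: bytes) -> None:
        self.tokens[token_id] = [secret, -1]

    def verify(self, token_id: str, code: str) -> bool:
        entry = self.tokens.get(token_id)
        if entry is None:
            return False
        secret, last = entry
        for counter in range(last + 1, last + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(secret, counter), code):
                entry[1] = counter  # resync: this and every earlier counter is now dead
                return True
        return False  # unknown token, replayed code, or too far ahead


class StaticPasswordServer:
    """Contrast case: a reusable password is accepted as often as it is presented.
    Unsalted SHA-256 keeps the example short; real password storage needs a
    salted, deliberately slow hash."""

    def __init__(self):
        self.passwords = {}

    def enroll(self, user: str, password: str) -> None:
        self.passwords[user] = hashlib.sha256(password.encode()).hexdigest()

    def verify(self, user: str, password: str) -> bool:
        stored = self.passwords.get(user)
        candidate = hashlib.sha256(password.encode()).hexdigest()
        return stored is not None and hmac.compare_digest(stored, candidate)


def replay_comparison() -> dict:
    """Capture one credential of each kind and present it twice."""
    secret = b"12345678901234567890"  # RFC 4226 test-vector key, not a deployment secret
    token, otp = Token(secret), OtpServer()
    otp.enroll("token-0001", secret)
    static = StaticPasswordServer()
    static.enroll("alice", "Winter2001")

    captured_code = token.press()  # imagine an attacker sniffed this off the wire
    captured_pw = "Winter2001"
    return {
        "otp_first_use": otp.verify("token-0001", captured_code),
        "otp_replay": otp.verify("token-0001", captured_code),
        "static_first_use": static.verify("alice", captured_pw),
        "static_replay": static.verify("alice", captured_pw),
    }


if __name__ == "__main__":
    print(replay_comparison())
```

The server records the last accepted counter, so a sniffed one-time code fails on its second presentation, while the static password is accepted every time; the look-ahead window is what lets a user recover after pressing the token a few times without logging in, but it also bounds how far a lost token can drift before an administrator must resynchronize it.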

Art Eichmann, manager of corporate information security at Universal Studios in Los Angeles, is a big fan of handheld tokens and plans to use more of them in place of simple passwords as the price for tokens drops.

Universal Studios uses the RSA Security SecurID token, which works with RSA's ACE Server to validate the variable password. About 4,000 remote employees at Universal have been given the SecurID token to identify themselves for remote access into the Universal Studios corporate network.

However, the cost of the handheld tokens has kept Universal from having employees use anything other than simple passwords to authenticate inside the LAN to the mainframe, AS/400, NT boxes or their own PCs, Eichmann says. As token prices drop, the argument for giving them to all employees for all authentication needs becomes easier to make.

"Four years ago, I paid $90 per token for three years for SecurID," Eichmann says. "Now I just signed up four-year token use for under $90. That's $15 per year per person."

Universal Studios also wants to centralize the authorization and administration process, and is looking at the IBM Tivoli SecureWay and other products, but will probably not decide on a purchase until Universal's merger with Vivendi is completed.

"We'd like to centralize our administration as much as possible, but we still have multiple people keeping track of this, whether it's for our AS/400, RISC systems or NT-based boxes and PCs," Eichmann says.

There seems to be a shared sentiment that despite the management headaches of juggling multiple authentication technologies, it's critical not to depend exclusively on simple passwords.

"Passwords are good enough for some things, but what about the mergers and acquisitions department?" notes Barry Keyes, vice president of the eTrust Solutions product line sold by Computer Associates, which is ranked the top vendor in the three A's market by IDC. "Or someone executing a very valuable order? Or from accounting or pharmaceuticals research? This is a variation in the degree of security requests, and a good system should be able to handle multiple types of authentication."

Keyes adds that Computer Associates' eTrust Admin product also includes a way to provision access not only to networks but to buildings, cell phones and credit cards. "A provisioning system should include any number of things a new employee may need," Keyes says.

Sometimes users are tempted to think of simple passwords as free, but "that's not really true," notes Willy Leichter, Secure Computing's product manager for the SafeWord product line, which centralizes management of a variety of authentication methods, including passwords, handheld tokens, digital certificates, and remote-access authentication via VPNs or Remote Authentication Dial-In User Service (RADIUS) servers.

"You have to give users a password for every system. That can be a lot of work for the help desk," he says.