Identity Trend 2: Authentication
By identity on Oct 02, 2009
This post is the second in a series of eleven articles I am writing about trends in the Identity Management industry.
After all is said and done, Authentication continues to be right at the heart of Identity Management. Determining whether the correct set of Identity credentials is presented, so a person or process can be granted access to the correct system, application or data, is critical to the integrity of the online experience. Authentication is like the gatekeeper or enforcer who determines who gets in the door.
- Demand for strong authentication is accelerating as the sophistication and sheer numbers of people who would defraud or damage online systems continue to grow. More effort is being focused on just how to economically, but securely, implement strong authentication methods to protect confidential information.
- As the need for strong authentication grows, there has been considerable conversation about whether the pervasive use of passwords is headed for extinction. Is the password really on its deathbed? In a Network World column posted earlier this year, Dave Kearns equated passwords to buggy whips. In my response entitled Passwords and Buggy Whips, I challenged “Replace username/password with what?" Until we get wide acceptance of alternate methods, it is unlikely that passwords will join buggy whips in the dustbin of history.
- In a subsequent post entitled, Seat Belts and Passwords ... and Buggy Whips, I proposed that “until ease of use makes passwords irrelevant, people will continue to use buggy whips or drive without seat belts.” The key issue dogging the industry is how to provide identity credentials that are so easy to use that the technical unsavvy majority can easily use them while providing a level of security commensurate with the rising tide of online threats.
- Assess what level of security is needed for different areas of your enterprise. In some cases, authentication must protect high value information. In other cases, less strong authentication may be appropriate.
- Seek to understand what your users need. What methods are both secure and easy to use for them?
- Is the cost of strong authentication commensurate with the risk of data loss or compromised system access?
- What is the best combination of authentication methods to serve my user community and protect my business interests?
Many years ago, while involved in a large physical security project, we joked that you need to invest enough in your security system so it is cheaper to bribe the guard than to breach the electronic system. The same principle may be true with Identity Authentication.