Multifactor Authentication's Many Options

By Doug Bartholomew  |  Posted 2008-01-30

Usernames and passwords remain the most common means of authentication in use on enterprise networks and systems. While many security experts have considered passwords insufficient for some time, they survive because of user familiarity, ease of use and a large deployment base.

The biggest problems with passwords are users and management. Unless forced, users will often pick weak password combinations and won’t frequently change passwords. Likewise, most enterprise users have eight to 12 unique identities for different systems and applications, meaning they have to remember unique passwords for each. Human nature and memory being what they are, most users write their passwords in notebooks and on Post-it notes, which leads to compromises.

Technically, username-and-password is a two-factor authentication—something you are (yourself) and something you know (password). Adding a third or fourth layer of authentication increases security, especially since higher-level authentication methods involve something you have (tokens, certificates, smart cards) or something you are (biometrics, such as iris scanners, fingerprint and palm readers, voice recognition).

Few disagree that multifactor authentication provides stronger security. What has hindered adoption and deployment is often the associated cost. Despite the advancement in biometrics and tokens, their costs remain significantly higher compared with just passwords.

Alternative authentication methods have found their way into limited usage. BioPassword’s “Fist of Sender” method associates a user with unique typing patterns. Other schemes use visual recognition cues and puzzle solving to augment or replace conventional passwords. While these methods have shown promise, they’ve failed to capture significant market share, likely because of the lack of user familiarity and high false-negative rates (people getting locked out of their systems because they cannot remember the correct picture combination).

Regardless of cost, enterprises have adopted limited forms of multifactor authentication for controlling access to sensitive areas, such as data centers, and confidential data. Some online payment and commerce services, such as PayPal, are experimenting with low-cost tokens and digital certificates, believing the public is ready for multifactor authentication to protect their identity and financial data. Perhaps, but previous efforts at driving multifactor authentication adoption have failed. Until the day comes when multifactor authentication is mandated, username-and-password will reign supreme.



 
 
 
 
Doug Bartholomew is a career journalist who has covered information technology for more than 15 years. A former senior editor at IndustryWeek and InformationWeek, his freelance features have appeared in New York magazine and the Los Angeles Times Magazine. He has a B.S. in Journalism from Northwestern University.
 
 
 
 
 
 
