How to Implement a More Secure Identity Authentication Solution (Part 2)

In my last identity authentication article, I offered a number of reasons why organizations and citizens should think about changing their approach to password protection. So what are the alternatives to username + password and why haven't they been adopted en masse already? Here’s a rundown of the different identity authentication services available today and the benefits and challenges inherent in each solution.

Patrick Coomans, Sr Identity Strategist, Verizon

Hardware tokens: For many years, banks and enterprises relied on combining username and password with a one-time number generated by a hardware token, and until recently, this had proven to be one of the most secure and convenient ways of authenticating user identity. However, the high cost of the tokens and the need to physically distribute them made this technology economically unviable for widespread consumer use. When you add to the equation the fact that people lose their tokens or leave them in their pockets when they wash their clothes, and that the tokens’ batteries die, it is no wonder that we have seen a steep decline in the use of hardware tokens overall. The cost and logistics are too much of a burden for universal adoption.

Knowledge-based questions and answers (KBA): Knowledge-based authentication is often used as a way to “unlock” yourself from a situation where you have forgotten your password. However, many people don’t want to provide honest answers to personal questions like "Who was your first partner?" and often fill in fake details, which they promptly forget. For those who do answer the questions correctly, there is also bad news — data breaches at KBA providers have weakened the system severely by revealing “personal knowledge” information to cyberattackers. While a well-designed KBA-based system can be helpful in some specific situations, it is not a good alternative for strengthening everyday website authentication.

Username + a one-time password via SMS: A two-factor authentication method that is becoming more accepted by consumers is to send a one-time password via SMS (text message) to the pre-registered phone number of a mobile device. The biggest problem with this method is time lag — often the SMS arrives too late for the user, or sometimes not at all. Successful SMS delivery is reliant on many factors, including good reception, service availability (with your own and intermediate telecom providers) and usage peaks (think of New Year’s Eve). Also, when people change phone numbers, that change is often not logged in the registration portal, resulting in many cases of the user being permanently locked out of the website. Finally, but perhaps most importantly, it is very difficult for website owners to predict the cost associated with this type of authentication. For all these reasons, SMS is a good complementary solution, but is not a good standalone authentication option.

Biometrics: Biometric verification is becoming increasingly popular as an authentication method, thanks to high-end smart devices now including support for fingerprint scanning as a valid authentication method. This is a very positive trend, as it allows people to start thinking differently about identity authentication. The introduction of biometrics in smartphones is a first step in easing the path towards general acceptance of biometrics. While biometric technology has technical and privacy-related challenges, there is nothing wrong with using biometrics locally to unlock your own device. That being said, we still have a long way to go before websites will accept a palm or iris scan as a standard second factor for authentication.

Using the smartphone: More and more functionality is converging onto our smartphones — the device is now a camera, shopping list, voice recorder, alarm clock, timer, social interaction device, gaming console and so much more. A very logical next step is to make the smartphone an authentication device. One concern is the variety of operating systems that applications would have to be written for — some of which are more prone to being hacked than others. However, the real barrier to smartphone implementation is usability. Every major website will want to develop its own authentication application, which users would have to install on their smartphone to access each site. Having to wade through hundreds of different authentication apps and work out which one is needed for each website will be too cumbersome for consumers to be practical.

So those are the leading identity authentication options. Next time, I’ll give you Verizon’s view, including a next-generation authentication solution that really focuses on usability.

Visit "How to Implement a More Secure Identity Authentication Solution (Part 1)" to read the first article in this three-part security series.
