Mass-Market Authentication: the Gateway to Access-Hungry Consumers
by Tim Pickard - Director of Strategic Marketing for RSA Security - Tuesday, 8 April 2003.

Whether you're at the cash machine, online to your bank or credit card company or on the phone to your insurance or mortgage provider, until now, the need for greater security has meant added complexity and cost for user and provider alike.

In future, this problem is sure to grow. Consumer-facing organisations want the efficiencies to be gained from e-commerce technologies, and are moving inexorably towards a Web-based interface with their customers.

That could mean asking consumers to navigate increasingly complex layers of password-based authentication, which discourages them from trusting the security of online transactions -- only 10 per cent of consumers bank online for this reason. They could also be faced with remembering growing numbers of passwords, enterprises will need to divert scarce resources to helping users recall those passwords, and will continue to have to bear the costs of theft or mistakes following authentication failures.

Yet it doesn't have to be like that. Security technology can ensure that you keep what's yours while enabling you to get on with life, letting technology take care of the details. Strong authentication of users that is both easy to use and cost-effective is the answer.

Authentication in a complex world

Consumers in today's world spend a growing amount of time authenticating their identities to banks, insurance companies, utilities and phone companies, for instance. Before such organisations can process any transactions or information, they need to know that users are who they say they are. In other words, authentication of identity is critical or no trust can exist between the two parties.

Right now, that process consists of what you know -- almost invariably a user name and password combination -- and, where stronger authentication is required, what you have. This usually takes the form of a hardware or software that generates a second code or PIN, and is known as two-factor authentication.

Names and passwords have a long tradition, going back centuries. They worked well when the numbers to be dealt with were small and a person's identity could be confirmed by looking at them. In today's world, that's not practical, yet reliance continues to be placed in this method, despite its well-publicised weaknesses.

The key problem is that passwords are too easily discovered or guessed -- they are often found written down on sticky notes stuck to monitors, for instance. Even when they're not, passwords can often be derived from well-known information about the user such as their birthday, or spouse, partner or pet's name. Further, because it's hard to remember passwords that aren't standard words -- especially as the number of passwords required increases -- the average password can often be discovered by a computer attack. This can be achieved using a dictionary or, more time-consuming but ultimately effective, a brute-force lookup that checks every possible combination of characters.

In a corporate environment, end user education as a cornerstone of company security policy can often be the answer to this problem, along with forcing users to update their passwords regularly, and checking the strength of passwords using cracking programs. For consumer applications however, none of these options is realistic. Give customers what they perceive to be a hard time, and a business risks driving them into the arms of the competition.

The mobile future secured

Passwords on their own are too weak to enable full trust, but the alternative is two-factor authentication, which has proven to be both close to unbreakable and is the strongest form of authentication available. Its drawbacks in a consumer application are that it's also not realistic to expect consumers to carry an additional, special device whose sole function is authentication.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th