One-time Passcodes: the user presents a different passcode everytime they login, which means that even if a user’s session is snooped, the copied passcode cannot be reused. OTP’s can be sent on request to a user’s mobile phone or PDA by SMS or e-mail. They are ideal for Anywhere Access because the user is not tied to logging in from any specific PC.
Tokens: typically tokens (eg RSA SecurID) are used, in combination with a secret PIN, as the most secure and convenient to generate One-time Passcodes. They are ideal for any form of corporate remote access - whether VPN, Web or RAS based.
Smartcards & USB smartkeys: used to securely store a user’s PKI digital certificate, these devices can be used to ‘digitally sign’ documents and most appropriate for corporate ‘Single Sign-On’ and hotdesking projects where the users will always be logging in from a corporate-controlled PC or laptop.
Biometrics: despite generating many column inches, fingerprint, iris and other forms of biometric authentication are mostly used for physical access security rather than as a digital ID for network access. Again, the user is tied to a using a computer with an appropriate scanner, so most biometrics are not suitable for ‘Anywhere Access’. The exception is voice authentication which has significant promise in this area.
No-one system fits all
The reality is that each of these forms of authentication is appropriate for different users and in different applications. There’s no one perfect system that fits all needs and budgets. Larger organisations often find that they need to implement several different authentication systems to support travelling staff, teleworkers, supply chain and consumer access.
This can end up in an Identity Managment nightmare where people find they have to carry different digital ID’s and authentication credentials to access different systems and applications.
Identity Management takes more than just technology
Whatever form of authentication that you choose to implement, you will find that secure identity management cannot be delivered by technology alone. To handle the roll out of devices, PIN’s and passwords to a widespread user base you need well integrated policies, procedures and logistics, and then you need to provide your users with 24x7 support to ensure your that their digital ID’s are secure and can be trusted at all times.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.