Are we heading for Identity Management Federation? (Part 1)

by Ricky M. Magalhaes [Published on 23 Oct. 2013 / Last Updated on 23 Oct. 2013]

There are now more authentication methods than ever before, and hardware has progressed to the point where it can support complex authentication processes. Are we on the verge of a federated era in the cloud? This article explores the authentication options available today and what may happen in this space over the next five years.

If you would like to be notified of when Ricky Magalhaes releases the next part in this article series please sign up to our WindowSecurity.com Real-Time Article Update newsletter.

Introduction

The way we authenticate online has stayed essentially unchanged for years. Every time a user registers for access to a website, they create a user name and password and present them to prove their identity when logging in. The process is easy to use but problematic and insecure. The forces dominating our lives today, mobile devices (smartphones and tablets), social media, and our permanent connection to the World Wide Web, continue to drive changes in authentication and access management as we pursue an approach that is more secure yet still convenient. The global move to cloud computing also contributes to the rapid evolution of authentication methods: cloud-based applications and services need more effective authentication to cloud resources, which in turn increases the demand for identity federation technologies. It is predicted that by 2017 over half of businesses will choose cloud-based services as the delivery option for user authentication, an increase of more than 40% on today's figures.

Authentication methods familiar to us

  1. Password–based authentication

Password-based authentication is limited and not as strong as it should be. For passwords to remain effective they need to remain secret, yet not only is it simple these days for an attacker to get hold of password databases, users also voluntarily hand their passwords over to friends, family and colleagues. The tendency to reuse the same password across many sites makes passwords even more problematic: one breach exposes every account that shares the password. We have all done this, and recent studies show that the tendency to use the same password for the majority of the accounts we hold is very high.

Leaders in security have long steered away from passwords as a form of effective authentication, but finding an acceptable alternative has proven difficult. The alternative would need to be affordable, ubiquitous and uncomplicated. Passwords can no longer sufficiently safeguard today's number of users connected through the cloud and by other means. Additionally, what we now protect with a password has grown significantly in value over the past seven years and will continue to grow.

Brief examples of the valuable things we protect with passwords are bank accounts, corporate access, personal and company tax information, trade secrets and personal information, and many other assets whose breach could have a significant impact on the individual or the organisation.

  2. Strong or two-factor authentication

The problem is mitigated by adding other elements that are factored into the authentication process.

The easiest way to remember it is this: two-factor authentication, or 2FA, is the use of any two of the following in combination.

  • Something you know (PIN, password, passphrase)
  • Something you have (a token, an OTP generator, a phone, a certificate on a device)
  • Something you are (your voice, your fingerprint, any characteristic unique to you)
  • A new factor that is emerging: something you do.

  3. Hardware token authentication methods

The thought of carrying a hardware gadget everywhere in order to authenticate, and the inconvenience of typing in an additional code every time, is a challenge for some. The method rests on the assumption that the token cannot be stolen and that the algorithmic information behind it (the secret seed and the way codes are derived from it) cannot be compromised. History tells us that compromise of that algorithmic information is unlikely but possible, and 2FA vendors are now putting stronger measures in place to avoid future compromises. I have been involved in this industry for about 15 years and my advice is that 2FA is better and stronger than a password alone; to many determined attackers, passwords are just time delays.

This form of authentication works well in a business environment and has become pervasive there. It is more challenging and inconvenient for personal and online use, especially as more services adopt it, because the device must be kept with the individual at all times: imagine having 20 online accounts and having to carry a separate token for ten of them.

  4. Challenge and response authentication systems

The user establishes questions and answers in advance and is later asked one of them. The method rests on the idea that only the user would know the correct answer, but in the world of social media we throw ourselves into today, many of these answers are easily found. Note also that a security question is another piece of something you know; paired with a password it adds a second step, not a second factor.

  5. Multifactor authentication

Authentication that combines several authentication methods. Two or more of the factors listed above are used in combination, usually with a password as the first. Additional methods may include:

  • Challenge and response questions
  • Biometric readers (fingerprints, retinal image and voice recognition)
  • Hardware tokens
  • Context based authentication mechanisms…

What we require from authentication

Users are looking for an authentication method that is secure and private, flexible, convenient and easy to use.

Many online businesses choose to stay away from the more expensive multifactor methods because the cost and inconvenience are not justified: for many of them, the accounts being protected are not worth what it would cost to authenticate in this manner.

Mobile devices are helping multifactor authentication gain ground because almost everyone already carries a phone. Installing a software token on the phone removes the need to carry a separate hardware token; the phone doubles as the token, and it goes everywhere with the user anyway. The problem remains that this form of authentication is only as secure as the mobile device: when the device is compromised, so is the token and the secret it holds.

Because of the global spread of mobile devices, authentication by dedicated hardware is no longer the only option. Out-of-band authentication and software implementations are taking the place of traditional hardware devices. Using the mobile phone as the token is marked progress: users are better off and cost is reduced.

Another approach is to use asymmetric cryptography on the mobile device. Authentication is done with a digital signature produced by a private key held on the phone, which the server checks against the public key registered at enrollment. Used out of band, this alleviates the problem of in-band software tokens, because the key material lives on a device separate from the one being used to log in. That separation is lost when the phone that holds the key is also the device being used to log in, so the approach is strongest when the login device and the signing device are different.
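The out-of-band variant described above, as an added example that is not the article's own code: the phone holds an Ed25519 private key generated at enrollment, the server stores only the public key, and every login is a fresh random challenge that the phone signs. Go, standard library only. The message layout (origin, session ID and nonce, length-prefixed and hashed), the single-use nonce, and the origin https://login.example.test are assumptions made for this example, not a standard the article cites.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// challengeDigest is the message the phone signs. The layout is an assumption for
// this example, not a standard: binding the origin and session ID to the nonce means
// a signature obtained for one site or one browser session is useless for another.
func challengeDigest(origin, sessionID string, nonce []byte) []byte {
	h := sha256.New()
	for _, part := range [][]byte{[]byte(origin), []byte(sessionID), nonce} {
		var n [4]byte // length-prefix each field so field boundaries are unambiguous
		binary.BigEndian.PutUint32(n[:], uint32(len(part)))
		h.Write(n[:])
		h.Write(part)
	}
	return h.Sum(nil)
}

// authServer is the relying party. It stores public keys only; private keys never leave the phone.
type authServer struct {
	origin   string
	enrolled map[string]ed25519.PublicKey // user -> key enrolled from their phone
	pending  map[string][]byte            // session ID -> outstanding nonce
}

func newAuthServer(origin string) *authServer {
	return &authServer{origin: origin, enrolled: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (s *authServer) Enroll(user string, pub ed25519.PublicKey) { s.enrolled[user] = pub }

// Challenge is requested in band by the login device. The nonce is random and single-use.
func (s *authServer) Challenge(sessionID string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[sessionID] = nonce
	return nonce, nil
}

// Verify consumes the nonce before checking the signature, so a captured
// signature cannot be submitted a second time, whatever the outcome.
func (s *authServer) Verify(user, sessionID string, sig []byte) error {
	nonce, ok := s.pending[sessionID]
	if !ok {
		return errors.New("no outstanding challenge for this session")
	}
	delete(s.pending, sessionID)
	pub, ok := s.enrolled[user]
	if !ok {
		return errors.New("no enrolled device for user")
	}
	if !ed25519.Verify(pub, challengeDigest(s.origin, sessionID, nonce), sig) {
		return errors.New("signature does not verify against the enrolled key")
	}
	return nil
}

// phone is the out-of-band device. It holds the private key and signs the challenge
// for the origin and session it shows the user when asking for approval.
type phone struct{ priv ed25519.PrivateKey }

func (p *phone) Approve(origin, sessionID string, nonce []byte) []byte {
	return ed25519.Sign(p.priv, challengeDigest(origin, sessionID, nonce))
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // enrollment: key pair generated on the phone
	if err != nil {
		panic(err)
	}
	srv := newAuthServer("https://login.example.test") // assumed origin for the example
	srv.Enroll("alice", pub)
	dev := &phone{priv: priv}

	nonce, _ := srv.Challenge("browser-session-1")
	sig := dev.Approve("https://login.example.test", "browser-session-1", nonce)
	fmt.Println("genuine approval:", srv.Verify("alice", "browser-session-1", sig))
	fmt.Println("replayed approval:", srv.Verify("alice", "browser-session-1", sig))

	nonce2, _ := srv.Challenge("browser-session-2")
	relayed := dev.Approve("https://evil.example.test", "browser-session-2", nonce2)
	fmt.Println("approval signed for another origin:", srv.Verify("alice", "browser-session-2", relayed))
}
```

Two properties carry the security argument. The server never holds anything that lets it impersonate the user, so a breach of its database does not yield the equivalent of a stolen token seed. And the signature covers the origin and session the user approved, so a signature produced for one context is rejected in another, while the nonce is consumed on first use so the same approval cannot be submitted twice. The weakness identified in the paragraph above remains: if the phone is both the login device and the signer, malware on it controls both halves of the exchange.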

Mobile devices could also be used for biometric authentication through the integration of biometric apps and functionalities.

Cloud technologies enable authentication itself to be delivered from the cloud as a service. This model strengthens authentication and adds flexibility, because the application relying on it no longer has to build and run the verification infrastructure itself.

Looking to the future of authentication, the following need to be addressed:

  • Use of contextual authentication methods (where, when and from what device a user authenticates)
  • Transparent recognition and behavioural approaches
  • Combining diverse authentication methods with contextual authentication, so as to gain the positive attributes of both
  • Authentication delivered with the agility and speed of cloud services

Conclusion

It is evident that passwords alone have reached the end of their useful life and are now trivial to compromise. Stronger authentication is growing, and as it does, users are having to carry more and more token types with them, so the convergence of these tokens into one authentication solution is becoming more important as convenience intersects with security. In the next article we will explore what is emerging in this area and how federation promises to make things simpler and more convenient whilst maintaining a high and acceptable level of security.


The Author — Ricky M. Magalhaes


Ricky M. Magalhaes is an international information security architect working with a myriad of high-profile organizations. Ricky has over 16 years of experience in the security arena, covering all ten domains, including best practice and compliance. Ricky is a strategist on security and on innovative ways to achieve compliance and mitigate risk for many blue-chip entities, and sits on the advisory boards of many organisations worldwide.
