The shift in security attacks from technology vulnerabilities to human weaknesses is putting the spotlight on user authentication. Where a single memorised password was once enough to get into a bank account, work PC or network, organisations are realising that passwords alone are no longer adequate to fight cyber crime.
Attacks undermining the reliability of passwords include brute-force password guessing, more sophisticated cracking tools, spyware, keystroke logging and phishing. The rise of remote workforces also poses a dilemma: how to ensure that information sent over the airwaves is received by an authorised user.
In a bid to improve individual security, an array of authentication technologies has come to the fore. Solutions available today extend from traditional physical tokens, public key infrastructure (PKI) certificates and smartcard products, through to biometrics tools that scan anything from a user's eyes to their fingertips.
These are being taken up in various fields - as a login tool for notebooks (fingerprint scanners); in national passports (facial recognition); to identify government agency staff (smartcards); or to validate customers (bank tokens and digital certificates).
Authentication technology falls into two camps: single sign-on and two-factor or multi-factor authentication. The latter, also called strong authentication, combines something the user has (such as a physical token) with something the user is (biometrics) or something the user knows (a password).
RSA Security country manager Mark Pullen said there had been a significant shift over the last 18 months towards variable two-factor authentication. While a token, digital certificate or smartcard was traditionally the extent of the choice, people had realised that one size does not fit all.
"There's been a change in the market - customers are looking for variance, and don't just need a token," he said. "You need a range of options and to balance the cost of security with the convenience of use for the end user."
One of the major reasons for this is the rise in remote user access. As an example, Pullen said RSA had noticed several larger enterprises now employing its SecurID tokens on mobile devices as a way of securing mobile users. Another driver for strong authentication is the Australian security policy standard AS17799.
This security best-practice guideline requires a company to maintain two-factor authentication for users connecting via a VPN. The AS17799 standard is used by several institutions, including the NSW government.
Pullen said many enterprises had taken the standard on-board as a way of measuring their own security policies.
In cases where all employees needed these authentication checks, it was often too expensive to give them a token, he said. RSA has introduced a digital certificate within the VPN application toolbar in an effort to make this process more cost-effective.
Users were also increasingly looking for multi-factor authentication within a single device, such as a USB key, Pullen said. This would allow them to carry more credentials, such as digital certificates for specific transaction types, as well as one-time passwords.
"We have the SD800 which is a USB, token and smartcard together. They can still use a token but get the best of both worlds. There's been a significant increase this year in take-up as it can give you three factors potentially," he said.