Improving Confidence in Online Security with Strong Authentication
By Souheil Badran, VP VeriSign EMEA
With more and more businesses connecting remote employees, customers and business partners to their corporate networks over the internet, the fundamental mechanism for protecting personal information online, the password, has become easy to steal or crack. Furthermore, once an outsider holds a valid password, the organisation has almost no way of telling the intruder's sessions apart from the legitimate user's.
Fraudulent online activity, particularly identity theft, is also on the rise, and one only has to look at the foiled £220m heist against Sumitomo Bank in March to realise what stolen credentials can lead to.
In this more open business environment, many organisations are finding that a username and a static password are no longer a sufficient means of authenticating users to their network. Instead they are turning to two-factor, or "strong", authentication to protect critical business, financial and customer data against unauthorised access.
By integrating strong authentication into their security systems, organisations can largely remove the value of a stolen or cracked password: on its own it no longer grants access. Strong authentication supplements the "knowledge" factor (something the user knows, the password or PIN) with a "possession" factor (something the user has, most often a security token or smart card). The principle is the same as a cash card at an ATM: card plus PIN equals possession plus knowledge.
Typical uses of strong authentication include securing mobile access to corporate data over a Virtual Private Network (VPN) or from Wi-Fi hotspots, and protecting network/Windows logon and web applications.
Strong authentication can be implemented in different ways, principally with one-time passwords (OTPs) or with digital certificates, and the credential can live either on a small hardware device, a "token", or directly on the user's desktop. The right option depends on the organisation's business needs and on how much it must rely on the credential not being copied: a seed or private key held on the desktop can be copied by malware, one locked inside a token cannot.
Authentication using one-time passwords
An OTP generator (usually a hardware token) holds a secret seed shared with an authentication server and derives a short numeric code from it, either from a counter or from the current time. The user is granted access to the network if the code entered matches the one the server computes from the same seed. Because a time-based code is only valid for a brief window, typically 30 to 60 seconds, and a counter-based code is only valid once, a code captured by an eavesdropper is of little use afterwards. Two caveats apply. The server must remember the last code it accepted so that an intercepted code cannot be replayed inside its own window, and an OTP can still be phished if the attacker relays it to the real server in real time: it protects against reuse of stolen credentials, not against a live man-in-the-middle.
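As an added example, not from the article or from any VeriSign product, the following Go program implements both sides of the OTP scheme described above using the counter-based algorithm of RFC 4226 and its time-based variant from RFC 6238: the token that generates the code and the server that checks it, including a one-step clock-skew window and the replay check. The seed is the RFC test seed, used here as constructed sample data; the Server type and its method names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// Seed shared between token and server. This is the RFC 4226/6238 test
// seed, used here as constructed sample data; real seeds are random and
// provisioned into the token at enrolment.
var seed = []byte("12345678901234567890")

// step is the length of one time window in seconds.
const step = 30

// hotp computes an RFC 4226 one-time password for a single counter value:
// HMAC-SHA1 over the big-endian counter, dynamic truncation, then the low
// `digits` decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is the time-based variant (RFC 6238): the counter is the number of
// whole steps since the Unix epoch, so token and server agree as long as
// their clocks are roughly in sync.
func totp(secret []byte, unix int64, digits int) string {
	return hotp(secret, uint64(unix/step), digits)
}

// Server is the verifying side. It keeps the highest counter it has already
// accepted so that a code captured in transit cannot be replayed, even
// inside its own time window.
type Server struct {
	seed     []byte
	lastUsed uint64
}

// Verify accepts the code for the current window or one step either side
// (clock skew), rejects any window at or below the last accepted one, and
// compares in constant time.
func (s *Server) Verify(code string, now int64) bool {
	for _, delta := range []int64{0, -1, 1} {
		c := uint64(now/step + delta)
		if c <= s.lastUsed {
			continue
		}
		if hmac.Equal([]byte(hotp(s.seed, c, 6)), []byte(code)) {
			s.lastUsed = c
			return true
		}
	}
	return false
}

func main() {
	now := time.Now().Unix()
	token := totp(seed, now, 6)
	srv := &Server{seed: seed}
	fmt.Println("token shows:       ", token)
	fmt.Println("first use accepted:", srv.Verify(token, now))
	fmt.Println("replay accepted:   ", srv.Verify(token, now))
}
```

The replay check is the part most often left out of home-grown verifiers: without lastUsed, anyone who reads the code off the wire has up to 30 seconds to use it themselves. Note that the check does nothing against an attacker who relays the code to the server immediately, which is why the certificate-based approach below is considered stronger.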
Authentication with digital certificates
Personal X.509 digital certificates offer stronger protection than OTPs and function like a digital ID card: a certification authority (CA) signs a statement binding the user's identity to a public key, and the certificate can also be used to sign data sent over the web so that its integrity can be verified. The matching private key is known only to the owner; it is generated on, or loaded into, a USB token or conventional smart card and never leaves it, and the CA does not hold a copy. When the user logs on to the corporate network, the server checks that the presented certificate chains to a CA it trusts and has not expired or been revoked, then issues a random challenge that the token signs with the private key. Only the holder of the key can produce a valid signature, and the signature is bound to that one challenge, so capturing it is useless to an attacker. Digital certificates are especially valuable to security-conscious businesses such as banks and financial service providers.
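The logon flow described above, as an added Go example that is not part of the article: a CA issues a certificate to a user, the server verifies the chain and then authenticates the user with a signed challenge. The names (Example Corp Root CA, alice), the Chain type and the function names are constructed for the example; the cryptography is Go's standard library (ECDSA P-256, X.509).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is one organisation's trust anchor plus one enrolled user (names constructed).
type Chain struct {
	Roots    *x509.CertPool    // what the server trusts
	UserCert *x509.Certificate // what the client presents at logon
	UserKey  *ecdsa.PrivateKey // stays on the token; the CA never sees it
}

// issue signs a certificate for pub: a self-signed root CA when parent is nil, else a client-auth leaf.
func issue(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)) // nil on failure; CreateCertificate then errors
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = tmpl
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// mintChain plays the CA: create a root, generate the user's key pair and enrol it.
func mintChain(caName, user string) (*Chain, error) {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("key generation failed")
	}
	caCert, err := issue(caName, &caKey.PublicKey, nil, caKey)
	if err != nil {
		return nil, err
	}
	userCert, err := issue(user, &userKey.PublicKey, caCert, caKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &Chain{Roots: roots, UserCert: userCert, UserKey: userKey}, nil
}

// signChallenge is the token's side: sign the server's nonce with the private key.
func signChallenge(nonce []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// authenticate is the server's side: the certificate must chain to a trusted CA and be
// valid for client authentication, and the signature over this session's nonce must verify.
func authenticate(roots *x509.CertPool, cert *x509.Certificate, nonce, sig []byte) (string, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("unsupported key type %T", cert.PublicKey)
	}
	h := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", fmt.Errorf("challenge signature invalid")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	corp, err := mintChain("Example Corp Root CA", "alice")
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, 32)
	rand.Read(nonce) // fresh per logon, so a captured signature is useless afterwards
	sig, _ := signChallenge(nonce, corp.UserKey)
	fmt.Println(authenticate(corp.Roots, corp.UserCert, nonce, sig))
}
```

Two checks in authenticate carry the security argument: the chain check means a certificate saying "alice" from any CA other than the organisation's own is rejected, and the fresh nonce means a recorded signature cannot be replayed. Revocation checking (CRL or OCSP) is deliberately left out here; a production verifier must add it.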
PKI
The next level of strong authentication involves implementing a Public Key Infrastructure (PKI), which provides the foundation for securing all transactions over the internet. A PKI issues, renews and revokes digital certificates for users, (web) servers and time-stamping services, and it also underpins services such as digital signatures and data encryption.
Multipurpose tokens for all cases
The "all-in-one" USB token plugs into the computer's USB port and offers organisations more flexibility in strong authentication. Such tokens support both OTP and PKI authentication and can also store information on an embedded smart-card chip. Where a user has no USB port or card reader to hand, the OTP can be used for authentication instead, at the cost of the phishing resistance that the certificate-based logon provides.
Conclusion: Intelligent Strong Authentication
With so many options, businesses looking to strong authentication to conduct commerce, communication and information-sharing online in a secure environment should work with a trusted third-party provider to determine which solution will be most cost-effective and best suited to their business needs.