Authentication Strength
The enterprise needs to create a set of approved authentication strengths. This means creating a sliding scale of enterprise trust in the authentication mechanism, with the weakest mechanism given a low trust rating and the strongest authentication a high trust rating.
Remember that a biometric is NOT A SECRET. Therefore, while a biometric can be used, it should not be used alone, since it does not guarantee that the digital representation of the identity being presented is the actual identity. A biometric is built upon the trust between the biometric reader and the authentication system. If the reader or the connection is breached, then the biometric itself can become compromised.
Multi-Factor Authentication
Best practice is to use multi-factor authentication mechanisms. By using two or more different authentication types (something you know, something you have or something you are), the level of enterprise trust rises.
Assign Levels of Authentication Strength
For example, you may assign a numerical rating to the different types of authentication:
Password - 10
Digital Certificate - 15
Security Token - 25
Smart Card - 30
Biometric - a range of values depending on the type of biometric used (e.g. a fingerscan at 25 to a retina scan at 40)
Then you need to assign a numerical value to enterprise risk.
For example:
No risk - 0
Low risk - 10
Medium risk - 30
High risk - 70
You would apply these enterprise policies to the security policy
engines and enforcement points throughout the enterprise.
An Example
For example, consider the case of a user who logs on to the enterprise systems first thing in the morning:
Logon = low risk, since only generalized access to the enterprise portal is given. Therefore, the single sign on system will accept a password as a successful authentication mechanism.
The user then accesses some general PDF documents. General PDF access = low risk. Therefore no additional authentication is required.
Next the user tries to access the payroll system. Payroll system = medium risk. The single sign on system will therefore accept any combination of authentication methods equal to or exceeding 30 points. The user may use their smart card in addition to their user id and password in order to gain access to the payroll system.
Finally the user tries to access a top secret PDF document. Risk = High. Therefore, the document management and security policy system will require an authentication strength equal to or exceeding 70 points. The user may use their smart card, plus their password, plus a biometric in order to access the document.
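The scoring scheme described above, carried through as an added worked example (this code is not from the original page). The point values and risk thresholds are the page's own; the assignment of each mechanism to a factor type, the two sample biometric values, and the rule that a biometric alone is rejected are assumptions drawn from the text.

```python
"""Risk-based authentication-strength policy check (added example)."""

# Strength points per mechanism, as assigned in the text.
# The two biometric entries are constructed points on the page's 25-40 range.
STRENGTH = {
    "password": 10,
    "digital_certificate": 15,
    "security_token": 25,
    "smart_card": 30,
    "fingerscan": 25,   # low end of the biometric range
    "retina_scan": 40,  # high end of the biometric range
}

# Factor type of each mechanism (assumed classification, not from the page).
FACTOR_TYPE = {
    "password": "know",
    "digital_certificate": "have",
    "security_token": "have",
    "smart_card": "have",
    "fingerscan": "are",
    "retina_scan": "are",
}

# Required strength per enterprise risk level, as assigned in the text.
RISK_THRESHOLD = {"none": 0, "low": 10, "medium": 30, "high": 70}


def evaluate(presented, risk):
    """Return (allowed, reason) for the mechanisms presented at a given risk level.

    A biometric is not a secret, so a request offering only biometric
    factors is rejected regardless of its point total. Duplicate
    mechanisms are counted once."""
    unknown = [m for m in presented if m not in STRENGTH]
    if unknown:
        return False, f"unknown mechanism(s): {unknown}"
    if presented and all(FACTOR_TYPE[m] == "are" for m in presented):
        return False, "biometric cannot be used alone"
    score = sum(STRENGTH[m] for m in set(presented))
    required = RISK_THRESHOLD[risk]
    if score < required:
        return False, f"strength {score} below required {required}"
    return True, f"strength {score} meets required {required}"


if __name__ == "__main__":
    # The page's walkthrough: portal logon, then payroll, then a top secret document.
    print(evaluate(["password"], "low"))
    print(evaluate(["password", "smart_card"], "medium"))
    print(evaluate(["password", "smart_card", "retina_scan"], "high"))
```

Note that with the fingerscan value the page's final step (smart card + password + biometric) totals only 65 points, so at high risk the policy engine would require the stronger biometric or an additional factor.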
Keyboardless Authentication
There are other ways of strengthening authentication. A good alternative to the use of keyboard-entered passwords is keyboardless authentication.
THE USE OF THE KEYBOARD TO ENTER IN ID AND PASSWORD IS NO LONGER SECURE!
The use of hardware and software keyboard loggers makes USE OF THE KEYBOARD VERY INSECURE.
A good alternative is to use keyboardless authentication. Companies like Bharosa and RSA produce software that is very effective against phishing, over-the-shoulder attacks and keyboard loggers. Information is usually entered using arrow keys and mouse clicks. Some of the software is also resistant to on-screen mouse logging. Please review the next section on Transaction Authentication for more details.