
February 20, 2015

The Way Forward: Stronger Authentication

Posted by Dr. Ashutosh Saxena at 8:23 AM

Strong authentication is the first pillar of trusted networks


Weren't computers supposed to save us time and add convenience to our lives? Technology was supposed to liberate us. Instead, it appears as though we're becoming beholden to the devices around us because of the pesky password.

Recent findings about passwords and online security certainly indicate that we're trapped in our own devices. Consider these sobering statistics from researchers at Microsoft: the average computer user has 25 accounts, uses 6.5 passwords, and logs in eight times a day. Add to this the fact that there are now so many new types of gadgets, and from the perspective of storing and remembering passwords, the picture is not a rosy one.

A respected technology consultancy, Burnett, conducted an analysis in 2011 of some 8 million accounts and found that 10,000 common passwords covered them: a cyber criminal trying just those passwords would have access to 99.8 percent of the accounts, which implies that only 0.2 percent of the users chose strong passwords. In another case, looking at passwords for banking accounts only, researchers found that 73 percent of users shared their online banking password with at least one non-financial site. So when the non-banking site is hacked, the banking account is threatened, too.

The Burnett study tells us that account hijacking is not new. Attack methods such as phishing, fraud, and exploitation of software vulnerabilities have been around for a while, and they continue to prosper. What absolutely scares me is the fact that a teenage hacker in some eastern European country, armed with a run-of-the-mill desktop computer, can in theory bring down powerful multinational companies. It's been done before and, unfortunately, it can happen again.

The culprits? We have ourselves largely to blame for this mess. The plethora of personal digital devices has made us slightly lazy when it comes to doing our part: that is, keeping a tally of many strong passwords. Credentials and passwords are often re-used across sites, which amplifies the impact of a single breach. Another study, by Trusteer, revealed that more than 45 percent of online transactions fail 'very frequently' or 'frequently' because of authentication problems.

Strong authentication is the first pillar of trusted networks. Identities must be trusted by independent partners. It is the foundation for a more secure network, where all users and all devices are strongly and mutually authenticated in an open, interoperable, and federated environment.

The Initiative for Open Authentication (OATH) is an industry-wide collaboration to develop an open reference architecture, by leveraging existing open standards, for the universal adoption of strong authentication. Besides the OATH Reference Architecture, the industry is busy publishing standards for robust protocols and algorithms in the fight against ID theft and cyber-crime. Federation is one example: once a user has authenticated to a first relying party (typically called the Identity Provider, IdP), that authentication can be federated to other relying parties. Popular federation protocols include SAML, OpenID, and OpenID Connect; some are concerned with authenticating the so-called first mile (the user to the IdP), while others concern themselves with the second mile and beyond (the IdP vouching to other relying parties).
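The best-known OATH algorithms are HOTP (RFC 4226, counter-based) and TOTP (RFC 6238, time-based), the one-time codes behind most authenticator apps and hardware tokens. The following is an added example, not code from this post or from the OATH reference architecture: it implements both algorithms from the RFC definitions and then a server-side verifier that tolerates clock drift, compares in constant time, and refuses to accept a code from a time step that has already been used (replay protection). The only key material is the ASCII test key published in RFC 4226 Appendix D, used here so the output can be checked against the RFC's own test vectors; the class and function names are this example's own.

```python
import hmac
import hashlib
import struct

# Constructed example secret: the ASCII test key from RFC 4226 Appendix D.
# A real deployment provisions a random per-user key, never a shared constant.
RFC4226_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) per RFC 4226: HMAC-SHA1 over the counter, dynamic truncation,
    then reduce modulo 10^digits and zero-pad."""
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(key, unix_time // step, digits)


class TotpVerifier:
    """Relying-party side of TOTP for one user.

    Accepts the code for the current step or up to `window` adjacent steps
    (clock drift), compares in constant time, and remembers the highest step
    already accepted so the same code cannot be replayed within its validity.
    """

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key = key
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1   # persist this per user in a real system

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            step_index = current + drift
            if step_index < 0:
                continue                                # no counter before the epoch
            if step_index <= self.last_accepted_step:
                continue                                # replay: step already consumed
            expected = hotp(self.key, step_index, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = step_index
                return True
        return False


if __name__ == "__main__":
    # Cross-check against the RFC test vectors, then walk through a login.
    print("HOTP counter 0:", hotp(RFC4226_TEST_KEY, 0))          # RFC 4226: 755224
    print("TOTP at t=59  :", totp(RFC4226_TEST_KEY, 59, digits=8))  # RFC 6238: 94287082
    v = TotpVerifier(RFC4226_TEST_KEY)
    code = totp(RFC4226_TEST_KEY, 59)
    print("first use     :", v.verify(code, 59))       # True
    print("replayed      :", v.verify(code, 60))       # False, same step already used
```

The drift window and the `last_accepted_step` bookkeeping are the two things most home-grown TOTP checkers get wrong: without the first, a token whose clock is a few seconds off fails constantly; without the second, a code intercepted by phishing remains valid for its whole 30-second step even after the legitimate user has already logged in with it.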

In order to drive adoption of strong authentication across the entire user community -- from corporate employees to Internet users accessing healthcare records to government services -- the industry must collaborate to lower the complexity and the financial barriers of strong authentication. The answer, I think, is that open technical standards and deployment profiles that promote interoperable components can go a long way towards becoming powerful tools for lowering complexity and cost. The development of an open and royalty-free specification for strong authentication should be the focus, without compromising security. It's a tough job, but the entire world needs better standards to take us into the next, safe Internet Age (which, I hope, will be more liberating than the one that currently exists).
