In an apprehensive society, we'll be more identified and authenticated than ever before. We'll be carded, asked for our personal identification number and inspected using a bevy of new technologies. But whether these efforts prove effective in creating real security depends on how companies implement their identity management basics.
Strong authentication means adding authentication factors of a different kind, not just more of the same. To the trusty password or PIN (something you know), add a smart card or token generator (something you have) or a biometric device (something you are). Consider an expanding array of newer options. Multiple vendors now can use cell phones as authentication tokens, sending a text message with a one-time number to the phone. Other products generate unique signatures from your PC or other hardware. One biometric system requires users to call a toll-free number, which verifies their voice and issues a logon PIN. SchlumbergerSema sells a combined smart card/fingerprint reader. RSA Security Inc.'s Smart Badging offers a smart card that also functions as a building badge and SecurID token generator and stores personal passwords for multiple Web sites.
But there are conflicts between security and convenience that make strong authentication challenging. Smart cards still require the right PC driver to be installed. Users dislike carrying around a plethora of cards and other authentication devices. How do you authenticate employees who've forgotten to bring their cards to work? Cell phones are equally forgettable and must have wireless network coverage to operate.
Biometrics promise the ultimate convenience: nothing to carry and nothing to remember. But what if you're disabled, have laryngitis and can't produce the desired voice print, or are too paranoid to trust Big Brother with your most personal data? And unlike a password, a fingerprint or voice print that has been captured by an attacker cannot be reissued. Biometrics raise as many issues as they settle.
Some say the smart card as national ID card holds the answer. Throw out the fat wallet - you just need one card. In time, our state-issued driver's license could be made into smart cards. But who is to say fake cards won't be readily available on the black market?
Which brings us back to authentication, which must get smarter. Systems that authenticate users must be sensitive to context: if Joe forgets his card, he still should be able to log on with his password, but a password alone shouldn't get him into sensitive applications. The decision should rest on what the user actually presented (and from where), not on a single yes-or-no at the front door. Single sign-on might be a nice dream; graded, context-sensitive authentication should be the reality.
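As an added example (not code from the article, Burton Group or any vendor named here), the following Python sketches one way to implement the graded, context-sensitive policy just described: grade a session from the factor types that were actually verified plus the login context, then gate each application on the grade it requires and tell the client what would raise the grade. The factor names, assurance levels, application names and the rule that a managed device on the corporate network earns the top grade are all assumptions chosen for illustration.

```python
"""Graded, context-sensitive authentication: an illustrative policy engine.

Added example, not the article's or any product's code. Factor names,
application names and the grading rules below are assumptions.
"""
from enum import IntEnum


class Assurance(IntEnum):
    """Session grade, ordered so that comparisons express 'at least'."""
    NONE = 0
    LOW = 1      # one factor type only (e.g. password alone)
    MEDIUM = 2   # two distinct factor types
    HIGH = 3     # two distinct factor types from a managed device on the corporate network


# Which factor type each verified credential counts as (assumed names).
# Two credentials of the same type (card + SMS code) are still one type.
FACTOR_TYPE = {
    "password": "knowledge",
    "otp_sms": "possession",
    "smart_card": "possession",
    "fingerprint": "inherence",
}

# Minimum grade each application demands (assumed for illustration).
APP_POLICY = {
    "intranet": Assurance.LOW,
    "email": Assurance.MEDIUM,
    "payroll": Assurance.HIGH,
}


def assurance_level(factors, context):
    """Grade a session.

    factors: names of credentials the authentication service actually verified.
             Unknown names are ignored rather than trusted.
    context: dict with 'managed_device' (bool) and 'network' ('corp' or other).
    """
    types = {FACTOR_TYPE[f] for f in factors if f in FACTOR_TYPE}
    if not types:
        return Assurance.NONE
    if len(types) == 1:
        return Assurance.LOW
    if context.get("managed_device") and context.get("network") == "corp":
        return Assurance.HIGH
    return Assurance.MEDIUM


def decide(app, factors, context):
    """Allow, deny (unknown application), or ask for step-up.

    On step-up the result lists the factor types not yet presented, so the
    client can prompt for one of them instead of failing outright.
    """
    required = APP_POLICY.get(app)
    if required is None:
        return {"decision": "deny", "reason": "unknown application"}
    level = assurance_level(factors, context)
    if level >= required:
        return {"decision": "allow", "level": level}
    presented = {FACTOR_TYPE[f] for f in factors if f in FACTOR_TYPE}
    missing = sorted(set(FACTOR_TYPE.values()) - presented)
    return {"decision": "step_up", "level": level, "required": required, "accepts": missing}


if __name__ == "__main__":
    # Joe forgot his card and logs on from home with only his password.
    home = {"managed_device": False, "network": "internet"}
    for app in ("intranet", "email", "payroll"):
        print(app, decide(app, ["password"], home))
```

Running the script shows Joe getting into the intranet on his password alone while e-mail and payroll return `step_up` with `accepts` listing possession and inherence, so a one-time SMS code would lift him to MEDIUM for e-mail; payroll still needs the managed device on the corporate network.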
The basic identity management processes must get better. Make sure your systems for vetting the user's identity before issuing credentials are bulletproof. Invest in user training and password provisioning to ensure better password quality. When planning smart cards or other strong authentication approaches, tie them to your directory and Web access-management infrastructure.
Authentication technologies are getting stronger, but so are hackers. You can't afford to sit this game out. Look to the basics and innovative technologies to make authentication stronger, smarter and better.
David Blum is senior vice president and research director with Burton Group, a research, consulting and advisory service.