The future of identity and access management
02 January, 2013
category: Corporate, Digital ID, Government
The discipline of Identity and Access Management has continuously evolved to accommodate changes in mainstream information system architecture. Most recently, Web 2.0 and social media brought in the OpenID and OAuth protocols to enable mash-ups built on personal information. The latest trend toward mobile and cloud computing will likewise bring about new approaches to IAM design.
Each new information system architecture development introduces its own set of security vulnerabilities against which attackers quickly develop tactics and tools. Identity and Access Management solutions must anticipate those tactics and exhibit the resilience necessary to thwart them.
The password has been a mainstay of Identity and Access Management solutions from the very beginning. But its effectiveness has been eroded over time by data breaches resulting from SQL injection, spear phishing, key-logging, password reuse and similar practices. Those who set the security standards for government and financial information systems have recognized the inadequacy of passwords as a means for authenticating end-users and have demanded that system designers augment their password-based authentication solutions.
But until the smart phone became nearly ubiquitous in the developed world, available alternatives had a detrimental impact on user experience and system deployment that disqualified them for all but the most sensitive applications. Therefore, designers were forced to augment passwords with “detective-style” safeguards such as Anti-Virus, Intrusion Detection and Prevention, Security Incident and Event Management and behavioral transaction monitoring. Requiring users to carry and authenticate by means of a strong authentication token was generally unpalatable for reasons of cost and poor user acceptance.
Detective-style safeguards can be deployed with no impact on the user and comparatively little impact on deployed systems. However, they are reactive and probabilistic: some estimates place the effectiveness of anti-virus solutions at around 25%, because viruses evolve rapidly and unpatched vulnerabilities are commonplace.
By contrast, a strong authentication solution can be proactive and deterministic, ensuring that a user and her transactions are reliably authenticated even in the face of weaknesses in the design and implementation of the information system. Historically, though, strong authentication solutions have placed a burden on the user and on system developers that each found difficult to accept.
Meanwhile, the cost associated with passwords for both users and system operators has grown. Users are encouraged to choose random passwords, unique to each site, change them periodically and commit them to memory. This formula is clearly unrealistic, and system operators have to pick up the significant cost of repeatedly resetting user passwords in a secure way.
One-Time Password tokens became accepted as a way of addressing some of the shortcomings of passwords, certainly in enterprise VPN applications and in some high-value financial settings. Nevertheless, OTPs remain susceptible to Man-In-The-Middle and session-riding attacks. So they too are starting to reach the limits of their ability to protect against identity theft.
On the other hand, the smart phone provides a secure container for cryptographic credentials with a trusted interface for user input and output. These features can provide the support necessary for strong authentication of both users and transactions.
The economics of authentication are getting shaken up. As the smart phone becomes as ubiquitous in the developed world as the wallet or purse, the opportunity emerges for users to authenticate and authorize strongly in financial services and other sensitive applications requiring the exchange of personal information, with no incremental per-user cost and in a way that is convenient and even fun to use.
Moore’s Law still has many more surprises up its sleeve for us. The next ten years will bring a further 50-fold increase in computing density. While it would be foolhardy to predict precisely how we will take advantage of the improvements in power consumption and functional integration that this will enable, what is clear is that user authentication is approaching a crisis, and mobile technology offers our best hope of overcoming the Identity and Access Management challenges of the present day.
About the AVISIAN Publishing Expert Panel
At the close of each year, AVISIAN Publishing’s editorial team selects a group of key leaders from various sectors of the ID technology market to serve as Expert Panelists. Each individual is asked to share their unique insight into what lies ahead. During the month of January, these panelists’ predictions are published daily at the appropriate title within the AVISIAN suite of ID technology publications: SecureIDNews, ContactlessNews, CR80News, NFCNews, DigitalIDNews, ThirdFactor, RFIDNews, EnterpriseIDNews, FinancialIDNews, GovernmentIDNews, HealthIDNews, FIPS201.com, IDNoticias es.