Online User Authentication – One Size Does Not Fit All By Mark Kelly October 30, 2003
Summary: Mark Kelly reviews some of the primary authentication options available to financial institutions bringing business processes online, and discusses their merits and limitations in the context of a fully functional e-business environment.
Full Text (Page 1 of 3)
Before making a purchase decision with regard to e-security, managers must first evaluate their own specific business environment, associated risks/liabilities, and broader e-business plans going forward. Only then can a ‘best fit’ technology be chosen to meet the particular situation.
Assessing your e-security requirement
e-Security is a broad computing category with a diverse range of technologies providing different levels of assurance and protection. In common with standard ‘real world’ security, the level of protection employed should be commensurate with the environment, parties, and overall risk involved.
Unfortunately, many companies still see e-security as a ‘tick box’ item and deploy a cookie-cut security model across a range of different business systems and processes. Should an online book club have the same underlying security model as a web-based banking operation? Should all users be treated equally irrespective of the process or risk involved? Hardly.
Before evaluating any authentication technology, managers must objectively assess their underlying security requirement. Some relevant questions include:
* Is valuable/sensitive information involved?
* What’s the real liability? What risk are you looking to mitigate against?
* What could happen if the system/process was compromised?
* Are purely internal parties (employees) involved?
* In time, will large numbers of users/applications be involved?
* Do you need to cater for different external user groups?
* Do you need to treat these groups differently (in terms of entitlements etc.)?
* How is the process managed today?
* What is the general e-business plan – today and going forward?
* Is/will non-repudiation be a requirement?
* Current/future need for digital signatures?
The password ‘risk ceiling’
To calculate the overall return on investment of an authentication technology, one must factor in the processes which can now be brought online (not just the direct cost of the technology itself). Passwords are the default authentication control for computing, and are the cheapest to deploy. If technology cost is the overriding issue, passwords will win out every time. However, will an IT manager really expose core business processes to the Web using just passwords?
Passwords are popular because they are cheap and can be scaled to cover large numbers of users in an open IT environment. Unfortunately, this security model is notoriously weak and susceptible to a range of well-known attacks - such as dictionary attacks, brute force hacking of central password repositories and social engineering. In addition, the password-based security model becomes unwieldy, unmanageable and extremely limited (in terms of what you can facilitate) when a large number of user groups are involved. Given this reality, passwords are unlikely to be employed beyond ‘base level’ e-business processes and communications. It is also worth noting that while passwords require minimal upfront technology investment, they are notoriously expensive to administer. A report published by Aberdeen Group in May 2003 found that labor costs for configuring and maintaining password systems average between $100 and $300 per user – annually!