Industry View

Password Seeks Partner For Long-Term, Secure Relationship

Forrester looks beyond the password to key trends in strong authentication

By Bill Nagel, Forrester Research

May 04, 2009 — CSO —

Passwords have been standing guard over our computer user accounts seemingly forever; for a long while, and for most purposes, they could go it alone.

But it's no secret that passwords are no longer sufficient as the sole means of granting access to critical networks, applications, and data, particularly as the number of applications requiring passwords at any given firm has skyrocketed. Either passwords are too weak, not changed regularly enough, or users write them down in a publicly accessible (read: not very secure) place, or they're long enough, complex enough, and changed regularly, and thus impossible to remember.

Organizations have been enacting more stringent measures to protect corporate and customer data from external and internal threats, comply with regulations, and manage information risks. One result is that enterprise security strategies have focused more sharply on managing user identities, access rights, and entitlements, driving a broader movement toward identity and access management (IAM). One of the first things firms recognize is that single-factor authentication (passwords alone) is a weak link in the security chain.

Firms looking to improve their IAM posture and clear the way to implement processes and technologies, like account and credential provisioning and life-cycle management, authorization and entitlement management, single sign-on (SSO), privileged user management, and federation, look to strong authentication as a starting point.

If IAM is analogous to allowing only those people you trust to enter your house, then strong authentication is the first step in the process: putting a lock on your door.

Deciding on a strong authentication solution is basically determining what combination of locks and keys will work best in a particular environment. But this is far from a trivial exercise: Dozens of distinct types of second-factor credentials, such as tokens, smart cards, and biometrics, dot today's marketplace; most of them provide a similar level of security.

But the main question driving the strong authentication marketplace today is not security, it's usability. Users don't like complexity, and they don't like to do something extra that affects their productivity. Companies mandating strong authentication found that employees would circumvent this burden whenever and however possible (like sharing credentials). This poses a problem for vendors and buyers alike: What will end users actually use?

With that in mind, here are three of the trends in the strong authentication market.

A broader range of authentication options. Different users have different needs, depending on whether theyre inside or outside the company network and/or its physical premises and what kinds of sensitive information they're allowed to access. Mobile, IT-savvy users needing to access IT resources via remote VPN have different demands, desires, and capabilities than office-bound administrative staff, for example. And buyers want a one-stop shop where they can get everything they need for all of their users, including a credential management back end that handles multiple credential types seamlessly.

• Email
• Print
• Comments
• Digg This
• SlashDot

• Strong Authentication for Online Banking: Success Factors
• The Strong Authentication Battle
• How to Do Password Resets Right