Industry View

Password Seeks Partner For Long-Term, Secure Relationship

Forrester looks beyond the password to key trends in strong authentication

By Bill Nagel, Forrester Research

May 04, 2009CSO

Passwords have been standing guard over our computer user accounts seemingly forever; for a long while, and for most purposes, they could go it alone.

But it's no secret that passwords are no longer sufficient as the sole means of granting access to critical networks, applications, and data, particularly as the number of applications requiring passwords at any given firm has skyrocketed. Either passwords are too weak, not changed regularly enough, or users write them down in a publicly accessible (read: not very secure) place, or they're long enough, complex enough, and changed regularly, and thus impossible to remember.

Organizations have been enacting more stringent measures to protect corporate and customer data from external and internal threats, comply with regulations, and manage information risks. One result is that enterprise security strategies have focused more sharply on managing user identities, access rights, and entitlements, driving a broader movement toward identity and access management (IAM). One of the first things firms recognize is that single-factor authentication (passwords alone) is a weak link in the security chain.

Firms looking to improve their IAM posture and clear the way to implement processes and technologies, like account and credential provisioning and life-cycle management, authorization and entitlement management, single sign-on (SSO), privileged user management, and federation, look to strong authentication as a starting point.

If IAM is analogous to allowing only those people you trust to enter your house, then strong authentication is the first step in the process: putting a lock on your door.

Deciding on a strong authentication solution is basically determining what combination of locks and keys will work best in a particular environment. But this is far from a trivial exercise: Dozens of distinct types of second-factor credentials, such as tokens, smart cards, and biometrics, dot today's marketplace; most of them provide a similar level of security.

But the main question driving the strong authentication marketplace today is not security, it's usability. Users don't like complexity, and they don't like to do something extra that affects their productivity. Companies mandating strong authentication found that employees would circumvent this burden whenever and however possible (like sharing credentials). This poses a problem for vendors and buyers alike: What will end users actually use?

With that in mind, here are three of the trends in the strong authentication market.

A broader range of authentication options. Different users have different needs, depending on whether theyre inside or outside the company network and/or its physical premises and what kinds of sensitive information they're allowed to access. Mobile, IT-savvy users needing to access IT resources via remote VPN have different demands, desires, and capabilities than office-bound administrative staff, for example. And buyers want a one-stop shop where they can get everything they need for all of their users, including a credential management back end that handles multiple credential types seamlessly.

Passwords

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Security Directions: A Virtual Conference

Security Directions Available On Demand Sept. 30 - Dec. 30

Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.

» Register Now

WEBCAST
Protecting PII: How to Work with IT to Manage Risk

Compuware Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.

» View this Webcast

Featured Sponsors