9-vendor authentication roundup: The good, the bad and the ugly

New ‘smart’ tokens and risk-based factors deliver tighter security, but setups remain complex and user interfaces need a facelift.


Voice Biometrics Group Verification Services Platform: Voiceprint-based authentication

Voice Biometrics Group (VBG) has been involved in the voiceprint security field since 2009, and has some of the largest voice-related installations, some of which comprise more than a million individual voiceprints. Its technology has been used in some interesting applications, such as double-blind clinical medical trials, where the clinician doesn’t know the subjects yet needs to validate their identity through their voiceprints.

Voice as an additional authentication factor has a lot of subtleties and requires careful implementation. Unlike an OTP, verifying a voice is a matter of statistics and not a yes/no decision: your system needs to collect enough information to match the recorded voiceprint attached to a particular speaker. How the audio is recorded – whether the speaker is in a quiet or noisy room, using a cell phone or land line, and speaking a particular language – is a key element of whether the match will be made by a voiceprint system.

Also, having a database of voiceprints ups the ante on its security: imagine if such a database were hacked or compromised. Once a voiceprint has been stolen, you can’t assign another voice to one of your employees. This is an overall issue with any biometric factor and one of the reasons why this hasn’t become as popular as the other authentication methods used in this review. This is why voice should be just one of several authentication factors and needs to be supplemented with SMS or phone calls to be more secure. No one uses a voiceprint system as the sole authentication factor, mainly because voices can be recorded and played back to defeat such simple use cases.
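The statistical matching and the multi-factor requirement described above, sketched as an added example (not VBG code, and not from the original article). The similarity scores, thresholds and function names are all constructed for illustration.

```python
# Added illustration: scores, thresholds and names are constructed, not VBG's API.

# Constructed similarity scores (0..1) from a hypothetical voiceprint matcher.
GENUINE_QUIET = [0.91, 0.88, 0.93, 0.85, 0.90, 0.87]  # enrolled speakers, quiet room
GENUINE_NOISY = [0.74, 0.69, 0.81, 0.62, 0.77, 0.58]  # same speakers, noisy cell call
IMPOSTOR = [0.31, 0.44, 0.52, 0.27, 0.66, 0.39]       # other speakers' attempts


def error_rates(genuine, impostor, threshold):
    """Return (false_reject_rate, false_accept_rate) at one threshold."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def sweep(genuine, impostor, thresholds=(0.60, 0.70, 0.80)):
    """Error rates per threshold: lowering it trades rejects for accepts."""
    return {t: error_rates(genuine, impostor, t) for t in thresholds}


def decide(voice_score, second_factor_ok, accept_at=0.80, reject_below=0.60):
    """Three-way policy in which a voice match alone never grants access."""
    if voice_score < reject_below or not second_factor_ok:
        return "reject"
    if voice_score >= accept_at:
        return "accept"
    return "retry"  # grey zone: prompt for more audio before deciding


if __name__ == "__main__":
    for label, scores in (("quiet", GENUINE_QUIET), ("noisy", GENUINE_NOISY)):
        for t, (frr, far) in sweep(scores, IMPOSTOR).items():
            print(f"{label} threshold={t:.2f} FRR={frr:.2f} FAR={far:.2f}")
    print(decide(0.91, True), decide(0.91, False), decide(0.74, True))
```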

However, everyone has a unique voice, so that has appeal if you are trying to deploy a system around the world where sending a hardware token could be an issue.

VBG has put together a series of demonstrations of its system that can be accessed via a Web portal. This can be used to set up and record the voiceprints and show how they can be used as part of a typical interactive voice response phone application. There is a second Web-based portal that is its main administrative and management console. This has menu options to download a transactions report and show the status of voice records, and is used to classify voices as either male or female speakers.

VBG also includes, as part of the resources, a series of HTML5 applications that can be used to start your own development effort. Its systems are based on a RESTful API that is fairly simple, with fewer than a dozen different commands.

The dashboard and reports are very simplistic, although the company is working on improving their UI in the near future.

What isn’t included is any support for SAML or OAuth or other typical authentication protocols. This is more intended for custom-built applications that typically would be combined with a voice-response system in a call center.

VBG is a subscription-based managed service with a minimum fee of $500 per month. Pricing is based either on transactions or individual voiceprints stored on their system, and typical engagements will make use of their professional services organization, with minimum fees there starting at $10,000. A 60-day free trial is available, provided you sign a non-disclosure agreement.

Yubico Yubikey 4: USB-based keys

Yubico has been a leader in USB-based keys for many years. Its tokens have a very interesting form factor: each fits into the USB slot on your computer and has a variety of keys to support dozens of applications and identity providers. The fourth generation of its keys came out last November. These keys don’t require any additional driver to work with most Windows, Mac and Linux systems.


One example is that the YubiKey 4 can be used to digitally sign GitHub and Docker code during initial development and through subsequent updates to ensure the integrity of the developed applications. This “touch-to-sign” feature has many different applications besides signing code: you could implement it for testing for “proof of life” situations too.

Yubico tokens can be found in hundreds of applications and the company was an early supporter of FIDO’s U2F standards. This means that the same YubiKey can be used to authenticate yourself with several applications: currently these include Google Docs, Dropbox, password managers like Dashlane, single sign-on tools such as Centrify and several other systems via plug-ins to WordPress and Django content management systems. One indication of their popularity is that every Google and Facebook employee makes use of their keys to secure their logins.

With or without U2F support, their keys don’t store any cryptographic information: instead, they contain a long string of alphanumeric sequences that are used as complex passwords.

You can easily set up the keys to act as a second factor for all of these accounts, using the security settings screens for each application or plug-in. Once you do so, you have to press a small gold button on one side of the key to send the key sequence to your application as part of the login process. It certainly beats typing in a complex password sequence. Note that this isn’t an OTP application: the same numeric sequence is used repeatedly.

In addition to the USB-based keys, Yubico also has a newer YubiKey NEO device that supports sending keys via near-field communications protocols. These can be used with smartphones and other devices supporting this method.

Yubico has a long list of API libraries that support its keys, including code in C, Java and PHP. There is extensive documentation that can be used by corporate developers to build their own YubiKey-based authentication system, numerous code snippets, and detailed instructions on how to put everything together. The documentation is freely available at their developer portal and there is no charge to become part of its program. The amount and quality of this documentation and code samples and breadth of programming language support should be a model for the other MFA vendors.

Enterprise developers make use of their Management and Personalization Software utility, which runs on Windows, Mac OS X and several Linux operating systems, to assign keys to users and revoke them.

Tokens can be purchased for $50 or less in quantities of 100.

Strom is the founding editor-in-chief of Network Computing magazine and has written thousands of magazine articles and two books on various IT and networking topics. His blog can be found at strominator.com and you can follow him on Twitter @dstrom. He lives in St. Louis. 

This story, "9-vendor authentication roundup: The good, the bad and the ugly" was originally published by Network World.
