Token resistance

Complex biometrics and hardware tokens fail to win widespread acceptance; less obtrusive, behind-the-scenes authentication schemes gain traction

The need for strong authentication to protect online transactions and to comply with new regulations spawned a host of start-ups over the past couple of years offering exotic types of two-factor authentication.

Last year, we profiled several of those companies, which used techniques such as fingerprint scanners, facial recognition, behavioral biometrics based on your typing patterns, and so-called "cognitive biometrics" that rely on your memories of unique events in your life.

But those complex authentication methods failed to gain broad adoption, and many of those companies are no longer around. Hardware tokens, which have been around for decades, have failed to win many converts. And the plain old user name and password, once thought to be an endangered species, is very much alive.

So, what happened?

Apparently, banks and other online companies decided that upsetting their customers with convoluted authentication schemes was a price they weren't willing to pay. So, from a customer perspective, very little has changed.

"If they experience anything besides passwords – and many don't – consumers typically encounter knowledge-based authentication," says Mark Diodati, senior analyst of identity and privacy strategies for the Burton Group. Examples would be asking a consumer the name of their favorite pet or the high school they attended.

Authentication goes undercover

But online companies are doing more to make sure people are who they say they are; they're just doing it behind the scenes. The most common tool is device recognition, usually a combination of a cookie or Flash object and other device specifics, such as IP address, time zone settings, and your operating system and browser. In theory, these provide a second factor in the something-you-know, something-you-have, something-you-are authentication matrix: your computer's settings are something you have, while the challenge questions cover something you know.

In practice, a cookie can be copied and browser attributes can be spoofed, so device recognition is weaker than a token you physically hold. That is why most deployments treat it as a risk signal feeding the monitoring described below rather than as proof of possession on its own.

Other behind-the-scenes protections, while not technically authentication factors, include geolocation and transaction monitoring. Geolocation restricts online activities to the geographical locations where a customer typically conducts business. Combined with proxy detection (flagging sessions that arrive through anonymizing proxies, which hide the true origin of the connection), this is a strong form of fraud protection. That bank transfer to (or from) Kenya or Uzbekistan will be tagged as very high-risk and may be blocked.

Transaction monitoring, at its most basic, simply targets activities that are known to be typical of fraud. More sophisticated systems, such as those from RSA, VeriSign, Arcot and Entrust, develop profiles over time for how individual users behave.

"The classic manifestation of risk analytics is passive from the consumer's perspective," Diodati says. "What gets flagged are anomalies."

Most people have established banking patterns. You log in from specific devices and locations. You make withdrawals within a certain dollar range. You pay the same bills each month. You take out large chunks of money a couple of times a year for vacations. It's predictable. If you break your normal patterns, you'll be asked to authenticate yourself further.
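The device-recognition and risk-analytics ideas above can be reduced to a small scoring engine. The following is an added example, not code from the article or from any of the vendors it names: it hashes the device attributes the article lists into a fingerprint, checks a transaction against a constructed customer profile (known devices, usual countries, payees, past amounts), and maps an additive risk score onto the three outcomes the article describes (allow, step up to stronger authentication, block). The rule weights, thresholds, the profile and the three sample transactions are all assumptions chosen for illustration.

```python
import hashlib
import statistics
from dataclasses import dataclass, field


# Constructed profile: what a bank would have learned over months of sessions.
@dataclass
class Profile:
    device_tokens: set = field(default_factory=set)   # persistent cookie / Flash object IDs
    fingerprints: set = field(default_factory=set)    # hashes of device attributes
    countries: set = field(default_factory=set)       # where the customer usually banks from
    payees: set = field(default_factory=set)          # bills paid before
    amounts: list = field(default_factory=list)       # past transfer amounts, USD


def device_fingerprint(attrs):
    """Hash device attributes (time zone, OS, browser, ...) in a canonical order so the
    same device always yields the same string. IP is deliberately left out of the hash:
    it changes with DHCP and is better scored through geolocation."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def device_known(profile, event):
    """Cookie match first, attribute fingerprint as fallback. Both are copyable, so this
    is a signal feeding the score, not proof of possession."""
    if event.get("token") in profile.device_tokens:
        return True
    return device_fingerprint(event["device"]) in profile.fingerprints


def score_event(profile, event):
    """Additive risk score plus the reasons that contributed (useful for the analyst)."""
    score, reasons = 0, []
    if not device_known(profile, event):
        score += 30; reasons.append("unrecognized device")
    if event["country"] not in profile.countries:
        score += 40; reasons.append("country outside usual pattern")
    if event.get("proxy"):
        score += 30; reasons.append("anonymizing proxy detected")
    amount = event.get("amount", 0)
    if amount and len(profile.amounts) >= 2:
        mean = statistics.mean(profile.amounts)
        sd = statistics.pstdev(profile.amounts) or 1.0
        if amount > mean + 3 * sd:              # far outside the customer's own history
            score += 40; reasons.append("amount far above history")
    payee = event.get("payee")
    if payee and payee not in profile.payees:
        score += 20; reasons.append("new payee")
    return score, reasons


def decide(score):
    """Map the score onto the article's three outcomes (thresholds are assumptions)."""
    if score >= 90:
        return "block"
    if score >= 30:
        return "step_up"   # ask for an OTP or a challenge question before proceeding
    return "allow"


# Constructed sample data.
HOME_PC = {"tz": "America/Chicago", "os": "Windows XP", "browser": "IE7", "screen": "1280x1024"}
PROFILE = Profile(
    device_tokens={"cookie-4f2a"},
    fingerprints={device_fingerprint(HOME_PC)},
    countries={"US"},
    payees={"ComEd", "Chase Card"},
    amounts=[110, 95, 130, 120, 100, 2500, 115],   # monthly bills plus one vacation chunk
)
EVENTS = [
    {"name": "monthly bill", "token": "cookie-4f2a", "device": HOME_PC,
     "country": "US", "amount": 120, "payee": "ComEd"},
    {"name": "login from new laptop", "country": "US",
     "device": {"tz": "America/Chicago", "os": "Windows Vista", "browser": "Firefox 3", "screen": "1440x900"}},
    {"name": "wire via proxy", "country": "KE", "proxy": True, "amount": 9000, "payee": "unknown-acct",
     "device": {"tz": "Africa/Nairobi", "os": "Linux", "browser": "Firefox 3", "screen": "1024x768"}},
]

if __name__ == "__main__":
    for ev in EVENTS:
        score, reasons = score_event(PROFILE, ev)
        print(f"{ev['name']:24} score={score:3} -> {decide(score):8} {reasons}")
```

The routine bill payment scores zero and passes silently; the first login from a new laptop trips only the device rule and triggers step-up; the large wire from an unusual country through a proxy to a new payee stacks every rule and is blocked, with the reasons kept for the analyst who reviews it.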

Bank of America's SafePass

This is exactly what Bank of America is doing with SafePass, an optional multifactor authentication program. Customers who sign up for SafePass get a one-time passcode (OTP) texted to their mobile phones.

Bank of America is the top online banking site, with 22 million subscribers and 11.6 million people paying bills online. Their SiteKey system is the de facto industry standard for front-door online banking authentication. The system combines standard user names and passwords with an image you see at login to prevent phishing, plus challenge questions and device authentication.

Why mobile phones as an additional authentication factor? "Our retail customers are resistant to being forced to keep track of yet another thing," says Jamie Ashfield, Bank of America's senior vice president of e-commerce security strategy and development. "The big message we got over and over again was to put any additional security layers into something people already have."

The mobile phone was an obvious choice, and most security experts consider out-of-band authentication a strong additional factor. In September, Bank of America began offering a second OTP option, a credit-card-sized OTP generator. For now, the OTP card is indeed "yet another thing," but expect to see these integrated with automated teller machine and credit cards soon. (Bank of America declined to name the vendors it uses for its security solutions.)

Today, SafePass is optional. However, higher-risk activities are being used to drive adoption. Logging in from a new device, adding new payees or transferring large sums of money can't be executed immediately without an OTP. "SafePass interacts with SiteKey. Instead of using two-factor for every sign-in, we've learned that most transactions are low risk, so we tie stronger authentication to high-risk activities," Ashfield says.

David Shroyer, senior vice president, Product Manager, Online Security & Enrollment at BofA, argues that two-factor authentication is a small piece of the security puzzle. It's effective against some types of fraud but not others. "Nothing is bulletproof, but the foundation of our approach is the ability to learn. Something might slip through today, but it won't happen again because we've seen it before," he says. "The real beauty of this approach is applying what you learned from transactional and operational risk-detection strategies back to the front door."

Two-factor lags outside of the banking industry

The financial sector is far and away the most aggressive industry segment when it comes to adopting two-factor authentication. FFIEC guidance on authentication for Internet banking has accelerated adoption, as have the relatively large risks that financial institutions face.

The rest of the world is a much different story. Aside from online banking, instances where end users encounter two-factor authentication are few and far between, and the general enterprise (beyond the financial sector) has a very slow adoption pace.

There is one other sector where two-factor authentication is alive and well: the federal government. "One of the recommendations that came out of the 9/11 Commission was for federal agencies to strengthen the identity credentialing process and eliminate weak credentials for sensitive systems," says Randy Vanderhoof, executive director of the Smart Card Alliance.

The Federal Information Processing Standards Publication 201 (FIPS 201) standard "specifies the architecture and technical requirements for a common identification standard." This standard is commonly referred to as the Personal Identity Verification (PIV) standard.

Oct. 27, 2008 was the compliance deadline. "The results of the Office of Management and Budget audit haven't been released, so I don't know how successful agencies were at meeting the deadline," Vanderhoof says. "What has been reported is that 1.2 million smart cards have been issued as of September, out of about 2 million federal employees."

Of course, the definition of a "smart card" is very broad. It could be a card, or it could be a secure e-credential on a USB token or a chip embedded into an ID badge. In fact, the ID badge could end up being the go-to form factor for strong authentication in the government, since it represents an easy way to combine credentials for physical access to buildings and other secure areas with logical access to electronic systems.

In the enterprise, there's the power of leverage

The enterprise has followed a much slower adoption path. Yes, there is an alphabet soup of regulations out there, but few address authentication directly.

However, the enterprise has a key advantage over consumer-facing applications: leverage. "It's not a big deal if your employer asks you to carry an authentication device, be it a USB token or a badge," Diodati says. The difference is ownership. Consumers may balk at having to carry tokens to get at their money, or having to install yet more software onto their computers. In the enterprise, though, the building, the computers and often even mobile devices are company owned. The enterprise sets the policies.

The trouble is that those policies are all over the map, as are the various types of authentication being deployed.

Large CPA firm deploys USB tokens

Virchow Krause & Company is the 15th-largest certified public accounting and consulting firm in the United States. With more than 1,300 associates and offices in Michigan, Illinois, Minnesota and Wisconsin, Virchow Krause investigated the most cost-effective way to improve security and concluded that doing away with passwords would deliver the most value.

"Our associates are highly mobile, and we're in an industry that must comply with numerous regulations," says Matt Jennings, senior manager for Virchow Krause's IT group. "We needed a two-factor solution that would have as small of a footprint as possible."

Virchow Krause adopted Gemalto's .Net dual USB tokens. The tokens provide two authentication options, an OTP generator (and display) and built-in smart card technology to store public-key infrastructure certificates. These eliminate passwords, but users still must remember a PIN to access the device. Gemalto's tokens also integrate with Windows Vista and XP without any middleware requirements.

Associates now have a secure way to remotely access VK applications on the road, at public terminals or behind client firewalls. The cost per user, about $150 per seat, is competitive with passwords alone, which require a lot of help desk support for resets. "The cost is a tiny sliver of our overall security and user-support costs," Jennings says.

Yet another regulation in the mix

Arise Virtual Solutions provides virtual call center services to clients in such industries as retail, transportation and computer technology. Arise's 8,000 call center representatives all work from remote or home locations, and because many operators collect personal information, such as credit card data, over the telephone, Arise must achieve Payment Card Industry (PCI) compliance.

The PCI Data Security Standard applies to any organization that stores, processes or transmits cardholder data, which covers retail merchants and online service providers as well as outsourced operations like Arise's call centers.

With such a large, dispersed workforce, Arise needed something that would be easy for IT to manage and convenient for workers to use. Based on these criteria, they deployed RSA's SecurID, which can be delivered via hardware or USB tokens, a software authenticator or a browser toolbar.

"We're trying to move as many agents as possible to software-based authenticators," says James Walkers, CTO of Arise. "Software is more cost-effective and it solves a lot of administrative problems, while delivering security on par with hardware-based solutions."

Crawling towards standards

Because the definition and deployment of strong authentication is so varied, a number of organizations are advocating standards. These include OASIS, the OpenID Foundation, the Smart Card Alliance and the Liberty Alliance.

To help make sense of the many authentication options on the market, the Liberty Alliance has developed the Identity Assurance Framework. It rates the level of certainty that the people presenting themselves in electronic transactions are who they say they are. The certainty varies from one (low) for something like passwords to four (high) for something like biometrics or an out-of-band second factor of authentication.

"There's more than just technology involved in the ratings," says Roger Sullivan, president of the Liberty Alliance. "You must also consider the business relationship. Business partners must audit each other to see if they're trustworthy, and you need increasingly higher levels of trust as the dollar amounts in transactions get higher."

Sullivan also believes that the current economic crisis could pave the way for stricter identity requirements. "We're already hearing the drumbeat for increased regulations as a backlash to the Wall Street bailout. If regulations start restricting access to various types of information based on roles, identity will have to be addressed. You can't create role-based restrictions without identity management at the core, and industry-wide identity management can only be accomplished through a standards-based approach," he says.

Will standards lead to some kind of Holy Grail of authentication, a simple, unified form of strong authentication? "There's a vision of that," Vanderhoof of the Smart Card Alliance says. "Microsoft has made plenty of announcements around CardSpace, and there is a lot of investment at the operating system and server level." (Microsoft, predictably, advocates its own uber-plan, CardSpace, and just as predictably competitors such as Google and IBM advocate a different approach, Higgins.) "What will probably happen is that smart cards will become transportable, possibly able to move from one form of ID to another. I'd say that's more likely than a single super ID."

Vance is a freelance writer. He can be reached at

Copyright © 2008 IDG Communications, Inc.