
Strong authentication to see wider adoption in 2006

Jan 25, 2006

* Banks beginning to use stronger authentication

As January nears its close, the issues and challenges that will impact enterprise management in 2006 are taking shape. One such challenge is IT security management, which in the past year was driven by a number of factors. Among the more newsworthy were regulatory compliance and repeated breaches of the security of personal information. These two areas have affected each other directly, as phishing attacks, identity theft, and the loss of control of sensitive personal data have precipitated incident disclosures mandated by laws such as California Senate Bill 1386. These events, in turn, have increased demands for stronger protection of personal data and stronger controls on access to that information. In 2006, these factors will converge in the increased penetration of technologies for strong authentication.

Strong authentication focuses on increasing the reliability of authentication and access controls through techniques such as cryptography or the use of multiple factors for authenticating an IT user. In a single-factor system, a user is only required to provide something they know by which they can be identified, such as a password. So-called “two-factor” authentication requires a user to additionally provide something they have, such as a one-time password token, which generates and displays to the holder a password valid for only a short period of time.
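As an added illustration (not part of the original article, and not any token vendor's code), the following Python shows the HMAC-based one-time password scheme later standardized as RFC 4226/6238, in which the "short period of time" is a 30-second step; the secret and the expected codes come from the RFC test vectors. The server-side check also tolerates one step of clock drift and refuses a counter it has already accepted, so a code that was intercepted cannot be reused while it is still within its window.

```python
import hashlib
import hmac
import struct

DIGITS = 6
STEP_SECONDS = 30  # a new code appears on the token every 30 seconds

# RFC 4226 test secret (constructed example value, not a production key)
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password: HMAC-SHA1 over an 8-byte big-endian
    counter, dynamically truncated to a `digits`-digit decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """Time-based variant: the counter is the number of `step`-second
    intervals since the Unix epoch, so each code is valid only briefly."""
    return hotp(secret, at // step)


def verify(secret: bytes, submitted: str, at: int,
           last_counter: int = -1, window: int = 1,
           step: int = STEP_SECONDS):
    """Server-side check of a submitted code at Unix time `at`.

    Returns the accepted counter (the caller persists it as the new
    `last_counter`) or None.  Accepts +/- `window` steps of clock drift,
    compares in constant time, and never accepts a counter at or below
    `last_counter`, which blocks replay of a code inside its window."""
    current = at // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue  # already consumed (or older): reject replay
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; counter 59 // 30 == 1
    print("token shows:", totp(SECRET, now))
    print("first use accepted, counter:", verify(SECRET, "287082", now))
    print("replay rejected:", verify(SECRET, "287082", now, last_counter=1))
```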

The use of stronger authentication has recently become an issue in online banking, thanks in part to guidance issued last October by the Federal Financial Institutions Examination Council (FFIEC) – the entity that coordinates standards for the government agencies that govern banks and financial institutions, including the Federal Reserve and the Federal Deposit Insurance Corporation (FDIC). The FFIEC’s guidance on “Authentication in an Internet Banking Environment” advises banks to perform risk assessments appropriate to specific transaction types, and to apply controls accordingly. Among the highlights of this guidance: a statement that FFIEC agencies do not consider the use of single-factor authentication adequate when used as the sole control mechanism “for high-risk transactions involving access to customer information or the movement of funds to other parties.”

This guidance is producing a wave of multi-factor authentication implementations in online banking and financial services, such as Bank of America’s SiteKey system, which was rolled out to its customers nationwide in late 2005. Produced in cooperation with PassMark Security, SiteKey collects information from a customer’s computer, effectively turning the customer’s system into the second authentication factor. In addition, SiteKey provides the user with an image the user initially recognized when signing up for the SiteKey service, along with a phrase associated with that image which the user created themselves. When the customer uses a different computer, SiteKey may ask the user one of three questions, which only the user should be able to answer.

These techniques are not without their shortcomings, but they are an improvement over using passwords alone and have been long in coming, particularly in financial services. Thanks to the exploits as well as the regulatory trends of earlier years, strong authentication is at last likely to become a significant market driver in key security and IT risk management verticals in 2006.
