Dexa Systems
11/09/2010 05:23 PM Posted by: Glen Mullen

Strong Authentication Myths Debunked – Part 1

For years and years I have heard that something better than username and password is needed for authentication. Yet not much has changed: when solutions are presented to people, the response is that they cost too much or are too complex. Many solutions have been offered: One-Time Password (OTP), biometrics, PKI with certificates and keys on the disk, PKI with certificates and keys on smart cards, and PKI with keys on the TPM and certificates on the disk. There are other variations of these approaches; I will not try to cover every possible approach in this blog. In this and my coming blogs I will take a deeper dive into each approach and assess the security, usability and cost trade-offs of each one. You may say that I am biased towards smart cards, and in some cases I am. I also recognize that there is no one-size-fits-all solution for corporations.

Now to my original thought. There is a myth perpetuated about the cost and complexity of smart cards. The first item that scares most people off is PKI, and certainly anything that involves PKI is not trivial. We as security professionals have done a lot to enforce the idea that PKI must be done a certain way to be of any value. Early PKI deployments were nightmares that were overkill for most organizations. We now have approaches to PKI that greatly simplify deployments and offer better than good-enough security. What do I mean by good-enough security? It enables true two-factor authentication and replaces most if not all passwords. In addition to authentication it also enables encryption and signing. Yes, some trade-offs are made, but they are not issues except in the most secure environments.
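To make concrete what "true two-factor authentication" with a key on a smart card means in practice, here is an added Go example; it is not code from the original post or from Dexa Systems. The card is simulated in software (the `SimulatedCard` type, its PIN, the three-try lockout, the constructed identity `alice@example.test` and the self-signed certificate standing in for one issued by an enterprise CA are all my assumptions). The private key is created inside the card object and never leaves it, a signature is released only when the correct PIN is presented, and the relying party verifies a fresh random challenge against the certificate's public key, so no password ever crosses the wire or sits in a server database.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SimulatedCard (hypothetical name) stands in for a smart card: the private key is
// generated inside it and never exported, and it signs only when the holder presents
// the right PIN. Possession of the card is "something you have", the PIN is
// "something you know". Three wrong PINs lock the card (an assumed limit).
type SimulatedCard struct {
	key    *rsa.PrivateKey
	pin    string
	failed int
	Cert   *x509.Certificate // public certificate; the relying party gets a copy
}

// NewSimulatedCard generates the on-card key pair and a self-signed certificate.
// A real deployment would have the enterprise CA issue the certificate instead.
func NewSimulatedCard(subject, pin string) (*SimulatedCard, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &SimulatedCard{key: key, pin: pin, Cert: cert}, nil
}

// Sign returns a PKCS#1 v1.5 signature over SHA-256(challenge) if the PIN is correct
// and the card is not locked; the key itself is never handed out.
func (c *SimulatedCard) Sign(pin string, challenge []byte) ([]byte, error) {
	if c.failed >= 3 {
		return nil, errors.New("card locked: too many wrong PINs")
	}
	if pin != c.pin {
		c.failed++
		return nil, errors.New("wrong PIN")
	}
	c.failed = 0
	digest := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, digest[:])
}

// NewChallenge is the relying party's fresh random nonce. Because every logon uses a
// new nonce, a captured signature cannot be replayed later.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// VerifyResponse is the relying party's check: certificate within its validity
// period and signature valid under its public key. Chain building to the issuing
// CA and revocation checks are omitted because this example is self-signed.
func VerifyResponse(cert *x509.Certificate, challenge, signature []byte) error {
	now := time.Now()
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate outside its validity period")
	}
	return cert.CheckSignature(x509.SHA256WithRSA, challenge, signature)
}

func main() {
	card, err := NewSimulatedCard("alice@example.test", "1234") // constructed sample identity and PIN
	if err != nil {
		panic(err)
	}
	challenge, _ := NewChallenge()
	sig, _ := card.Sign("1234", challenge)
	fmt.Println("correct PIN, fresh challenge:", VerifyResponse(card.Cert, challenge, sig))
	_, err = card.Sign("0000", challenge)
	fmt.Println("wrong PIN:", err)
}
```

The design point worth noticing is where the secrets live: the relying party stores only a certificate, which is public, so a breach of the server yields nothing that can be replayed, and a stolen card is useless without the PIN because the card refuses to sign and locks itself. Those are the two properties that let the certificate replace the password rather than merely supplement it.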

Now to smart cards. In the past, getting the right drivers for the cards and readers has been a huge issue. The new cards with mini-drivers make deployments much easier, as all the necessary drivers can be downloaded as part of a Microsoft Update. While this is not a perfect solution, it eliminates the majority of deployment issues. The rest of the components for card management can be deployed as zero-footprint web browser controls.

What about the cost of the card and the fact that I am carrying an additional device? I agree that some of the cards are overpriced. The high cost is due to more storage and faster processors; while cool, these are not really needed for authentication. We are working with vendors to address that issue and offer different levels of cards that better meet the needs of customers. As for carrying an additional device, that is not really true if a company is already using cards for physical access or even just as photo identification: everyone is already carrying a card, so there is really nothing additional for them to carry. Smart cards can be phased in as old badges are replaced if a full rollout is impractical from a budgetary standpoint.

In future blogs I will explore more about the costs and benefits of different strong authentication methods. This will include some new ideas for mobile devices as well, and will show how strong authentication can be cost effective and actually more usable than current username/password solutions.
