2001-11-15
Authentication as the Foundation for eBusiness
last updated November 15, 2001
“Security authentication, authorization and administration (3A) is the largest and fastest-growing segment of Internet security software… with revenues expected to increase at a 2000 to 2005 compound annual growth rate (CAGR) of 28% to more than $9.5 billion.” – International Data Corporation, August 2001

Introduction

Knowing whom you are doing business with, i.e., authenticating their identity, is the foundation for doing business securely in the digital world. Reliable authentication is the basis for protecting financial data, valuable assets, and confidential information from theft, misuse, and fraud. A recent Gartner report said it well: “identification and authentication services are crucial to authorization, auditing, and nonrepudiation services. If users are not properly identified, and if that identification is not verified through authentication, an organization has no assurance that access to resources and services is properly controlled . . . everything hinges on the true identity of the user” ("Identification and Authentication: Perspective", by Allan Ant, in Gartner Technology Overview, 15 March 2001, p. 3.)

In addition to protecting assets, however, a technology solution must also be easy to use and maintain, and must be cost-efficient in order to meet business requirements. Any solution a company implements must provide more value than it costs to implement and run, because there is no business benefit to using a solution whose expenditure outweighs the value of the data it protects. There is also no sense in implementing a solution that is so tedious and complex for end-users that they cannot, or will not, use it. This article outlines the reasons why authentication is critical for a successful business, along with a discussion of the two main modes in which it can be applied.
Additionally, this article will discuss the authentication methods that are currently available, along with some factors that businesses must take into account to ensure they choose an authentication system that makes the most sense for them.

Importance of Authentication

Secure Business Transactions

All business – on-line and off-line – is based on the principle of knowing whom you are entering into a transaction with. This “trust factor” is fairly easy to understand: not maintaining that trust can be very costly to businesses. According to a February 2001 report from Meridien Research, online payment fraud will increase from $1.6 billion worldwide in 2000 to $15.5 billion in 2005. Additionally, there are justified and relevant consumer concerns about identity theft. A recent Jupiter Media Metrix survey found that 81 percent of consumers who had security concerns about shopping online cited interception of credit card data as their primary concern (see On-line Fraud: an E-Commerce Image Problem by Michael Pastore). It seems that one cannot turn on the television or read a newspaper without a new case of “cybercrime” being discussed – whether it is Oprah’s online identity that has been compromised, or an online payments system that allows hackers to easily steal credit card numbers and other personal information. Without the trust and confidence of its customers, a business has no chance of succeeding.

Secure Access

Authentication is not only critical for transactions; it is also necessary to protect data assets. Authentication’s importance can be seen when looking at how the Internet has affected access security. When giving access to internal assets and systems, organizations now need to look at how users are authenticated from a new perspective. Prior to the dawn of the “virtual office,” this was often done on a person-by-person basis: physical security at a company’s site, where the data was held, was handled by what some call the “three Gs” – gates, guns, and guards.
Before being allowed onto a site, a person would be stopped by a gate – usually a reception desk or locked door – where they would need to provide some sort of authentication credential. This authentication could be as simple as being recognized by the receptionist or having the key to unlock the door, or as complex as needing a pass card and security code. With the rise of the Internet, those days are gone. The Internet has opened a virtual office that’s open 24/7 to a variety of users, as companies increasingly look to make electronic information accessible to trading partners, remote workers, off-site consultants and customers. IDC has estimated that the number of U.S. mobile and remote employees – those spending more than 20% of their time away from the office – will reach 55.4 million by 2004. To maintain a secure online working environment, it is vital that a company authenticate users from the moment they attempt to log into a system and throughout the entire time that the user is accessing data.

Transactional vs. Continuous Authentication

This brings us to another critical aspect of authentication: transactional (or one-time) versus continuous. Transactional authentication takes place once, to authenticate a particular transaction such as one-time access to a file server or approval of a payment. Continuous authentication occurs during the first attempt to access a site or data store and continues throughout the entire duration of that user’s connection. Let’s say, for example, that a user wishes to trade stocks using an on-line brokerage house. The brokerage could authenticate the user with either mode. If the brokerage is only concerned with protecting the transaction but does not care what else the customer does at the site, it may wish to use transaction-mode authentication. In transaction mode, the user could use the site without authenticating until he or she wishes to execute an actual trade.
On the other hand, if the brokerage perceives a business benefit to tracking the user’s actions on the site, continuous mode may be more beneficial. In continuous mode the brokerage would authenticate the user at the first attempt to access the site and then track the user continuously for the length of time they spend there.

Current Authentication Technologies

We have established that authentication is critical to a successful business and discussed two modes of authentication, transactional and continuous, but what are the technologies that can supply authentication in the digital environment? First, it’s important to understand that authentication is a two-fold process, going hand in hand with identification. Identification is accomplished by asking the question ‘who are you?’ Most of us are familiar with this process, which is enacted when we are prompted to enter a login name. Authentication occurs when a user is asked to prove that they are who they claim to be – commonly done with a password that is tied to the identifying login name. Authentication can be accomplished using one of the following three things, or a combination thereof:
Single-factor authentication, which commonly utilizes a combination of a user ID and password, is one of the most common authentication methods. When another factor is added, such as a smart card, the authentication is referred to as two- or multi-factor authentication. Two-factor authentication is considered to be more secure simply because a thief would have to steal more credentials in order to commit fraud. Unfortunately, two-factor authentication is often more expensive for a company to implement and more complicated for the end-user to use.

Single-Factor Authentication

The traditional form of single-factor authentication is the use of a standard user ID and password pair. While there is nothing inherently wrong with IDs and passwords, they do not provide very strong security when used as the only form of authentication. Passwords are often re-used and easy to guess, in which case they can be easily stolen and reused by attackers. In fact, according to the July 2001 “Authentication in an Electronic Banking Environment” report by the Federal Financial Institutions Examination Council, “single-factor authentication alone may not be commercially reasonable or adequate for high-risk applications and transactions . . . Instead, multi-factor techniques may be necessary.”

Multi-Factor Authentication

Recognizing the importance of multi-factor authentication, there are a variety of technologies currently available to businesses looking to protect themselves and their customers. These range from PKI (public key infrastructure, a system of digital certificates and Certificate Authorities that verify and authenticate the validity of each party involved in an Internet transaction) to tokens, smart cards, biometric devices and authentication systems tied to hardware signatures, all of which provide a second factor of authentication that makes them stronger than the simple user ID/password method.
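The brokerage scenario from the Transactional vs. Continuous Authentication section, with the user ID/password check from Single-Factor Authentication as the factor being verified, as an added example that is not code from the original article. The `Broker` class, the user names, the `quote`/`trade` actions and the session timeout are all constructed here: in transactional mode the site is browsed anonymously and only the trade is authenticated, while in continuous mode a session is created at entry and checked and refreshed on every request, which is what gives the brokerage its per-user activity trail.

```python
import hashlib, hmac, os

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a stolen credential store is not trivially reversed.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class Broker:
    """mode='transactional': browse anonymously, authenticate only at the trade.
    mode='continuous': authenticate at entry; every later request needs a live session."""
    def __init__(self, mode: str, session_ttl: float = 900.0):
        assert mode in ("transactional", "continuous")
        self.mode, self.ttl = mode, session_ttl
        self.users = {}     # login -> (salt, pbkdf2 hash); constructed store
        self.sessions = {}  # token -> [login, last_seen]; constructed session table
        self.audit = []     # (event, principal) trail for monitoring

    def register(self, login: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[login] = (salt, _hash(password, salt))

    def verify(self, login: str, password: str) -> bool:  # the single factor
        rec = self.users.get(login)
        ok = rec is not None and hmac.compare_digest(_hash(password, rec[0]), rec[1])
        self.audit.append(("auth_ok" if ok else "auth_fail", login))
        return ok

    def login(self, login: str, password: str, now: float):  # continuous-mode entry
        if not self.verify(login, password):
            return None
        token = os.urandom(16).hex()
        self.sessions[token] = [login, now]
        return token

    def request(self, action: str, now: float, token=None, credentials=None) -> str:
        """action is 'quote' (browse) or 'trade' (sensitive); returns 'ok' or 'denied'."""
        if self.mode == "continuous":
            sess = self.sessions.get(token)
            if sess is None or now - sess[1] > self.ttl:
                self.sessions.pop(token, None)   # idle or unknown session is dropped
                self.audit.append(("denied", action))
                return "denied"
            sess[1] = now                        # activity tracked on every request
            self.audit.append((action, sess[0]))
            return "ok"
        if action != "trade":                    # transactional: browsing is anonymous
            self.audit.append((action, "anonymous"))
            return "ok"
        if credentials is None or not self.verify(*credentials):
            return "denied"
        self.audit.append(("trade", credentials[0]))
        return "ok"
```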
When choosing which authentication system to implement, businesses must make sure that they do not implement a “cool” technology that ends up costing more to install and deploy than it saves the company in additional productivity or risk management. The problems associated with the failure to do a realistic cost/benefit analysis were illustrated by many organizations that adopted PKI. While PKI is a wonderful technology and works very well in some business cases, it is not the answer for everyone. When PKI was first being discussed, many proponents described the vision of a fully global PKI, where entities from around the globe could enter into high-value business transactions using a single set of pre-certified and registered credentials. In this scenario, a trusted universal certification authority, or “CA-in-the-sky”, would administer these credentials. This approach is similar to the way passports are used in the physical world – as a set of credentials that is recognized and trusted internationally. While there are certainly some powerful potential benefits to this model, it has not yet proven feasible in real-world implementations. On a smaller scale, such as within a single enterprise, PKI can provide useful solutions. This is particularly true if an organization requires employees to carry an authentication card to gain access to physical areas and to the network (via a smart card reader on a PC), and to digitally sign certain documents such as expense reports and time sheets. In this scenario a smart card loaded with a company-issued digital certificate can fulfill the requirements. These credentials do not transfer to other companies, nor do they need to. But it’s important to note that smart card readers will need to be fitted on each door and in each PC. The additional hardware necessary for strong security is a significant shortcoming of smart cards as a viable authentication solution for e-commerce.
Card readers are expensive to purchase and maintain and greatly increase the overall cost of the solution. Additionally, these solutions – like tokens – require users to carry around another device that can be lost or misplaced. The company needs to consider these additional costs so that it does not end up spending more time and money to implement and maintain a complex system without gaining any additional business benefit. When a company needs to provide strong authentication either within a closed environment, such as its own network, or to a large number of users – such as on-line consumers – a lightweight authentication solution that does not require additional hardware can be an attractive option. Systems that authenticate a user against a “digital hardware fingerprint” that is unique to his or her PC, laptop or wireless device, for example, save cost by not requiring any token or reader, and can be adopted by businesses that wish to authenticate small to large user bases, as long as the system is transparent, simple and secure.

Conclusion

“The value of financial services and payment transactions on the net are growing rapidly. As this happens, it becomes increasingly dangerous for companies not to take steps to reduce the risk to themselves and their customers,” according to analyst Jeanne Capachin of Meridien Research. “Using strong authentication products and practices is one of the most important ways that companies can protect themselves from loss.”

Strong authentication is the foundation of successful business. This has been true in the physical world and is becoming even more critical in the online one. It’s been said that “on the Internet nobody knows you’re a dog”, which sounds funny, but is of little comfort to the enterprise that needs to determine who they are doing business with, who they are allowing to complete transactions, and to whom they are providing access to confidential data stores.
Although there are a number of two-factor authentication products on the market, many of them are costly to implement and increase the difficulty of use for the end user. To meet their business objectives, companies must implement authentication systems that best suit their needs – this means a system that is cost-efficient for an enterprise, that provides an acceptable level of security, is easy to implement and maintain, and is as user-friendly as possible to the end-user.