
Strong Authentication

Definition

Strong authentication is a two-factor or multifactor sign-on authentication process that creates a higher level of assurance before granting privileges to an application. Strong authentication combines two or more independent factors of identification, such as a password (something the user knows), a token (something the user has), or voice or fingerprint verification (something the user is). Strong authentication is also sometimes called “strong security.”

User Benefits

Basic Security Benefits

There are a number of inherent security benefits that arise from use of strong authentication and asymmetric cryptography:

  • Key distribution is avoided. Because there is only one private key, it is straightforward to give this to the one entity that needs to hold it, or have the entity generate the private key. Getting the same secret key to both parties generally poses both security and administrative problems.
  • Key strength is controlled by administrative decision. This avoids the security problems that arise from common situations where poor secret keys are chosen.
  • Protocols that transmit passwords in the clear and the associated security risks are avoided. This includes simple authentication for the X.400 and X.500 protocols, and login/plain choices for LDAP, POP and IMAP.
  • For client/server protocols such as LDAP, strong authentication avoids the trade-off between protocols that transmit plain passwords (which allow only a hash to be stored on the server for verification) and protocols that avoid transmitting the plain password but require it to be held in the clear on the server.

Benefits of Private Key Storage

There are a number of benefits to storing the private key in a file or on hardware:

  • For a client, use of a smart card can be a very convenient way to handle authentication.
  • By requiring possession of a smart card, or that the user operate from a machine with the private key installed, a two-factor authentication mechanism is provided (where a PIN is also required) that increases overall security.

Administrative Benefits of Strong Authentication

One might expect that something called “strong authentication” would be very complex to set up and administer; however, the opposite is the case in many situations. Once the private key is installed, things are (or should be) very easy indeed. For example, when setting up an X.500 DISP replication agreement between two directory servers using simple authentication, passwords need to be assigned for each direction of replication. This is avoided with strong authentication.

There are some significant generic security and administrative benefits to using strong authentication. These generic benefits need to be considered in the context of the application being deployed, and the details of the deployment configuration.

Business Impact

In today’s environment, the need for organizations to enable secure remote access to corporate networks, enhance their online services, and open new opportunities for e-commerce is bringing ever-growing attention to the importance of securing user access and validating identities. In addition, the recent barrage of identity theft and corporate fraud cases has brought corporate responsibility and the protection of sensitive data to the spotlight.

Consumer demands and compliance pressures bring organizations and institutions to search for new ways to strengthen their internal controls, authentication methods, and identity management practices. The message is clear – action is needed to stay ahead in the fast-changing, security-conscious market.

The weakness of passwords can no longer be tolerated, and organizations are increasingly moving from password-centric to strong authentication solutions. This enables organizations to securely authenticate identified users and gain one of the most crucial elements of any business relationship – trust. Organizations are realizing that security is vital for enabling business, cutting costs, complying with regulations, establishing a productive work environment, and attracting customers. Meanwhile, strong authentication solutions are developing to answer organizations’ needs by providing easy-to-use solutions with numerous benefits to both users and organizations.

For organizations wishing to enable more business, reduce security vulnerabilities, comply with regulations mandating data privacy and protection, save costs, and attract security-conscious customers, a strong and robust authentication system can lead the way to achieving their goals.

Enable business – by implementing strong authentication solutions, organizations can allow legitimate users to access sensitive data anytime, anywhere.

Comply with regulations – strong authentication constitutes a basis for compliance with many regulations, such as FFIEC, HIPAA, SOX, E-SIGN and FDA requirements.

Increase productivity – providing users with widespread access to necessary business data and applications in the office, at home, or on the road, improves communication among employees, shortens the response times to clients and customers, and in short – increases productivity.

Save cost, increase ROI – strong authentication enables organizations to provide increased connectivity and secure access to digital data and applications.

Attract customers – organizations are now viewing security as a marketing differentiator, attracting customers, increasing sales, increasing brand loyalty, and improving their reputation by positioning themselves as security-minded. Customers are dictating to the market that the better product is also the safer product.


Products supporting this technology

Gemalto

Strong authentication solutions enable organizations to ensure that a user is indeed who he or she claims to be. They increase the security of the authentication process beyond passwords by requiring two or more of the following forms of authentication:

Something you know – something the user needs to remember, such as a password, a PIN, or an answer to a personal question

Something you have – something the user needs to physically carry, such as a token or a card

Something you are – a biometric feature, such as a fingerprint or facial characteristic

Strong authentication solutions commonly involve a physical device (e.g. a token) used together with a password to prove the owner’s identity. A wide variety of strong authentication token technologies and form factors are available in the market. The following are descriptions of the key form factors available today:

USB Tokens

USB tokens are small handheld devices that users connect to their computers’ USB ports to authenticate. Users are granted access upon plugging the token into the USB port and entering the token password. The physical connection between the token and the computer enables these tokens to be used for multiple security applications such as secure local and remote network access, web access, laptop and PC protection, file encryption, user credential management, and secure transactions.

Smart Cards

Smart cards are credit-card-sized devices that contain highly secure microprocessor chips dedicated to cryptographic operations. To authenticate, users must insert their smart cards into a reader and enter a password. Smart cards provide highly secure storage of user credentials and keys. They also secure PKI implementations by generating keys and performing cryptographic operations on-board, without ever exposing the user’s private key to the computer environment. While providing extensive functionality and high security, smart cards lack mobility: using a smart card requires a separate reader for every machine on which the smart card will be used.

Smart-card-based USB Tokens

Smart-card-based USB tokens contain a smart card chip and combine the advantages of both USB tokens and smart cards to provide the greatest level of security and versatility. They enable a broad range of security solutions and provide all of the benefits of a traditional smart card and reader, without requiring the separate reader.

One-time Password (OTP) Tokens

OTP tokens are small handheld devices that allow authentication using one-time passwords generated by the device, based on a secret key shared by the device and an authentication server. A user wishing to authenticate enters the one-time password appearing on the token, and this value is compared to the value generated by the authentication server. While OTP tokens are highly portable, they do not provide the same level of support for multiple security applications that USB tokens and smart cards offer.

Hybrid Tokens

Hybrid tokens provide multiple types of functionality, which increases flexibility. Hybrid USB and OTP tokens allow full USB-based strong authentication and security solutions, as well as OTP- based strong authentication in detached mode when needed. Smart-card-based hybrid tokens that use the smart card chip for both USB and OTP functionalities provide maximum security.

Software Tokens

Software tokens enable strong authentication without a dedicated physical device. These tokens are software programs that can be stored on a user’s computer, or on mobile devices such as a cellular phone or PDA. Based on a secret key, the token generates a one-time password that is displayed on the computer or mobile device. Software OTP tokens are also available for use with mobile devices.

Strong Authentication Solutions Are Evolving

As market sophistication and experience with strong authentication increases, and as the level of threats resulting from ever more sophisticated cyber-crime grows, authentication solutions are evolving to meet market demands. Organizations are looking for broad, open solutions that enable them to incorporate many capabilities using a single system and which allow them to adjust as their business needs evolve. At the same time, they are looking for solutions that are easy to implement and use, to ensure user acceptance and maximize return on their investment. The following are some recent trends in strong authentication:

Software Authentication on Mobile Phones

Mobile phones are ubiquitous, so it makes sense to use the device that most people already carry with them as the “what you have” factor in two-factor authentication. Mobile phones can support a range of authentication methods, from OTP passcodes generated by an OTP application installed on the phone, to certificate-based tokens in software form (also installed on the phone), and SMS passcode delivery. In the latter case, the SMS passcode is delivered to the phone via regular cellular channels.

Out of Band Authentication

OOB authentication requires that separate information channels be used for communication. In other words, the passcode that is entered into the website is delivered to the user on a different device from the one being used to log in to the application. One of the more common forms of OOB authentication is sending the passcode to the user’s mobile phone via SMS. Another form of OOB authentication is automatic call-back, either to a mobile number or to a regular land line.

Transaction Verification and Signing

Transaction verification and signing is intended to reduce the risk of financial fraud, which has become much more sophisticated over the past few years. Transaction verification adds another level of security to the authentication process by using a separate channel to confirm the details of a given transaction. Transaction verification can use some of the methods already mentioned above, including out-of-band SMS delivery, where the SMS message contains the actual transaction details in addition to a passcode that the user has to enter into the website. Another way of implementing transaction verification is through Interactive Voice Response (IVR), or with an OTP authentication device that has the added functionality of challenge-response and transaction data display.
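The OTP token exchange described under One-time Password (OTP) Tokens, and the transaction-bound challenge-response variant mentioned here, as an added example that is not part of the original page or any vendor's product: the token side uses RFC 4226 HOTP (checked against the RFC's published test vector, which is a public value and not a real seed), the server side verifies within a look-ahead window and advances its counter so a code cannot be replayed, and the transaction-signing format that mixes payee and amount into the MAC input is an assumed illustration, not a standard.

```python
import hashlib
import hmac
import struct

# Seed from RFC 4226 Appendix D (a public test vector, not a real token secret);
# a deployed token has a per-device seed provisioned into the device and the server.
SEED = b"12345678901234567890"
DIGITS = 6


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 4 bytes at an offset taken from the MAC's last nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Token side: HMAC-SHA1 over the 8-byte big-endian event counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def transaction_otp(secret: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """Challenge-response variant (assumed format, not a standard): the transaction
    details are mixed into the MAC input, so the code is bound to exactly this
    payee and amount and will not verify a tampered transaction."""
    challenge = f"{payee}|{amount_cents}".encode()
    mac = hmac.new(secret, struct.pack(">Q", counter) + challenge, hashlib.sha1).digest()
    return _truncate(mac, DIGITS)


def verify(secret: bytes, submitted: str, server_counter: int,
           challenge=None, look_ahead: int = 10):
    """Server side: accept the code if it matches any counter in the look-ahead
    window (the token may have been pressed without logging in). Returns the new
    server counter, one past the match, so the same code can never be replayed;
    returns None on failure. compare_digest avoids a timing side channel."""
    for c in range(server_counter, server_counter + look_ahead):
        expected = (hotp(secret, c) if challenge is None
                    else transaction_otp(secret, c, *challenge))
        if hmac.compare_digest(expected, submitted):
            return c + 1
    return None


if __name__ == "__main__":
    print(hotp(SEED, 0))                                  # 755224 per RFC 4226
    code = transaction_otp(SEED, 3, "ACME Ltd", 125000)
    print(verify(SEED, code, 0, ("ACME Ltd", 125000)))    # 4: accepted, counter advanced
    print(verify(SEED, code, 0, ("ACME Ltd", 999999)))    # None: amount tampered
```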
