Authentication is a basic element of software and service deployment that is commonly taken for granted. Sure, we log in to various sites and applications 20 times a day, but how many of us truly contemplate the importance of secure authentication?
Security admins, that's who. That's because they know that strong identification and authentication forms a solid layer within a larger defense-in-depth strategy. Most of us are familiar with single-factor authentication--user name and password--and adding more authentication factors is becoming more widely implemented.
Providing a user name as identification and a password as authentication assumes that knowledge of the password proves the user is who he says he is. Typically, a user registers, or is registered by someone else, and uses an assigned or self-created password. On each successive use, the user must know and use the previously stored password. The weakness in this system is that passwords can often be stolen, revealed, forgotten, or guessed.
In order to strengthen this weakness, many Internet facing systems require a second authentication factor, such as a token, digital certificate, or other out-of-band method, in addition to the password. Authentication factors are usually grouped into "something you know" (typically a password), "something you have" (for instance, a token), and "something you are" (probably a biometric). Combining factors makes breaking into an account more difficult than any single factor, unless users try to subvert these measures--for example, by writing their passwords on the back of a token.
An interesting development is SMS-based authentication codes. SMS can be used to send a one-time passcode to a phone. The advantages to using this authentication factor are that the phone is something the user already has and that the passcode travels out of band. Because the user already has a phone, the website doesn't have to purchase tokens and ship them to each new user, and the phone by definition serves as "something you have." This is important because the high cost of provisioning, replacing, revoking, and managing physical tokens has been a barrier to widespread implementation.
A pioneer in this field is PhoneFactor. The PhoneFactor system allows users to choose the authentication method they prefer, such as phone call, text message, or smartphone app, all with the same level of out-of-band security and convenience. Additional security features, such as PIN, voice recognition, and transaction verification, can be implemented for particular users or groups. For example, PhoneFactor would send an automated phone call to the user's trusted device, and the user would answer and press '#' or a button to authenticate. The image below shows such a prompt.
Another solution is Trustwave's MyIdentity. Similar to PhoneFactor, a user logs in with their existing user name and password, and the system provides a number of additional authentication options. MyIdentity can be configured to use digital certificates, SMS-based authenticator codes, voice callback, or a smartphone app to supply an additional authentication method. Trustwave MyIdentity offers a free trial.
Security professionals generally agree that a username/password combination is not serious security. Additional factors are a huge improvement, and mobile devices--even simple feature phones--can be the universal device to make authentication stronger.