This week Mark Kelly, PKI product marketing manager at Baltimore Technologies, reviews some of the primary authentication options available to financial institutions, and considers their merits and limitations.
E-security is a broad computing category with a diverse range of technologies providing different levels of assurance and protection.
In common with standard real-world security, the level of protection employed should be commensurate with the environment, parties, and overall risk involved.
To calculate the overall return on investment (ROI) of an authentication technology you must count the processes which can now be brought online, not just the direct cost of the technology itself.
Passwords are the default authentication control for computing, and are the cheapest to deploy. If technology cost is the overriding issue, passwords will win out every time.
But would you really expose core business processes to the web using just passwords?
Passwords are popular because they are cheap and can be scaled to cover large numbers of users in an open IT environment.
Unfortunately, this security model is notoriously weak and susceptible to a range of well-known threats, such as dictionary attacks against weak or reused passwords, offline brute-force cracking of a stolen central password repository, and social engineering.
The password-based security model also becomes unwieldy, unmanageable and extremely limited when a large number of user groups are involved.
As a result, passwords are unlikely to be employed beyond base level e-business processes and communications.
It's also worth noting that despite requiring minimal upfront technology investment, passwords are notoriously expensive to administer.
A fully functional e-security platform requires significant investment; far more than the time and money required to issue passwords to individuals.
However, once in place, a comprehensive trust environment provides managers with the confidence to move a multitude of core business processes online and thus drive new revenue streams, reduce internal operating costs, comply with third-party legislation and mitigate risk.
True ROI can only be gauged in this broader context. Unfortunately, this may be a tougher business case challenge in the current commercial environment, where the lowest upfront number tends to be the most appealing.
Dynamic password tokens directly address the security problems raised by username/passwords by bringing a second authentication control into the equation.
In addition to 'what you know' (username/password), this mechanism also mandates a 'what you have' factor before authentication can be established.
Dynamic tokens are generally keyring devices (or similar) that display a one-time password which changes every 60 seconds, typically after the user enters a PIN. Users must input both the static password and the current token value to authenticate themselves.
This 'two-factor' authentication is much more difficult to crack: a password that has been guessed, phished or lifted from a repository is useless without the token value for the current time window.
Unfortunately, dynamic tokens can become expensive to deploy, especially to large user groups. They often require an additional desktop component, and they can only effectively be used for authentication - no native digital signature capabilities exist.
Organisations that are truly engaged in e-business require a more holistic security model than authentication alone.
If your company wants to move core business processes onto the web it will need strong authentication controls, an ability to manage a disparate range of risk profiles, and an ability to uniquely link specific data exchanged between specific individuals.