14/11/2014

By Girish Bhat, Wave Systems


Authentication plays a vital role in our daily routine. For example, most of us start our day by either logging into a laptop/tablet or unlocking a smartphone to access email, voicemail or other information. In fact, many of our day-to-day processes require some form of authentication, whether it’s securing your house when you head off to work, unlocking your vehicle or even entering your work office via security badge, keys or otherwise.

The bottom line is that we use various forms of authentication for both IT and non-IT applications while ignoring ease of use and technology advancements. A key problem is that the authentication schemes used by the majority of enterprises today were developed more than 30 years ago; some have improved over the years, yet many are in dire need of an overhaul.

An ongoing critical challenge for CEOs and CIOs is to minimize the onslaught of attacks against enterprises that so often lead to data breaches. The industry typically reacts to these attacks by improving assessment and detection time, which is helpful, but does not minimize the problem. Invariably, existing password authentication schemes have been targeted, making passwords easy to crack and expensive to manage. The security vulnerability of passwords is omnipresent and has become a very real problem in our day-to-day lives. More and more we see reputable news outlets covering stories and publishing articles relating to authentication and data breaches, such as a recent article in the Wall Street Journal titled “The Password Is Finally Dying. Here's Mine” (http://online.wsj.com/articles/the-password-is-finally-dying-heres-mine-1405298376).

Currently, the IT and security community informally labels the various authentication schemes as follows: weak authentication, two-factor authentication and strong authentication. And yet there is no standard way of qualifying these terms. Just because you support two-factor authentication does not mean that you use strong authentication. It depends on the strength of the factors, the context and acceptance, which in itself is a huge problem.

Enterprise IT has numerous options to upgrade the existing legacy authentication solution. In addition to the physical form, shouldn’t we consider the cost of ownership, ease of use and lifecycle management capability?

To address these industry problems, consider a standards-based authentication solution such as a virtual smart card. Virtual smart cards emulate functionality provided by conventional physical smart cards, but don’t require maintenance of external physical hardware, lowering total cost of ownership.

Standards-based virtual smart cards use a hardware root of trust, the trusted platform module (TPM), which is embedded within most business-class PCs and tablets. Users do not have to carry a separate token that may be lost or stolen. The TPM securely stores credentials that can be used for a variety of common use cases. By starting the authentication process with the user’s tamper-proof secure hardware, authentication is less susceptible to break-ins and offers built-in protection against dictionary attacks.

Using virtual smart cards is easy: there is nothing to carry. The virtual smart card is the first factor and the PIN used to access it is the second factor; i.e., virtual smart cards provide standards-based strong two-factor authentication.

Enterprises now have a better option to deploy modern authentication — it’s time now for IT to place their trust in strong two-factor user authentication.