- Versatile approach that supports standard protocols and facilitates integration with multi-platform architectures.
- Extends beyond the conventional “userID” and “password” and supports a range of authentication methods for securing would-be user access to a secure information system of any kind.
- Incorporates artificial intelligence (AI) concepts into the security-accessing and authorization inputs.
- Monitors user access behavior and questionable transaction values.
In Internet security there is a consistent lack of taxonomy due to competing technologies and regulations.(74) Many of the challenges articulated in the case studies provided in my prior post demonstrate the wide range in types of data and organizations that experience cyber crime. As another case study example, it was announced today in a regulatory filing that JP Morgan Bank was hacked over the summer of 2014, affecting 76 million accounts and 10 million small business accounts.(75) The hackers gained deep access to the bank's servers; however, no proof has been found of any money being stolen.(76) Additionally, username and password security as a stand-alone solution does not provide sufficient security, because it is too easy for account information to be stolen and then published on the Internet.(77) This level of security has several limitations.
The Limitations of Single Factor Authentication
Authentication in the form of a standard login (username and password), also known as “single factor” or “first factor” authentication, is still widely used by many governments and corporations.(78) As demonstrated in the case studies evaluated, this type of security practice continues despite providing very little in the way of security when usernames and passwords are widely stolen, shared, or copied.(79) Users ultimately carry the burden when the reliance on passwords and the subsequent policies require what are generally known as “strong passwords”.(80) A “strong” password can be defined as one with a minimum of eight characters, with upper and lower case letters, numbers, and sometimes special characters.(81) It is strongly suggested that users never write down their usernames and passwords, which may have seemed reasonable in the past. It has been found that people have approximately 25 password accounts on average, and recommendations strongly suggest changing passwords every ninety days.(82) Faced with these types of requirements, users typically ignore the suggestions and use the same username and password combination for all their login requirements, from banking to social media.(83)
Single factor authentication also does very little to solve the attribution problem.(84) Attribution is the process of assigning specific biological characteristics or behaviors to a specific person.(85) When traveling internationally, people are required to present a number of credentials in person in order to gain approval for entry to or exit from a country.(86) The challenge with the Internet is that these types of credentials travel in the form of data over high-speed networks.(87)
Attempting to verify the identity of a person over a network limits attribution capabilities in this environment.(88) One could argue that fingerprint scanning, facial recognition, retinal scanning, and other biometric-type devices would suffice, but these are both elaborate and expensive pieces of hardware.(89) In the absence of this capability, it becomes incredibly difficult to surmise who or what is at the other end of an Internet connection that is requesting access to a data-sensitive system.(90)
Given the limitations of single factor authentication previously discussed, the question remains: why is single factor authentication still so commonly used to answer the question “are you who you say you are?”(91) There is a simple answer to this question: complexity and cost.(92) As discussed in the case study on RSA, there are a number of technologies like RSA SecurID available in the market that extend past the person (something you know – i.e. password, phrase, PIN).(93) These advanced second factor systems incorporate a technological element (something you have – i.e. an ID proximity card or security token) or a human element (something you are – i.e. fingerprint, retinal scan, or other biometric identifiers) to increase the probability that the “person” who is requesting access to a system is “real”.(94) These second factor authentication systems are expensive to purchase and administer, and they also ask users to change their behavior, bringing about more complexity.(95)
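The contrast between single factor and second factor authentication described above, as an added example that is not from the original post or from any vendor: a login check in Python that accepts a stolen password on its own but rejects it once a token code is also required. It uses the open RFC 6238 time-based one-time password algorithm as a stand-in for a "something you have" token, not the RSA SecurID algorithm; the account record, the password, and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def hash_password(password: str, salt: bytes) -> bytes:
    """First factor (something you know), stored as a salted PBKDF2 hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Second factor (something you have): RFC 6238 code from a token secret."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def single_factor_login(account: dict, password: str) -> bool:
    """Password only: anyone holding the stolen password gets in."""
    candidate = hash_password(password, account["salt"])
    return hmac.compare_digest(account["pw_hash"], candidate)

def two_factor_login(account: dict, password: str, code: str, now: int) -> bool:
    """Both factors must verify; one 30 s step of clock drift is tolerated."""
    pw_ok = single_factor_login(account, password)
    valid = [totp(account["token_secret"], max(0, now + d)) for d in (-30, 0, 30)]
    code_ok = any(hmac.compare_digest(v.encode(), code.encode()) for v in valid)
    return pw_ok and code_ok

# Constructed sample account; the token secret is the RFC 6238 test key.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ACCOUNT = {
    "salt": SALT,
    "pw_hash": hash_password("Example-Passw0rd", SALT),
    "token_secret": b"12345678901234567890",
}

if __name__ == "__main__":
    now = 59  # RFC 6238 test time; the token shows 287082 at this moment
    stolen = "Example-Passw0rd"  # attacker holds the password but not the token
    real_code = totp(ACCOUNT["token_secret"], now)
    print("single factor, stolen password:", single_factor_login(ACCOUNT, stolen))
    print("two factor, guessed code:", two_factor_login(ACCOUNT, stolen, "000000", now))
    print("two factor, real token code:", two_factor_login(ACCOUNT, stolen, real_code, now))
```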
In my next post we will discuss the core challenges to security: Cost and Complexity.