SlideShare a Scribd company logo

A Better Method of Authentication

Osterman Research, Inc.
Osterman Research, Inc.

Organizations need highly secure authentication under IT’s control, coupled with an access method that is very easy for users – especially users on mobile devices. This executive brief discusses the problems with current authentication systems and offers an overview of a more advanced and more secure system of authentication.

BusinessTechnology
1 of 7
Download to read offline
EXECUTIVE BRIEF A Better Method of Authentication SPON An Osterman Research Executive Brief Published June 2012 sponsored by SPON sponsored by Osterman Research, Inc. P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA Tel: +1 253 630 5839 • Fax: +1 253 458 0934 • info@ostermanresearch.com www.ostermanresearch.com • twitter.com/mosterman
A Better Method of Authentication EXECUTIVE SUMMARY Conventional authentication using passwords based on alphanumeric characters and punctuation is fraught with difficulties and security risks: • Users often will write down passwords and/or use the same password on multiple systems, increasing the risk to corporate application and data security. • When left to determine their own level of password strength, users often will opt for short or simple passwords that are easy to remember, increasing the likelihood that systems can be hacked. • Users forget passwords, prompting them to call a help desk or use password- reset systems, which can increase support costs and reduce user productivity. • The Bring-Your-Own-Device (BYOD) phenomenon is making the problem worse Conventional because IT has even less control over access to corporate systems and data – and the authentication methods used to access them. authentication using passwords Organizations need highly secure authentication under IT’s control, coupled with an access method that is very easy for users – especially users on mobile devices. This based on brief discusses the problem with current authentication systems and offers an alphanumeric overview of a more advanced and more secure system of authentication. characters and/or punctuation is THE NEED FOR IMPROVED AUTHENTICATION fraught with TRADITIONAL AUTHENTICATION WORKS REASONABLY WELL difficulties and FOR TRADITIONAL SYSTEMS security risks. The wide range of authentication methods currently used in most organizations runs the gamut from simple, inexpensive and relatively insecure to complex, expensive and highly secure: • Usernames and passwords are the most common approach and often used for relatively low-security systems. Although inexpensive to deploy and familiar for users, this method provides a fairly low level of security. This executive • Challenge/response systems that require answers to security questions that have brief offers an been previously populated in the system are often used as a second layer of authentication or for a higher level of access. overview of a more advanced • Even more secure systems may use one-time password tokens, out-of-band authentication, seals, and certificate-based authentication. and more secure system of • The highest security solutions may employ multiple factor or biometric authentication, such as a user’s fingerprint, face, iris, or some other physical authentication. attribute to grant access. The level of security that an organization selects for a particular system or application will depend on several factors, including the sensitivity or confidentiality of the data being accessed, the trustworthiness of the individual accessing the information, the venue from which the accessor is attempting to enter the system, the device from which the user is accessing a system, and other factors. For traditional access of a corporate system from a desktop or laptop computer from behind a corporate firewall using a standard keyboard, these access methods work reasonably well. ©2012 Osterman Research, Inc. 1
A Better Method of Authentication EVEN SO, THERE ARE PROBLEMS Despite the relative ease with which users can access traditional systems using these authentication methods, there are problems with them: • Users often forget passwords and need to contact a help desk or automated system for a password reset, which increases support costs within the organization. • Users will typically employ the same passwords on multiple systems so they do not have to remember a unique username/password combination for each system they access, thereby degrading the overall security of access to corporate data. • Users will often remain permanently logged in to various systems to avoid the difficulties associated with traditional login procedures. • Many users write down passwords because they are too difficult or too numerous to remember. • Static, text passwords are susceptible to keylogger malware and dictionary style brute-force attacks. • Finally, a perennial problem is that users employ passwords that are far too Although users simple so that they can remember them more easily, making life for hackers that much less difficult. of traditional authentication DATA BREACHES ARE A SERIOUS PROBLEM find passwords to There have been numerous data breaches in which usernames and passwords have been stolen. According to the 2011 Data Breach Investigations Report by the US be a burden Secret Service and Verizon, the exploitation of default or guessable authentication when using credentials is one of the most common causes of corporate data breaches and was a factor in nearly 35% of the data breaches investigated in the report.i For example, desktop LinkedIn suffered a breach of 6.5 million passwords in mid-2012, hackers computers or compromised the account credentials and information for 24 million Zappos customers in early 2012ii, and in mid-2011 Sony suffered a leak of more than 100 laptops, the million user passwords and account information in a series of data breaches. It’s problems are estimated that the data breach cost Sony at least $171 million to clean up and users did not have access to their accounts for more than one month. much worse for mobile users. The Sony password breach, in particular, underscored one of the fundamental problems with a large proportion of current login credentials: weak passwords that are easy for hackers to guess. For example, an analysis of the Sony breachiii revealed that among the most commonly used passwords were “123456”, “password”, “seinfeld”, “winner” and “michael”. Moreover, the analysis found that some of the breached passwords had as few as four characters, with the two most common passwords lengths being six and eight characters. THE PROBLEMS ARE MUCH WORSE FOR MOBILE DEVICES Although users of traditional authentication find passwords to be a burden when using desktop computers or laptops, the problems are much worse for mobile users. Entering long strings of text and numbers using a mobile keyboard is not easy, particularly when a combination of upper and lower case characters must be entered. When “strong” passwords are required – involving eight or more characters including upper and lower case letters, numbers and symbols -- the problems for mobile users multiply, including mistakes entering characters that may lock users out after a limited number of retries. When authentication becomes too burdensome, users opt instead for weak passwords or they leave their devices permanently logged in, which puts data security at risk. ©2012 Osterman Research, Inc. 2
A Better Method of Authentication The BYOD phenomenon that is prevalent in just about every organization today is exacerbating the problem. Because users often employ their own devices to access corporate data, IT has less control over the devices and, in some cases, the authentication methods that are used for access. Among the problems introduced by the BYOD phenomenon are: • Few users – only about 30% according to a Sophos studyiv – employ passwords on their mobile devices because typing multiple, non-alphanumeric characters on a miniature keyboard introduces yet another difficulty when using the device. • A large number of mobile devices are lost or stolen – two million per year according to one sourcev. Adding to the problem of lost devices is the propensity of those who find lost devices to search through them. For example, the Symantec Smartphone Honey Stick Project found that when a phone is lost, 89% of those recovering it will search through the phone for the owner’s personal informationvi. Tablets, in particular, represent another problem because these devices are • increasingly becoming multi-user devices, often shared among the employee’s Organizations family members. This emphasizes the critical importance of protecting corporate need a better way applications or data using password protection to ensure that family members do not inadvertently access, delete or modify important information or unknowingly to authenticate introduce spyware or key loggers onto the device. users to corp- orate systems. THE RISKS OF POOR AUTHENTICATION ARE SIGNIFICANT Cumbersome authentication methods for mobile access tempt users to choose weak They need an passwords or stay logged into corporate systems. This creates some potentially approach that is serious consequences, including a greater likelihood of losing intellectual property if someone loses a device or if a hacker can determine one’s username/password much easier for combination. Data breaches can also result, triggering expensive mitigation efforts users to as a result of statutory notification requirements: 46 of the 50 US states now have data breach notification laws that require notification of affected parties in the event remember than personal data is lost or stolen. traditional passwords, and A NEW APPROACH TO AUTHENTICATION easier to enter on Organizations need a better way to authenticate users to corporate systems and mobile devices, applications in order to protect against the problems discussed above. They need an one that is approach that is much easier for users to remember than traditional passwords, and easier to enter on mobile devices, one that is inherently more secure than text inherently more passwords, and one that will motivate users to follow best practices for strong secure than text authentication on every device and for every application. passwords. One way to do this is to use dynamic, image-based authentication instead of static alphanumeric characters. Confident Technologies offers a unique authentication technology in which users pre-select authorization categories that will be used to generate a one-time password. For example, a user may select “dogs”, “fish” and “cars” as the categories they will have to identify. When a user needs to authenticate – on a mobile phone, in a desktop application or on an iPad, for example – a randomly generated grid of images is presented to the user. The user simply selects the appropriate images that correspond to his or her pre-determined categories, which only he or she knows, and access is granted as if a conventional password had been entered. The specific pictures presented to the user are different every time, which allows the technology to create a unique, one-time access code. Although the pictures are different every time, the user will always look for their same categories (dogs, fish and cars, in this example). THE BENEFITS OF USING IMAGES Using dynamic, image-based authentication offers a number of advantages over the use of conventional passwords: ©2012 Osterman Research, Inc. 3
A Better Method of Authentication • Because humans think in pictures, it is far easier for people to remember categories and recognize images than remember passwords, particularly complex passwords consisting of long strings of alphanumeric characters and symbols. For example, one studyvii found that image-based authentication resulted in 100% recall even after 16 weeks, compared to lower recall for Personal Identification Numbers (PINs) or passwords after the same length of time. This reduces password resets and eliminates the motivation for people to choose weak passwords or use the same password on multiple systems. • When users are presented with a grid of images, the display can jog users’ memories of which categories they initially selected as their authentication categories. In essence, the authentication secret is hidden in plain sight and only the user knows how to recognize it. • Authentication using images is much easier than entering characters on a mobile device keyboard, particularly a smartphone. With images, the user can simply tap a few pictures – no need to type on a tiny keypad or switch back and forth among multiple keypads. • The level of authentication required can easily be matched to the security or sensitivity of the application or data being accessed without the problems inherent in making users remember multiple passwords. For example, a system or data repository that requires minimal security might present a user with a grid of nine images from which he or she must identify two of their predetermined categories. A more secure system might require the user to identify three of their categories on a grid of 16 images, while a highly secure system might Authentication require identification of four categories on a grid of 25 images. using images is • An image-based authentication system is more resistant against dictionary much easier than attacks and keystroke-logging malware. Because the specific images and their entering location on the grid are different each time, keystroke-logging malware is not useful to potential hackers, and because text passwords are not used, dictionary characters on a attacks simply don’t apply. mobile device • The creation of a one-time password – more difficult in conventional password keyboard, schemes, but much easier with an image-based system – provides a greater level particularly a of security than any static password. smartphone. • As with conventional authentication systems, a lockout feature can be enabled if the user enters the wrong images in a certain number of attempts. A “KillSwitch” feature can also be enabled, where a user can designate a specific image category as an automatic lockout. If a hacker or a bot selects an image associated with the KillSwitch category, the account would be immediately locked and/or it would trigger a security alert. These features prevent brute-force attacks and can dramatically reduce the impact of losing a mobile device or having an unauthorized user attempt to hack into the corporate network to steal data. USE CASES There are a number of use cases for image-based authentication of the type discussed above. For example: • Physicians and clinicians can use image-based authentication as a secondary form of authentication for single sign-on systems when accessing patient records or hospital records on their personal iPads or other mobile devices they bring into the organization. This is much easier and faster than using passwords on mobile devices and allows access to be compliant with the Health Insurance Portability and Accountability Act (HIPAA). Because a physician or clinician may need to log into patient or other records 50 or more times per day as they make their rounds, the speed and convenience offered by image-based authentication is very beneficial. ©2012 Osterman Research, Inc. 4
A Better Method of Authentication • Users who must access corporate systems frequently – salespeople, police officers, warehouse managers, etc. – can use image-based authentication as their primary authentication system, as a secondary method for single sign-on systems, or as a means of easily regaining access to a system after it has timed out. • Corporate IT departments could partition employee-owned mobile devices in order to separate corporate applications and data from personal apps and data, granting access to the former using image-based authentication. This would allow IT to manage access to the corporate partition and remotely wipe it if the device was lost, eliminating most of the consequences of a data breach. • The use of image-based authentication can be integrated with geolocation data, triggering the use of an image grid for authentication only when a user was in an insecure location, such as when accessing a corporate application via a public Wi-Fi hotspot or elsewhere beyond the corporate firewall. • Looking down the road a bit, image-based authentication could also be an effective method of preventing unauthorized purchases from a mobile device when used as an “e-wallet”, a practice increasingly common in Scandinavia and elsewhere. The use of WHO SHOULD BE THINKING ABOUT THIS? Better authentication benefits everyone: image-based authentication • Users, who will find it easier to access corporate systems without having to remember complicated, strong passwords; and who will be more motivated not can be integrated to bypass secure access to corporate systems and data. with geolocation • Their employers, who will run less risk of users bypassing authentication data, triggering methods for the sake of convenience or otherwise engaging in poor security the use of an practices, such as choosing weak passwords, writing down passwords or using the same password on multiple systems. Stronger authentication practices help image grid for businesses to reduce the risk of security breaches, data loss, privacy violations, authentication etc. only when a user • Mobile application developers, who can build greater security into their was in an applications without imposing burdensome authentication processes on end users. insecure location. ABOUT CONFIDENT TECHNOLOGIES Confident Technologies, Inc. provides intuitive and secure, image-based authentication solutions for websites, Web applications, mobile applications and mobile devices. The company’s image-based authentication solutions enable organizations to increase security without sacrificing ease-of-use. Using patented, image-based authentication technology, Confident Technologies helps organizations: • Improve the ease-of-use for user authentication on websites, applications and enterprise systems. • Protect confidential data and online accounts. • Improve the customer's online experience, driving loyalty and increased revenue. • Decrease IT costs and support costs related to authentication and password issues. ©2012 Osterman Research, Inc. 5
A Better Method of Authentication • Meet compliance with regulatory requirements for strong authentication Image- based authentication can be used as a stand-alone replacement for traditional authentication methods including as passwords, tokens, smart cards and security challenge questions. Confident Technologies' solutions can also be used in conjunction with other authentication tools to provide a layer of strong, multifactor authentication and out-of-band authentication. © 2012 Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws (including but not limited to any act, statue, regulation, rule, directive, administrative order, executive order, etc. (collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL. i http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report- 2011_en_xg.pdf ii http://www.usatoday.com/tech/news/story/2012-01-16/mark-smith-zappos- breach-tips/52593484/1 iii http://flowingdata.com/2011/06/13/analysis-of-passwords-in-sony-pictures-security-breach/ iv http://www.usatoday.com/tech/news/story/2012-03-22/lost-phones/53707448/1 v http://www.infosecisland.com/blogview/13078-The-Rise-of-Smartphones-and- Related-Security-Issues.html vi http://www.symantec.com/content/en/us/about/presskits/b-symantec-smartphone- honey-stick-project.en-us.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_ linkedin_2012Mar_worldwide_honeystick vii http://www.netaro.info/~zetaka/publications/papers/awasee-UBICOMP2005.pdf ©2012 Osterman Research, Inc. 6

Recommended

Enterprise Mobile Security for PeopleSoft
Enterprise Mobile Security for PeopleSoftEnterprise Mobile Security for PeopleSoft
Enterprise Mobile Security for PeopleSoft
Hendrix Bodden
 
Justice Federal Credit Union Success Story
Justice Federal Credit Union Success StoryJustice Federal Credit Union Success Story
Justice Federal Credit Union Success Story
Imprivata
 
Securing the Human (人を守るセキュリティ)
Securing the Human (人を守るセキュリティ)Securing the Human (人を守るセキュリティ)
Securing the Human (人を守るセキュリティ)
itforum-roundtable
 
CH11-Managing Computing Securely, Safely and Ethically
CH11-Managing Computing Securely, Safely and EthicallyCH11-Managing Computing Securely, Safely and Ethically
CH11-Managing Computing Securely, Safely and Ethically
Sukanya Ben
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions www.ijeijournal.com
 
4514ijmnct01
4514ijmnct014514ijmnct01
4514ijmnct01
ijmnct
 
Review on Quantum Watermarking Techniques
Review on Quantum Watermarking TechniquesReview on Quantum Watermarking Techniques
Review on Quantum Watermarking Techniques
IRJET Journal
 
The Consumerisation of Corporate IT
The Consumerisation of Corporate ITThe Consumerisation of Corporate IT
The Consumerisation of Corporate IT
Peter Wood
 

Recommended

Enterprise Mobile Security for PeopleSoft
Enterprise Mobile Security for PeopleSoftEnterprise Mobile Security for PeopleSoft
Enterprise Mobile Security for PeopleSoft
Hendrix Bodden
 
Justice Federal Credit Union Success Story
Justice Federal Credit Union Success StoryJustice Federal Credit Union Success Story
Justice Federal Credit Union Success Story
Imprivata
 
Securing the Human (人を守るセキュリティ)
Securing the Human (人を守るセキュリティ)Securing the Human (人を守るセキュリティ)
Securing the Human (人を守るセキュリティ)
itforum-roundtable
 
CH11-Managing Computing Securely, Safely and Ethically
CH11-Managing Computing Securely, Safely and EthicallyCH11-Managing Computing Securely, Safely and Ethically
CH11-Managing Computing Securely, Safely and Ethically
Sukanya Ben
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions www.ijeijournal.com
 
4514ijmnct01
4514ijmnct014514ijmnct01
4514ijmnct01
ijmnct
 
Review on Quantum Watermarking Techniques
Review on Quantum Watermarking TechniquesReview on Quantum Watermarking Techniques
Review on Quantum Watermarking Techniques
IRJET Journal
 
The Consumerisation of Corporate IT
The Consumerisation of Corporate ITThe Consumerisation of Corporate IT
The Consumerisation of Corporate IT
Peter Wood
 
DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...
DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...
DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...
IJCSIS Research Publications
 
MBM's InterGuard Security Suite
MBM's InterGuard Security SuiteMBM's InterGuard Security Suite
MBM's InterGuard Security Suite
Charles McNeil
 
State of art of mobile forensics
State of art of mobile forensicsState of art of mobile forensics
State of art of mobile forensics
STO STRATEGY
 
Graphical Password Authentication using Images Sequence
Graphical Password Authentication using Images SequenceGraphical Password Authentication using Images Sequence
Graphical Password Authentication using Images Sequence
IRJET Journal
 
Security White Paper
Security White PaperSecurity White Paper
Security White Paper
MobiWee
 
Sms based otp
Sms based otpSms based otp
Sms based otp
Hai Nguyen
 
Database Security Two Way Authentication Using Graphical Password
Database Security Two Way Authentication Using Graphical PasswordDatabase Security Two Way Authentication Using Graphical Password
Database Security Two Way Authentication Using Graphical Password
IJERA Editor
 
Security 2 Q 07[1]
Security 2 Q 07[1]Security 2 Q 07[1]
Security 2 Q 07[1]
Sharpe Smith
 
Cellopoint Email UTM
Cellopoint Email UTMCellopoint Email UTM
Cellopoint Email UTM
Allyssa Yang
 
Smart Protection Network
Smart Protection NetworkSmart Protection Network
Smart Protection Network
kevin liao
 
Webroot Construction sector datasheet
Webroot Construction sector datasheetWebroot Construction sector datasheet
Webroot Construction sector datasheet
Paul Tompsett
 
Giarritano concept paper 4
Giarritano concept paper 4Giarritano concept paper 4
Giarritano concept paper 4
leahg118
 
A novel multifactor authentication system ensuring usability and security
A novel multifactor authentication system ensuring usability and securityA novel multifactor authentication system ensuring usability and security
A novel multifactor authentication system ensuring usability and security
ijsptm
 
Presentatie mc afee emm 2011
Presentatie mc afee emm 2011Presentatie mc afee emm 2011
Presentatie mc afee emm 2011
SecutecGroup Baudewijns
 
Sw keynote
Sw keynoteSw keynote
Sw keynote
gueste69f645
 
VIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of BloatwareVIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of Bloatware
GFI Software
 
Ldc
LdcLdc
Ldc
Akosenko
 
Enhanced Dynamic Leakage Detection and Piracy Prevention in Content Delivery ...
Enhanced Dynamic Leakage Detection and Piracy Prevention in Content Delivery ...Enhanced Dynamic Leakage Detection and Piracy Prevention in Content Delivery ...
Enhanced Dynamic Leakage Detection and Piracy Prevention in Content Delivery ...
Editor IJMTER
 
Puppetnets and Botnets: Information Technology Vulnerability Exploits
Puppetnets and Botnets: Information Technology Vulnerability ExploitsPuppetnets and Botnets: Information Technology Vulnerability Exploits
Puppetnets and Botnets: Information Technology Vulnerability Exploits
ecarrow
 
Eds user authenticationuser authentication methods
Eds user authenticationuser authentication methodsEds user authenticationuser authentication methods
Eds user authenticationuser authentication methods
lapao2014
 
#MFSummit2016 Secure: Mind the gap strengthening the information security model
#MFSummit2016 Secure: Mind the gap strengthening the information security model#MFSummit2016 Secure: Mind the gap strengthening the information security model
#MFSummit2016 Secure: Mind the gap strengthening the information security model
Micro Focus
 
Authentication_Best_Practices_WP(EN)_web
Authentication_Best_Practices_WP(EN)_webAuthentication_Best_Practices_WP(EN)_web
Authentication_Best_Practices_WP(EN)_web
SafeNet
 

More Related Content

What's hot

DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...
DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...
DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...
IJCSIS Research Publications
 
MBM's InterGuard Security Suite
MBM's InterGuard Security SuiteMBM's InterGuard Security Suite
MBM's InterGuard Security Suite
Charles McNeil
 
State of art of mobile forensics
State of art of mobile forensicsState of art of mobile forensics
State of art of mobile forensics
STO STRATEGY
 
Security White Paper
Security White PaperSecurity White Paper
Security White Paper
MobiWee
 
Security 2 Q 07[1]
Security 2 Q 07[1]Security 2 Q 07[1]
Security 2 Q 07[1]
Sharpe Smith
 
Smart Protection Network
Smart Protection NetworkSmart Protection Network
Smart Protection Network
kevin liao
 
Webroot Construction sector datasheet
Webroot Construction sector datasheetWebroot Construction sector datasheet
Webroot Construction sector datasheet
Paul Tompsett
 
Giarritano concept paper 4
Giarritano concept paper 4Giarritano concept paper 4
Giarritano concept paper 4
leahg118
 
A novel multifactor authentication system ensuring usability and security
A novel multifactor authentication system ensuring usability and securityA novel multifactor authentication system ensuring usability and security
A novel multifactor authentication system ensuring usability and security
ijsptm
 
Enhanced Dynamic Leakage Detection and Piracy Prevention in Content Delivery ...
Enhanced Dynamic Leakage Detection and Piracy Prevention in Content Delivery ...Enhanced Dynamic Leakage Detection and Piracy Prevention in Content Delivery ...
Enhanced Dynamic Leakage Detection and Piracy Prevention in Content Delivery ...
Editor IJMTER
 
Puppetnets and Botnets: Information Technology Vulnerability Exploits
Puppetnets and Botnets: Information Technology Vulnerability ExploitsPuppetnets and Botnets: Information Technology Vulnerability Exploits
Puppetnets and Botnets: Information Technology Vulnerability Exploits
ecarrow
 

What's hot (19)

DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...
DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...
DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...
 
MBM's InterGuard Security Suite
MBM's InterGuard Security SuiteMBM's InterGuard Security Suite
MBM's InterGuard Security Suite
 
State of art of mobile forensics
State of art of mobile forensicsState of art of mobile forensics
State of art of mobile forensics
 
Graphical Password Authentication using Images Sequence
Graphical Password Authentication using Images SequenceGraphical Password Authentication using Images Sequence
Graphical Password Authentication using Images Sequence
 
Security White Paper
Security White PaperSecurity White Paper
Security White Paper
 
Sms based otp
Sms based otpSms based otp
Sms based otp
 
Database Security Two Way Authentication Using Graphical Password
Database Security Two Way Authentication Using Graphical PasswordDatabase Security Two Way Authentication Using Graphical Password
Database Security Two Way Authentication Using Graphical Password
 
Security 2 Q 07[1]
Security 2 Q 07[1]Security 2 Q 07[1]
Security 2 Q 07[1]
 
Cellopoint Email UTM
Cellopoint Email UTMCellopoint Email UTM
Cellopoint Email UTM
 
Smart Protection Network
Smart Protection NetworkSmart Protection Network
Smart Protection Network
 
Webroot Construction sector datasheet
Webroot Construction sector datasheetWebroot Construction sector datasheet
Webroot Construction sector datasheet
 
Giarritano concept paper 4
Giarritano concept paper 4Giarritano concept paper 4
Giarritano concept paper 4
 
A novel multifactor authentication system ensuring usability and security
A novel multifactor authentication system ensuring usability and securityA novel multifactor authentication system ensuring usability and security
A novel multifactor authentication system ensuring usability and security
 
Presentatie mc afee emm 2011
Presentatie mc afee emm 2011Presentatie mc afee emm 2011
Presentatie mc afee emm 2011
 
Sw keynote
Sw keynoteSw keynote
Sw keynote
 
VIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of BloatwareVIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of Bloatware
 
Ldc
LdcLdc
Ldc
 
Enhanced Dynamic Leakage Detection and Piracy Prevention in Content Delivery ...
Enhanced Dynamic Leakage Detection and Piracy Prevention in Content Delivery ...Enhanced Dynamic Leakage Detection and Piracy Prevention in Content Delivery ...
Enhanced Dynamic Leakage Detection and Piracy Prevention in Content Delivery ...
 
Puppetnets and Botnets: Information Technology Vulnerability Exploits
Puppetnets and Botnets: Information Technology Vulnerability ExploitsPuppetnets and Botnets: Information Technology Vulnerability Exploits
Puppetnets and Botnets: Information Technology Vulnerability Exploits
 

Similar to A Better Method of Authentication

Authentication_Best_Practices_WP(EN)_web
Authentication_Best_Practices_WP(EN)_webAuthentication_Best_Practices_WP(EN)_web
Authentication_Best_Practices_WP(EN)_web
SafeNet
 
Strong Authentication: Securing Identities and Enabling Business
Strong Authentication: Securing Identities and Enabling BusinessStrong Authentication: Securing Identities and Enabling Business
Strong Authentication: Securing Identities and Enabling Business
SafeNet
 
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_faSecuring corporate assets_with_2_fa
Securing corporate assets_with_2_fa
Hai Nguyen
 
Three Step Multifactor Authentication Systems for Modern Security
Three Step Multifactor Authentication Systems for Modern SecurityThree Step Multifactor Authentication Systems for Modern Security
Three Step Multifactor Authentication Systems for Modern Security
ijtsrd
 
Authenticationtechnologies 120711134100-phpapp01
Authenticationtechnologies 120711134100-phpapp01Authenticationtechnologies 120711134100-phpapp01
Authenticationtechnologies 120711134100-phpapp01
Hai Nguyen
 

Similar to A Better Method of Authentication (20)

Eds user authenticationuser authentication methods
Eds user authenticationuser authentication methodsEds user authenticationuser authentication methods
Eds user authenticationuser authentication methods
 
#MFSummit2016 Secure: Mind the gap strengthening the information security model
#MFSummit2016 Secure: Mind the gap strengthening the information security model#MFSummit2016 Secure: Mind the gap strengthening the information security model
#MFSummit2016 Secure: Mind the gap strengthening the information security model
 
Authentication_Best_Practices_WP(EN)_web
Authentication_Best_Practices_WP(EN)_webAuthentication_Best_Practices_WP(EN)_web
Authentication_Best_Practices_WP(EN)_web
 
Solving problems with authentication
Solving problems with authenticationSolving problems with authentication
Solving problems with authentication
 
Strong Authentication: Securing Identities and Enabling Business
Strong Authentication: Securing Identities and Enabling BusinessStrong Authentication: Securing Identities and Enabling Business
Strong Authentication: Securing Identities and Enabling Business
 
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
Webinar: Beyond Two-Factor: Secure Access Control for Office 365 Webinar: Beyond Two-Factor: Secure Access Control for Office 365
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
 
Identity and Security in the Cloud
Identity and Security in the CloudIdentity and Security in the Cloud
Identity and Security in the Cloud
 
How To Make Mobile Apps Secure - Mobile login multifactor authentication.
How To Make Mobile Apps Secure - Mobile login multifactor authentication.How To Make Mobile Apps Secure - Mobile login multifactor authentication.
How To Make Mobile Apps Secure - Mobile login multifactor authentication.
 
Enhancing Authentication to Secure the Open Enterprise
Enhancing Authentication to Secure the Open EnterpriseEnhancing Authentication to Secure the Open Enterprise
Enhancing Authentication to Secure the Open Enterprise
 
Meeting the Cybersecurity Challenge
Meeting the Cybersecurity ChallengeMeeting the Cybersecurity Challenge
Meeting the Cybersecurity Challenge
 
Unit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptxUnit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptx
 
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_faSecuring corporate assets_with_2_fa
Securing corporate assets_with_2_fa
 
Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1
 
Multi Factor Authentication Whitepaper Arx - Intellect Design
Multi Factor Authentication Whitepaper Arx - Intellect DesignMulti Factor Authentication Whitepaper Arx - Intellect Design
Multi Factor Authentication Whitepaper Arx - Intellect Design
 
Security Testing In The Secured World
Security Testing In The Secured WorldSecurity Testing In The Secured World
Security Testing In The Secured World
 
Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...
 
Three Step Multifactor Authentication Systems for Modern Security
Three Step Multifactor Authentication Systems for Modern SecurityThree Step Multifactor Authentication Systems for Modern Security
Three Step Multifactor Authentication Systems for Modern Security
 
I Series User Management
I Series User ManagementI Series User Management
I Series User Management
 
BeyondCorp and Zero Trust
BeyondCorp and Zero TrustBeyondCorp and Zero Trust
BeyondCorp and Zero Trust
 
Authenticationtechnologies 120711134100-phpapp01
Authenticationtechnologies 120711134100-phpapp01Authenticationtechnologies 120711134100-phpapp01
Authenticationtechnologies 120711134100-phpapp01
 

More from Osterman Research, Inc.

How the Cloud Can Make Government Archiving More Secure and Less Expensive
How the Cloud Can Make Government Archiving More Secure and Less ExpensiveHow the Cloud Can Make Government Archiving More Secure and Less Expensive
How the Cloud Can Make Government Archiving More Secure and Less Expensive
Osterman Research, Inc.
 
Secure, Reliable and Compliant: How the Cloud Can Make Archiving Profitable f...
Secure, Reliable and Compliant: How the Cloud Can Make Archiving Profitable f...Secure, Reliable and Compliant: How the Cloud Can Make Archiving Profitable f...
Secure, Reliable and Compliant: How the Cloud Can Make Archiving Profitable f...
Osterman Research, Inc.
 
Putting IT Back in Control of BYOD
Putting IT Back in Control of BYODPutting IT Back in Control of BYOD
Putting IT Back in Control of BYOD
Osterman Research, Inc.
 
Taking a Strategic Approach to Unified Communications: Best of Breed vs. Sing...
Taking a Strategic Approach to Unified Communications: Best of Breed vs. Sing...Taking a Strategic Approach to Unified Communications: Best of Breed vs. Sing...
Taking a Strategic Approach to Unified Communications: Best of Breed vs. Sing...
Osterman Research, Inc.
 
Cloud vs. Cloud: Comparing the TCO of Office 365 and Private Clouds
Cloud vs. Cloud: Comparing the TCO of Office 365 and Private CloudsCloud vs. Cloud: Comparing the TCO of Office 365 and Private Clouds
Cloud vs. Cloud: Comparing the TCO of Office 365 and Private Clouds
Osterman Research, Inc.
 
Why You Need to Consider Cloud-Based Security in 2012
Why You Need to Consider Cloud-Based Security in 2012Why You Need to Consider Cloud-Based Security in 2012
Why You Need to Consider Cloud-Based Security in 2012
Osterman Research, Inc.
 

More from Osterman Research, Inc. (20)

Best Practices for Managing Archive Migrations
Best Practices for Managing Archive MigrationsBest Practices for Managing Archive Migrations
Best Practices for Managing Archive Migrations
 
Using Email, File, Social Media and Mobile Archiving to Grow Your Business
Using Email, File, Social Media and Mobile Archiving to Grow Your BusinessUsing Email, File, Social Media and Mobile Archiving to Grow Your Business
Using Email, File, Social Media and Mobile Archiving to Grow Your Business
 
Best Practices for File Sharing
Best Practices for File SharingBest Practices for File Sharing
Best Practices for File Sharing
 
The Need for Third-Party Security, Compliance and Other Capabilities in Micro...
The Need for Third-Party Security, Compliance and Other Capabilities in Micro...The Need for Third-Party Security, Compliance and Other Capabilities in Micro...
The Need for Third-Party Security, Compliance and Other Capabilities in Micro...
 
Managing BYOD in Corporate Environments
Managing BYOD in Corporate EnvironmentsManaging BYOD in Corporate Environments
Managing BYOD in Corporate Environments
 
Survey Report: Managing BYOD in Corporate Environments
Survey Report: Managing BYOD in Corporate EnvironmentsSurvey Report: Managing BYOD in Corporate Environments
Survey Report: Managing BYOD in Corporate Environments
 
Survey Report: Results of a Survey on Microsoft Office 365
Survey Report: Results of a Survey on Microsoft Office 365Survey Report: Results of a Survey on Microsoft Office 365
Survey Report: Results of a Survey on Microsoft Office 365
 
How the Cloud Can Make Government Archiving More Secure and Less Expensive
How the Cloud Can Make Government Archiving More Secure and Less ExpensiveHow the Cloud Can Make Government Archiving More Secure and Less Expensive
How the Cloud Can Make Government Archiving More Secure and Less Expensive
 
Secure, Reliable and Compliant: How the Cloud Can Make Archiving Profitable f...
Secure, Reliable and Compliant: How the Cloud Can Make Archiving Profitable f...Secure, Reliable and Compliant: How the Cloud Can Make Archiving Profitable f...
Secure, Reliable and Compliant: How the Cloud Can Make Archiving Profitable f...
 
Putting IT Back in Control of BYOD
Putting IT Back in Control of BYODPutting IT Back in Control of BYOD
Putting IT Back in Control of BYOD
 
Mobile Devices in the Enterprise: MDM Usage and Adoption Trends
Mobile Devices in the Enterprise: MDM Usage and Adoption TrendsMobile Devices in the Enterprise: MDM Usage and Adoption Trends
Mobile Devices in the Enterprise: MDM Usage and Adoption Trends
 
Key Issues in eDiscovery
Key Issues in eDiscoveryKey Issues in eDiscovery
Key Issues in eDiscovery
 
Why Third-Party Archiving is Still Necessary in Exchange 2010
Why Third-Party Archiving is Still Necessary in Exchange 2010Why Third-Party Archiving is Still Necessary in Exchange 2010
Why Third-Party Archiving is Still Necessary in Exchange 2010
 
Why All Organizations Need to Manage and Archive Social Media
Why All Organizations Need to Manage and Archive Social MediaWhy All Organizations Need to Manage and Archive Social Media
Why All Organizations Need to Manage and Archive Social Media
 
What is the Total Value of Ownership for a Hosted PBX?
What is the Total Value of Ownership for a Hosted PBX?What is the Total Value of Ownership for a Hosted PBX?
What is the Total Value of Ownership for a Hosted PBX?
 
Taking a Strategic Approach to Unified Communications: Best of Breed vs. Sing...
Taking a Strategic Approach to Unified Communications: Best of Breed vs. Sing...Taking a Strategic Approach to Unified Communications: Best of Breed vs. Sing...
Taking a Strategic Approach to Unified Communications: Best of Breed vs. Sing...
 
Cloud vs. Cloud: Comparing the TCO of Office 365 and Private Clouds
Cloud vs. Cloud: Comparing the TCO of Office 365 and Private CloudsCloud vs. Cloud: Comparing the TCO of Office 365 and Private Clouds
Cloud vs. Cloud: Comparing the TCO of Office 365 and Private Clouds
 
Why You Need to Consider Cloud-Based Security in 2012
Why You Need to Consider Cloud-Based Security in 2012Why You Need to Consider Cloud-Based Security in 2012
Why You Need to Consider Cloud-Based Security in 2012
 
Important Issues for Federal Agencies to Consider When Using Social Media and...
Important Issues for Federal Agencies to Consider When Using Social Media and...Important Issues for Federal Agencies to Consider When Using Social Media and...
Important Issues for Federal Agencies to Consider When Using Social Media and...
 
Making File Transfer Easier, Compliant and More Secure
Making File Transfer Easier, Compliant and More SecureMaking File Transfer Easier, Compliant and More Secure
Making File Transfer Easier, Compliant and More Secure
 

Recently uploaded

ALWAR 💋 Call Girl 9827461493 Call Girls in Escort service book now
ALWAR 💋 Call Girl 9827461493 Call Girls in Escort service book nowALWAR 💋 Call Girl 9827461493 Call Girls in Escort service book now
ALWAR 💋 Call Girl 9827461493 Call Girls in Escort service book now
kapoorjyoti4444
 
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
daisycvs
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
daisycvs
 
KOTA 💋 Call Girl 9827461493 Call Girls in Escort service book now
KOTA 💋 Call Girl 9827461493 Call Girls in Escort service book nowKOTA 💋 Call Girl 9827461493 Call Girls in Escort service book now
KOTA 💋 Call Girl 9827461493 Call Girls in Escort service book now
kapoorjyoti4444
 

Recently uploaded (20)

Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
 
Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024
 
Cuttack Call Girl Just Call 8084732287 Top Class Call Girl Service Available
Cuttack Call Girl Just Call 8084732287 Top Class Call Girl Service AvailableCuttack Call Girl Just Call 8084732287 Top Class Call Girl Service Available
Cuttack Call Girl Just Call 8084732287 Top Class Call Girl Service Available
 
ALWAR 💋 Call Girl 9827461493 Call Girls in Escort service book now
ALWAR 💋 Call Girl 9827461493 Call Girls in Escort service book nowALWAR 💋 Call Girl 9827461493 Call Girls in Escort service book now
ALWAR 💋 Call Girl 9827461493 Call Girls in Escort service book now
 
Berhampur Call Girl Just Call 8084732287 Top Class Call Girl Service Available
Berhampur Call Girl Just Call 8084732287 Top Class Call Girl Service AvailableBerhampur Call Girl Just Call 8084732287 Top Class Call Girl Service Available
Berhampur Call Girl Just Call 8084732287 Top Class Call Girl Service Available
 
PHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation Final
 
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
 
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
 
Falcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investors
 
QSM Chap 10 Service Culture in Tourism and Hospitality Industry.pptx
QSM Chap 10 Service Culture in Tourism and Hospitality Industry.pptxQSM Chap 10 Service Culture in Tourism and Hospitality Industry.pptx
QSM Chap 10 Service Culture in Tourism and Hospitality Industry.pptx
 
Berhampur CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Berhampur CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGBerhampur CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Berhampur CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business Growth
 
Lucknow Housewife Escorts by Sexy Bhabhi Service 8250092165
Lucknow Housewife Escorts by Sexy Bhabhi Service 8250092165Lucknow Housewife Escorts by Sexy Bhabhi Service 8250092165
Lucknow Housewife Escorts by Sexy Bhabhi Service 8250092165
 
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGBerhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
 
Chandrapur Call Girl Just Call 8084732287 Top Class Call Girl Service Available
Chandrapur Call Girl Just Call 8084732287 Top Class Call Girl Service AvailableChandrapur Call Girl Just Call 8084732287 Top Class Call Girl Service Available
Chandrapur Call Girl Just Call 8084732287 Top Class Call Girl Service Available
 
KOTA 💋 Call Girl 9827461493 Call Girls in Escort service book now
KOTA 💋 Call Girl 9827461493 Call Girls in Escort service book nowKOTA 💋 Call Girl 9827461493 Call Girls in Escort service book now
KOTA 💋 Call Girl 9827461493 Call Girls in Escort service book now
 
WheelTug Short Pitch Deck 2024 | Byond Insights
WheelTug Short Pitch Deck 2024 | Byond InsightsWheelTug Short Pitch Deck 2024 | Byond Insights
WheelTug Short Pitch Deck 2024 | Byond Insights
 
Phases of Negotiation .pptx
Phases of Negotiation .pptx Phases of Negotiation .pptx
Phases of Negotiation .pptx
 
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
 

A Better Method of Authentication

  • 1. EXECUTIVE BRIEF A Better Method of Authentication SPON An Osterman Research Executive Brief Published June 2012 sponsored by SPON sponsored by Osterman Research, Inc. P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA Tel: +1 253 630 5839 • Fax: +1 253 458 0934 • info@ostermanresearch.com www.ostermanresearch.com • twitter.com/mosterman
  • 2. A Better Method of Authentication EXECUTIVE SUMMARY Conventional authentication using passwords based on alphanumeric characters and punctuation is fraught with difficulties and security risks: • Users often will write down passwords and/or use the same password on multiple systems, increasing the risk to corporate application and data security. • When left to determine their own level of password strength, users often will opt for short or simple passwords that are easy to remember, increasing the likelihood that systems can be hacked. • Users forget passwords, prompting them to call a help desk or use password- reset systems, which can increase support costs and reduce user productivity. • The Bring-Your-Own-Device (BYOD) phenomenon is making the problem worse Conventional because IT has even less control over access to corporate systems and data – and the authentication methods used to access them. authentication using passwords Organizations need highly secure authentication under IT’s control, coupled with an access method that is very easy for users – especially users on mobile devices. This based on brief discusses the problem with current authentication systems and offers an alphanumeric overview of a more advanced and more secure system of authentication. characters and/or punctuation is THE NEED FOR IMPROVED AUTHENTICATION fraught with TRADITIONAL AUTHENTICATION WORKS REASONABLY WELL difficulties and FOR TRADITIONAL SYSTEMS security risks. The wide range of authentication methods currently used in most organizations runs the gamut from simple, inexpensive and relatively insecure to complex, expensive and highly secure: • Usernames and passwords are the most common approach and often used for relatively low-security systems. Although inexpensive to deploy and familiar for users, this method provides a fairly low level of security. This executive • Challenge/response systems that require answers to security questions that have brief offers an been previously populated in the system are often used as a second layer of authentication or for a higher level of access. overview of a more advanced • Even more secure systems may use one-time password tokens, out-of-band authentication, seals, and certificate-based authentication. and more secure system of • The highest security solutions may employ multiple factor or biometric authentication, such as a user’s fingerprint, face, iris, or some other physical authentication. attribute to grant access. The level of security that an organization selects for a particular system or application will depend on several factors, including the sensitivity or confidentiality of the data being accessed, the trustworthiness of the individual accessing the information, the venue from which the accessor is attempting to enter the system, the device from which the user is accessing a system, and other factors. For traditional access of a corporate system from a desktop or laptop computer from behind a corporate firewall using a standard keyboard, these access methods work reasonably well. ©2012 Osterman Research, Inc. 1
  • 3. A Better Method of Authentication EVEN SO, THERE ARE PROBLEMS Despite the relative ease with which users can access traditional systems using these authentication methods, there are problems with them: • Users often forget passwords and need to contact a help desk or automated system for a password reset, which increases support costs within the organization. • Users will typically employ the same passwords on multiple systems so they do not have to remember a unique username/password combination for each system they access, thereby degrading the overall security of access to corporate data. • Users will often remain permanently logged in to various systems to avoid the difficulties associated with traditional login procedures. • Many users write down passwords because they are too difficult or too numerous to remember. • Static, text passwords are susceptible to keylogger malware and dictionary style brute-force attacks. • Finally, a perennial problem is that users employ passwords that are far too Although users simple so that they can remember them more easily, making life for hackers that much less difficult. of traditional authentication DATA BREACHES ARE A SERIOUS PROBLEM find passwords to There have been numerous data breaches in which usernames and passwords have been stolen. According to the 2011 Data Breach Investigations Report by the US be a burden Secret Service and Verizon, the exploitation of default or guessable authentication when using credentials is one of the most common causes of corporate data breaches and was a factor in nearly 35% of the data breaches investigated in the report.i For example, desktop LinkedIn suffered a breach of 6.5 million passwords in mid-2012, hackers computers or compromised the account credentials and information for 24 million Zappos customers in early 2012ii, and in mid-2011 Sony suffered a leak of more than 100 laptops, the million user passwords and account information in a series of data breaches. It’s problems are estimated that the data breach cost Sony at least $171 million to clean up and users did not have access to their accounts for more than one month. much worse for mobile users. The Sony password breach, in particular, underscored one of the fundamental problems with a large proportion of current login credentials: weak passwords that are easy for hackers to guess. For example, an analysis of the Sony breachiii revealed that among the most commonly used passwords were “123456”, “password”, “seinfeld”, “winner” and “michael”. Moreover, the analysis found that some of the breached passwords had as few as four characters, with the two most common passwords lengths being six and eight characters. THE PROBLEMS ARE MUCH WORSE FOR MOBILE DEVICES Although users of traditional authentication find passwords to be a burden when using desktop computers or laptops, the problems are much worse for mobile users. Entering long strings of text and numbers using a mobile keyboard is not easy, particularly when a combination of upper and lower case characters must be entered. When “strong” passwords are required – involving eight or more characters including upper and lower case letters, numbers and symbols -- the problems for mobile users multiply, including mistakes entering characters that may lock users out after a limited number of retries. When authentication becomes too burdensome, users opt instead for weak passwords or they leave their devices permanently logged in, which puts data security at risk. ©2012 Osterman Research, Inc. 2
  • 4. A Better Method of Authentication The BYOD phenomenon that is prevalent in just about every organization today is exacerbating the problem. Because users often employ their own devices to access corporate data, IT has less control over the devices and, in some cases, the authentication methods that are used for access. Among the problems introduced by the BYOD phenomenon are: • Few users – only about 30% according to a Sophos studyiv – employ passwords on their mobile devices because typing multiple, non-alphanumeric characters on a miniature keyboard introduces yet another difficulty when using the device. • A large number of mobile devices are lost or stolen – two million per year according to one sourcev. Adding to the problem of lost devices is the propensity of those who find lost devices to search through them. For example, the Symantec Smartphone Honey Stick Project found that when a phone is lost, 89% of those recovering it will search through the phone for the owner’s personal informationvi. Tablets, in particular, represent another problem because these devices are • increasingly becoming multi-user devices, often shared among the employee’s Organizations family members. This emphasizes the critical importance of protecting corporate need a better way applications or data using password protection to ensure that family members do not inadvertently access, delete or modify important information or unknowingly to authenticate introduce spyware or key loggers onto the device. users to corp- orate systems. THE RISKS OF POOR AUTHENTICATION ARE SIGNIFICANT Cumbersome authentication methods for mobile access tempt users to choose weak They need an passwords or stay logged into corporate systems. This creates some potentially approach that is serious consequences, including a greater likelihood of losing intellectual property if someone loses a device or if a hacker can determine one’s username/password much easier for combination. Data breaches can also result, triggering expensive mitigation efforts users to as a result of statutory notification requirements: 46 of the 50 US states now have data breach notification laws that require notification of affected parties in the event remember than personal data is lost or stolen. traditional passwords, and A NEW APPROACH TO AUTHENTICATION easier to enter on Organizations need a better way to authenticate users to corporate systems and mobile devices, applications in order to protect against the problems discussed above. They need an one that is approach that is much easier for users to remember than traditional passwords, and easier to enter on mobile devices, one that is inherently more secure than text inherently more passwords, and one that will motivate users to follow best practices for strong secure than text authentication on every device and for every application. passwords. One way to do this is to use dynamic, image-based authentication instead of static alphanumeric characters. Confident Technologies offers a unique authentication technology in which users pre-select authorization categories that will be used to generate a one-time password. For example, a user may select “dogs”, “fish” and “cars” as the categories they will have to identify. When a user needs to authenticate – on a mobile phone, in a desktop application or on an iPad, for example – a randomly generated grid of images is presented to the user. The user simply selects the appropriate images that correspond to his or her pre-determined categories, which only he or she knows, and access is granted as if a conventional password had been entered. The specific pictures presented to the user are different every time, which allows the technology to create a unique, one-time access code. Although the pictures are different every time, the user will always look for their same categories (dogs, fish and cars, in this example). THE BENEFITS OF USING IMAGES Using dynamic, image-based authentication offers a number of advantages over the use of conventional passwords: ©2012 Osterman Research, Inc. 3
  • 5. A Better Method of Authentication • Because humans think in pictures, it is far easier for people to remember categories and recognize images than remember passwords, particularly complex passwords consisting of long strings of alphanumeric characters and symbols. For example, one studyvii found that image-based authentication resulted in 100% recall even after 16 weeks, compared to lower recall for Personal Identification Numbers (PINs) or passwords after the same length of time. This reduces password resets and eliminates the motivation for people to choose weak passwords or use the same password on multiple systems. • When users are presented with a grid of images, the display can jog users’ memories of which categories they initially selected as their authentication categories. In essence, the authentication secret is hidden in plain sight and only the user knows how to recognize it. • Authentication using images is much easier than entering characters on a mobile device keyboard, particularly a smartphone. With images, the user can simply tap a few pictures – no need to type on a tiny keypad or switch back and forth among multiple keypads. • The level of authentication required can easily be matched to the security or sensitivity of the application or data being accessed without the problems inherent in making users remember multiple passwords. For example, a system or data repository that requires minimal security might present a user with a grid of nine images from which he or she must identify two of their predetermined categories. A more secure system might require the user to identify three of their categories on a grid of 16 images, while a highly secure system might Authentication require identification of four categories on a grid of 25 images. using images is • An image-based authentication system is more resistant against dictionary much easier than attacks and keystroke-logging malware. Because the specific images and their entering location on the grid are different each time, keystroke-logging malware is not useful to potential hackers, and because text passwords are not used, dictionary characters on a attacks simply don’t apply. mobile device • The creation of a one-time password – more difficult in conventional password keyboard, schemes, but much easier with an image-based system – provides a greater level particularly a of security than any static password. smartphone. • As with conventional authentication systems, a lockout feature can be enabled if the user enters the wrong images in a certain number of attempts. A “KillSwitch” feature can also be enabled, where a user can designate a specific image category as an automatic lockout. If a hacker or a bot selects an image associated with the KillSwitch category, the account would be immediately locked and/or it would trigger a security alert. These features prevent brute-force attacks and can dramatically reduce the impact of losing a mobile device or having an unauthorized user attempt to hack into the corporate network to steal data. USE CASES There are a number of use cases for image-based authentication of the type discussed above. For example: • Physicians and clinicians can use image-based authentication as a secondary form of authentication for single sign-on systems when accessing patient records or hospital records on their personal iPads or other mobile devices they bring into the organization. This is much easier and faster than using passwords on mobile devices and allows access to be compliant with the Health Insurance Portability and Accountability Act (HIPAA). Because a physician or clinician may need to log into patient or other records 50 or more times per day as they make their rounds, the speed and convenience offered by image-based authentication is very beneficial. ©2012 Osterman Research, Inc. 4
  • 6. A Better Method of Authentication • Users who must access corporate systems frequently – salespeople, police officers, warehouse managers, etc. – can use image-based authentication as their primary authentication system, as a secondary method for single sign-on systems, or as a means of easily regaining access to a system after it has timed out. • Corporate IT departments could partition employee-owned mobile devices in order to separate corporate applications and data from personal apps and data, granting access to the former using image-based authentication. This would allow IT to manage access to the corporate partition and remotely wipe it if the device was lost, eliminating most of the consequences of a data breach. • The use of image-based authentication can be integrated with geolocation data, triggering the use of an image grid for authentication only when a user was in an insecure location, such as when accessing a corporate application via a public Wi-Fi hotspot or elsewhere beyond the corporate firewall. • Looking down the road a bit, image-based authentication could also be an effective method of preventing unauthorized purchases from a mobile device when used as an “e-wallet”, a practice increasingly common in Scandinavia and elsewhere. The use of WHO SHOULD BE THINKING ABOUT THIS? Better authentication benefits everyone: image-based authentication • Users, who will find it easier to access corporate systems without having to remember complicated, strong passwords; and who will be more motivated not can be integrated to bypass secure access to corporate systems and data. with geolocation • Their employers, who will run less risk of users bypassing authentication data, triggering methods for the sake of convenience or otherwise engaging in poor security the use of an practices, such as choosing weak passwords, writing down passwords or using the same password on multiple systems. Stronger authentication practices help image grid for businesses to reduce the risk of security breaches, data loss, privacy violations, authentication etc. only when a user • Mobile application developers, who can build greater security into their was in an applications without imposing burdensome authentication processes on end users. insecure location. ABOUT CONFIDENT TECHNOLOGIES Confident Technologies, Inc. provides intuitive and secure, image-based authentication solutions for websites, Web applications, mobile applications and mobile devices. The company’s image-based authentication solutions enable organizations to increase security without sacrificing ease-of-use. Using patented, image-based authentication technology, Confident Technologies helps organizations: • Improve the ease-of-use for user authentication on websites, applications and enterprise systems. • Protect confidential data and online accounts. • Improve the customer's online experience, driving loyalty and increased revenue. • Decrease IT costs and support costs related to authentication and password issues. ©2012 Osterman Research, Inc. 5
  • 7. A Better Method of Authentication • Meet compliance with regulatory requirements for strong authentication Image- based authentication can be used as a stand-alone replacement for traditional authentication methods including as passwords, tokens, smart cards and security challenge questions. Confident Technologies' solutions can also be used in conjunction with other authentication tools to provide a layer of strong, multifactor authentication and out-of-band authentication. © 2012 Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws (including but not limited to any act, statue, regulation, rule, directive, administrative order, executive order, etc. (collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL. i http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report- 2011_en_xg.pdf ii http://www.usatoday.com/tech/news/story/2012-01-16/mark-smith-zappos- breach-tips/52593484/1 iii http://flowingdata.com/2011/06/13/analysis-of-passwords-in-sony-pictures-security-breach/ iv http://www.usatoday.com/tech/news/story/2012-03-22/lost-phones/53707448/1 v http://www.infosecisland.com/blogview/13078-The-Rise-of-Smartphones-and- Related-Security-Issues.html vi http://www.symantec.com/content/en/us/about/presskits/b-symantec-smartphone- honey-stick-project.en-us.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_ linkedin_2012Mar_worldwide_honeystick vii http://www.netaro.info/~zetaka/publications/papers/awasee-UBICOMP2005.pdf ©2012 Osterman Research, Inc. 6