Missing Link in ENTERPRISE NETWORKING
By: David Strom | 29 June 2016
Perhaps the biggest surprise in our review of nine multi-factor authentication products is that physical tokens are making a comeback. Many IT managers were hoping that software-based tokens, which are easier to deploy and manage, would make hardware tokens extinct.
In our review three years ago of two-factor authentication products, the hot new approach was using smartphones as an authentication method via soft tokens, which could be a smartphone app, SMS message or telephony.
But not so fast. We found that vendors are now coming out with "smart" hardware tokens that have encryption keys or encryption engines embedded, rather than just displaying a changing series of numbers for users to type into the authentication dialog.
Vasco's latest Bluetooth tokens and Yubico's near-field tokens are rather innovative. And in February, Trusona announced a new form of hardware token. While still in beta, the idea is interesting. When you sign up for their service, they send you via a courier a device that fits on the end of your smartphone and looks like a credit card reader of the kind used by Square or Amazon Payments.
Rather than processing payments, though, they are using this reader (and the chain of custody from their plant to your hands) to associate your credit card or other magnetically endowed items with your identity. We'll see if the notion catches on, but it's another example of where the hardware token world is going.
2. Baked-in authentication
The flip side of having more hardware in the MFA pipeline is a second trend whereby more apps are incorporating security and authentication methods directly into their code. This is the outcome of efforts by vendors such as Vasco, SafeNet and others that have very sophisticated APIs to construct the MFA routines as part of the app itself, whether it be a SaaS-based Web app or something for mobile phones.
What this means is that in a few years, traditional MFA vendors may become less important for enterprise IT managers as these toolkits take off and become more capable. While MFA vendors still have the lion's share of this part of the market, there are several upstarts trying to find their way in.
3. Built-in fingerprint readers
A third trend is to use the built-in fingerprint readers on the latest Android and iOS phones to secure access to apps. PayPal (through Nok Nok's tools) has offered its fingerprint app for several years now on several Android devices, and other apps, such as the mobile Bank of America app, are slowly incorporating fingerprints as an additional or sole authentication factor. Expect more of these apps to appear in the coming years.
Fingerprints as an additional authentication factor are just the latest of many biometric efforts. There are others such as Telesign, which uses a combination of behavioral factors including keystroke cadence and mouse movements.
But fingerprints aren't the only way to make MFA easier to use, and several device-specific authentication vendors are coming to the fore. Two examples of this are iOvation and PasswordlessApps.com's Tidas project. The latter uses the private encryption keys inside the more recent iPhones to sign and encrypt your data. The logins are handled by the SDK, so users don't have to construct any passwords and just use their fingerprint and the TouchID button on the phone. All private information is stored inside the iPhone and nothing is transmitted anywhere else.
Another authentication method is called "push OTP." Instead of asking a user to key in the OTP displayed in a token (hard or soft), the MFA notification is sent via SMS and all a user has to do is acknowledge its receipt with a text message. SafeNet, Vasco, RSA, PistolStar and Symantec all support this method.
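The push OTP flow described above moves the work from the user (typing a code) to the server (matching an acknowledgement against a pending challenge). The following is an added example, not code from the article or from any of the vendors it names, of the server-side bookkeeping such a flow needs: each challenge is bound to a user and an action, expires after a short window, and can be acknowledged only once, so a replayed or stale acknowledgement is rejected. The SMS transport is a constructed stand-in that just records what would have been sent; the `PushOtpServer` class, its method names and the 120-second TTL are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass

# Hypothetical validity window for a pushed challenge (assumption, not from the article).
CHALLENGE_TTL_SECONDS = 120


@dataclass
class PushChallenge:
    challenge_id: str
    username: str
    action: str
    issued_at: float
    used: bool = False


class PushOtpServer:
    """Issues push challenges and validates acknowledgements (illustrative, not a vendor API)."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(phone, text); the real transport is out of scope here
        self._clock = clock         # injectable so expiry can be exercised deterministically
        self._pending = {}

    def start_login(self, username, phone, action="login"):
        # Unpredictable id: the acknowledgement must name it, so guessing it must be infeasible.
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = PushChallenge(challenge_id, username, action, self._clock())
        self._send_sms(phone, f"Approve '{action}' for {username}? Reply APPROVE {challenge_id}")
        return challenge_id

    def acknowledge(self, username, challenge_id):
        """Return True only for a fresh, unused challenge belonging to this user."""
        ch = self._pending.get(challenge_id)
        if ch is None or ch.used:
            return False                      # unknown id, or replay of an already-used one
        if ch.username != username:
            return False                      # acknowledgement must come from the same user
        if self._clock() - ch.issued_at > CHALLENGE_TTL_SECONDS:
            del self._pending[challenge_id]   # stale: drop it so it cannot be approved later
            return False
        ch.used = True                        # single use: a second acknowledgement fails
        return True


def demo():
    """Walk through the flow with a constructed outbox and a fake clock; returns the observations."""
    outbox = []
    now = [1_000.0]
    server = PushOtpServer(send_sms=lambda phone, text: outbox.append((phone, text)),
                           clock=lambda: now[0])

    cid = server.start_login("alice", "+15555550100", action="login")   # constructed sample user
    first = server.acknowledge("alice", cid)       # user replies within the window
    replay = server.acknowledge("alice", cid)      # same acknowledgement sent again
    wrong_user = server.acknowledge("mallory", server.start_login("alice", "+15555550100"))

    late_cid = server.start_login("alice", "+15555550100", action="login")
    now[0] += CHALLENGE_TTL_SECONDS + 1            # advance past the TTL
    expired = server.acknowledge("alice", late_cid)

    return {
        "messages_sent": len(outbox),
        "first_ack": first,
        "replayed_ack": replay,
        "wrong_user_ack": wrong_user,
        "expired_ack": expired,
    }


if __name__ == "__main__":
    print(demo())
```

The acknowledgement carries the challenge id rather than a numeric OTP, which is what makes the user's side a simple "approve" reply; the security rests on the id being unguessable, short-lived and single-use, and on the server binding it to the account that started the login.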
4. FIDO sits in the doghouse
Three years ago, the Fast Identity Online (FIDO) Alliance seemed like a bright spot in the world of authentication. FIDO offered a way to eliminate carrying multiple authentication tokens to connect to a variety of resources. But FIDO-supported apps have been slow to appear.
We looked at two products that support FIDO standards, the Nok Nok Labs S3 Authentication Suite and the Yubico tokens. But while the FIDO Alliance has grown to more than 100 members, Apple has not joined, further preventing progress with iPhones and iPads. Adding to its woes was the creation of two competing standards: Universal Authentication Framework (UAF) and Universal Two Factor (U2F). Only a few vendors support both; most have taken sides in their support.
Instead of FIDO, more progress has been made with single sign-on (SSO) tools that combine MFA methods as part of their logins. These vendors are increasing their market share in the MFA space. Ping, Okta, and SecureAuth are examples of SSO vendors that have beefed up their identity products in this fashion (see our SSO review). There are also new SSO vendors entering the market with strong authentication features, such as Stormpath.com. PistolStar's PortalGuard also plays in this space.
5. Risk-based authentication
Finally, vendors are incorporating step-up or risk-based authentication to require more than a second factor in specific situations. This means a user has to pass increasingly more secure hurdles to gain access to sensitive accounts or perform riskier actions, such as a bank wire transfer versus a balance inquiry. While still in its early stages, risk-based authentication can be purchased as an option for both the Vasco and Symantec products and comes standard with the PistolStar product. Expect it to find its way into other MFA tools soon.
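As an added illustration of the step-up idea just described (this is example code written for this page, not a vendor's policy engine), the block below models a small risk-based decision: each action has a baseline assurance level, context signals about the session raise that requirement, and the factors the user has already satisfied are compared against it. When the session falls short, the engine reports which additional factors would satisfy the step-up instead of simply denying. The factor levels, action levels and risk-signal weights are constructed for illustration and are not taken from the article or from any product.

```python
from dataclasses import dataclass

# Assurance level each factor contributes (constructed values for this example).
FACTOR_LEVEL = {
    "password": 1,
    "sms_otp": 2,
    "push_otp": 2,
    "soft_token": 2,
    "hardware_token": 3,
    "fingerprint": 3,
}

# Baseline level an action demands before any context risk is considered (constructed).
ACTION_BASE_LEVEL = {
    "balance_inquiry": 1,
    "change_address": 2,
    "wire_transfer": 3,
}

# Context signals that raise the required level, i.e. trigger a step-up (constructed).
RISK_SIGNALS = {
    "new_device": 1,
    "unusual_geo": 1,
    "anonymizing_proxy": 2,
}

MAX_LEVEL = max(FACTOR_LEVEL.values())


@dataclass(frozen=True)
class Session:
    user: str
    satisfied_factors: frozenset


@dataclass(frozen=True)
class Decision:
    allow: bool
    required_level: int
    achieved_level: int
    step_up_options: tuple   # factors that would satisfy the requirement, empty when allowed


def achieved_level(factors):
    """Strongest factor present; a lone factor never counts above level 1 (MFA needs two)."""
    if not factors:
        return 0
    strongest = max(FACTOR_LEVEL.get(f, 0) for f in factors)
    return min(strongest, 1) if len(factors) < 2 else strongest


def required_level(action, context):
    """Baseline for the action plus the risk bumps from context, capped at the top level."""
    base = ACTION_BASE_LEVEL[action]
    bump = sum(RISK_SIGNALS.get(signal, 0) for signal in context)
    return min(MAX_LEVEL, base + bump)


def evaluate(session, action, context=()):
    need = required_level(action, context)
    have = achieved_level(session.satisfied_factors)
    if have >= need:
        return Decision(True, need, have, ())
    # Offer only factors strong enough on their own to close the gap and not already used.
    options = tuple(sorted(f for f, lvl in FACTOR_LEVEL.items()
                           if lvl >= need and f not in session.satisfied_factors))
    return Decision(False, need, have, options)


if __name__ == "__main__":
    # Constructed sample session: password only, on a device the bank has seen before.
    s = Session("alice", frozenset({"password"}))
    print(evaluate(s, "balance_inquiry"))               # allowed at level 1
    print(evaluate(s, "wire_transfer"))                 # step-up to level 3 needed
    print(evaluate(s, "balance_inquiry", ("new_device",)))  # context raises the bar
```

Two design choices are worth noting. Levels do not add up (two weak factors never become a strong one); the strongest factor sets the level, and a single factor is capped at level 1 so that "multi-factor" remains literally true above that. And the step-up list is derived from the same table as the requirement, so adding a new factor type or a new risk signal is a one-line change rather than a new branch in the policy.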
Strom is the founding editor-in-chief of Network Computing magazine and has written thousands of magazine articles and two books on various IT and networking topics. His blog can be found at strominator.com and you can follow him on Twitter @dstrom. He lives in St. Louis.