Either they are simple and easy to crack, or difficult to remember and get written down. They are also surprisingly easy to steal. If a Windows authentication dialog pops up, how many of us would just type our password into it without thinking? Are we sure it's not a web page displaying something that looks like a legitimate prompt but is secretly capturing the input?
This isn't news. Organizations like the Federal Government and the PCI (Payment Card Industry) Security Standards Council have mandated what's called Multi-Factor Authentication. This is often expressed as:
- Something you know (e.g. a password).
- Something you have (e.g. a smartcard or phone).
- Something you are (e.g. a fingerprint or other biometric).
Passwords alone are no longer enough. We're getting used to multi-factor through consumer sites like Google and Facebook; sometimes they SMS us a PIN to use. This is multi-factor: an attacker must have got hold of your phone (or its messages) as well as your password to get into the application 'as you'. It's a lot more secure than a password alone, although SMS is the weakest of the common second factors, since messages can be intercepted and phone numbers hijacked, so treat it as a first step rather than the end state. There are even some organizations which have removed passwords altogether and rely only on strong authentication.
What does this mean for Applications Developers?
Many applications more than a few years old use their own login screens. It's pretty simple: display a dialog with username and password, look up the username in LDAP, and so on. In the multi-factor world it's not so simple. Every application would have to handle the myriad of different inputs and requests required, from fingerprints to one-time passwords, from smart cards to image gestures. It's just not practical, and it certainly wouldn't be consistent across applications.
Authentication methods are evolving fast. One of the many vendors Micro Focus is working with is Nymi (nymi.com). Their wristband device uses an ECG to authenticate (and in future it could double as fitness band).
One thing is for sure: "logging in" is going to become more involved for users, which will annoy the hell out of them. Biometrics may look like a great solution, but so far nothing is 100% reliable, and a fallback method is always needed. We want the burden on normal users to be as small as possible.
Some things that help:
Single Sign-On (SSO).
Once authenticated, a user should stay authenticated for their "session", long enough to accomplish their tasks. Other applications should not ask the user to log in again. This means real SSO, not just synchronizing your CRM application logins with your LDAP server and sharing passwords.
Not all logins are equal. Do all these scenarios carry the same risk?
- A user logged in an hour ago, and wants to log in now to the same application, from the same location.
- A user is logging in at 2am to an application they've never used before, when previously they've only worked office hours.
- A user is logging on from a device (e.g. a phone) they've never used before.
- A user is logging in from China while they are already logged in from Brazil.
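Here is how those four scenarios can be turned into a risk-based decision by the identity service, so that the quiet case gets no prompt at all and the China-while-in-Brazil case gets the strongest treatment. This is an added example, not Micro Focus or NetIQ code: the signal weights, the thresholds, the eight-hour session window and the sample user histories are all assumptions chosen for the illustration.

```python
"""Risk-based authentication decision for the login scenarios above.

Added illustration, not product code. Weights, thresholds, the SSO window
and the sample user histories are assumptions made for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class UserHistory:
    known_devices: set = field(default_factory=set)
    apps_used: set = field(default_factory=set)
    usual_hours: tuple = (8, 18)                         # hours the user normally works
    last_auth: dict = field(default_factory=dict)        # app -> (when, country)
    active_sessions: dict = field(default_factory=dict)  # session id -> country


@dataclass
class LoginAttempt:
    app: str
    device_id: str
    country: str
    when: datetime


SSO_WINDOW = timedelta(hours=8)          # assumption: one working day of session reuse
WEIGHTS = {                              # assumption: relative risk of each signal
    "unknown device": 3,
    "first use of application": 1,
    "outside usual hours": 2,
    "concurrent session in another country": 5,
}


def assess(attempt: LoginAttempt, history: UserHistory):
    """Return (assurance level to demand, reasons) for one login attempt."""
    last = history.last_auth.get(attempt.app)
    if (last is not None
            and timedelta(0) <= attempt.when - last[0] <= SSO_WINDOW
            and last[1] == attempt.country
            and attempt.device_id in history.known_devices):
        # Real SSO: the recent session is reused, no prompt at all.
        return "none", ["recent session from same place and device"]

    reasons = []
    if attempt.device_id not in history.known_devices:
        reasons.append("unknown device")
    if attempt.app not in history.apps_used:
        reasons.append("first use of application")
    start, end = history.usual_hours
    if not start <= attempt.when.hour < end:
        reasons.append("outside usual hours")
    if any(country != attempt.country for country in history.active_sessions.values()):
        reasons.append("concurrent session in another country")

    score = sum(WEIGHTS[r] for r in reasons)
    if score >= 5:
        return "multi-factor and analyst review", reasons
    if score >= 3:
        return "multi-factor", reasons
    return "single-factor", reasons   # a fresh login always needs at least one factor


def scenarios():
    """The four cases from the text plus a quiet baseline (constructed histories)."""
    day = datetime(2024, 3, 4)
    office = UserHistory(known_devices={"laptop-1"}, apps_used={"crm"})
    recent = UserHistory(known_devices={"laptop-1"}, apps_used={"crm"},
                         last_auth={"crm": (day.replace(hour=10), "BR")},
                         active_sessions={"s1": "BR"})
    travelling = UserHistory(known_devices={"laptop-1"}, apps_used={"crm"},
                             active_sessions={"s1": "BR"})
    return {
        "baseline": assess(LoginAttempt("crm", "laptop-1", "BR", day.replace(hour=11)), office),
        "same_app_recent": assess(LoginAttempt("crm", "laptop-1", "BR", day.replace(hour=11)), recent),
        "new_app_at_2am": assess(LoginAttempt("payroll", "laptop-1", "BR", day.replace(hour=2)), office),
        "new_device": assess(LoginAttempt("crm", "phone-9", "BR", day.replace(hour=11)), office),
        "china_and_brazil": assess(LoginAttempt("crm", "laptop-1", "CN", day.replace(hour=11)), travelling),
    }


if __name__ == "__main__":
    for name, (level, reasons) in scenarios().items():
        print(f"{name:18} -> {level:32} {reasons}")
```

The point is that none of this logic lives in the CRM or payroll application; the identity service owns the history, scores the attempt, and runs whichever factors the score demands.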
What we're really talking about here is abstracting authentication and authorization out of the application itself, into a service that decides which factors to demand and hands the application a verified identity. We've known this is good practice for years, but haven't always done it. With multi-factor it's no longer optional. This is a win-win: our applications become more secure for users, and as developers we no longer have to care about the mechanics of logging in. That means I'll never need to implement another login screen again.
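What the application is left with once authentication is abstracted away is shown below: it never sees a password or a one-time code, it only verifies a signed assertion from the identity service and checks that the assurance level is high enough for the resource being opened. This is an added example, not Micro Focus or NetIQ code; the HMAC shared secret, the claim names ("assurance", "amr") and the two-part token format are assumptions made for the illustration, where a real deployment would use SAML or OpenID Connect with asymmetric signatures.

```python
"""The application side once authentication is externalised.

Added illustration, not product code. The identity service decides which
factors to run and issues a signed assertion; the application only verifies
it. The shared secret, claim names and token format are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(claims: dict, key: bytes) -> str:
    """Identity service: sign the claims after the required factors succeeded."""
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_assertion(token: str, key: bytes, audience: str,
                     required_assurance: int, now=None):
    """Application: accept (True, claims) or reject (False, reason). No login UI here."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, tag = parts
    expected = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body))
    if claims.get("aud") != audience:                # not issued for this application
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:                  # the session has to end sometime
        return False, "expired"
    if claims.get("assurance", 0) < required_assurance:
        return False, "step-up required"             # send the user back to the identity service
    return True, claims


def demo(now: float = 1_700_000_000.0) -> dict:
    """Constructed tokens: single-factor, multi-factor, forged, expired, wrong app."""
    key = b"shared-secret-between-idp-and-app"   # assumption, for the example only
    base = {"sub": "alice", "aud": "payroll", "exp": now + 600,
            "amr": ["pwd"], "assurance": 1}
    single = issue_assertion(base, key)
    strong = issue_assertion({**base, "amr": ["pwd", "otp"], "assurance": 2}, key)
    # Attacker edits the claims to raise assurance but cannot re-sign them.
    forged = strong.split(".")[0] + "." + single.split(".")[1]
    expired = issue_assertion({**base, "exp": now - 1}, key)
    return {
        "single_factor_low_risk": verify_assertion(single, key, "payroll", 1, now),
        "single_factor_for_payroll": verify_assertion(single, key, "payroll", 2, now),
        "mfa_for_payroll": verify_assertion(strong, key, "payroll", 2, now),
        "forged_assurance": verify_assertion(forged, key, "payroll", 2, now),
        "expired": verify_assertion(expired, key, "payroll", 1, now),
        "wrong_audience": verify_assertion(single, key, "crm", 1, now),
    }


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{name:26} -> {'accepted' if ok else 'rejected: ' + detail}")
```

Notice that "step-up required" is not a failure the application has to resolve itself; it simply redirects to the identity service, which runs the extra factor and issues a fresh assertion. The audience check matters too: an assertion minted for the CRM must not open payroll just because the same user signed it.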
Don’t forget to find out more about the leading Internet Access and Security solutions from Micro Focus by visiting the NetIQ website
Excellent post, I must say! Password fatigue is a great problem that affects customers of all sizes of businesses, considering a survey found three out of four customers forget their passwords. Single Sign-On spares your customers from a compounding trouble, allowing for automatic login into your associated websites and applications after the first sign-in of a session.