Passwords, in conjunction with user names, remain the most common means of authenticating user access. But, as has been proven time and time again, they are inherently insecure.
Too often they are easy to guess or are left unchanged from default settings. And as users struggle to remember multiple sign-on codes, the temptation is to either adopt the same password for all systems or to write them down and leave them visible to all.
The problem has become more acute as businesses have opened up their infrastructures to customers and supply chain partners, leading IT managers to explore new options for securing enterprise applications. One area that has generated much interest has been single sign-on. This approach involves building accurate user profiles that sit behind an authentication engine. These profiles then dictate which applications and data a user can access.
But while single sign-on systems reduce the problems associated with having multiple passwords, they are still relatively vulnerable: if a password is compromised several systems are at risk.
"Whoever is accessing your systems, be it employees on your LAN, partners on your extranet or customers on your commerce sites, simple passwords no longer suffice as a reliable means of authentication," says Jonathan Penn of market watcher Forrester Research. He suggests that stronger forms, such as tokens (devices that generate a sign-on code in response to a user's PIN, with the code automatically changed every few minutes) or smart cards, may be needed.
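To make the token mechanism Penn describes concrete, here is an added worked example that is not part of the original article and not code from any vendor it names. It assumes the common time-based one-time-code construction of RFC 6238 (HMAC-SHA1, 30-second steps, six digits), with the user's PIN treated as a separate factor checked elsewhere and not shown. The seed is the published RFC 6238 test-vector key, used here only so the numbers can be checked; a real token is provisioned with its own secret.

```python
import hashlib
import hmac
import struct

# Constructed for illustration: the RFC 6238 SHA-1 test-vector key.
# A deployed token carries a unique per-device seed, never a shared one.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: truncate HMAC-SHA1(secret, counter) to a short decimal code."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of time steps elapsed.

    This is why the code on the token 'changes every few minutes': the counter,
    and so the HMAC, advances once per step without any input from the user.
    """
    return hotp(secret, unix_time // step, digits)


class TokenVerifier:
    """Server-side check for one user's token.

    Two defensive details the article's description leaves implicit:
    - a small drift window, so a token whose clock is slightly off still works;
    - replay protection, so a code that was accepted once (or any older one)
      is refused if it is presented again inside the window.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift_steps = drift_steps
        self.last_counter = -1  # highest time-step counter already consumed

    def verify(self, candidate: str, unix_time: int) -> bool:
        if len(candidate) != self.digits or not candidate.isdigit():
            return False
        counter = unix_time // self.step
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            c = counter + delta
            if c <= self.last_counter:
                continue  # already used, or older than a code we already accepted
            expected = hotp(self.secret, c, self.digits)
            # Constant-time comparison: do not leak how many digits matched.
            if hmac.compare_digest(expected, candidate):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    now = 59
    code = totp(DEMO_SECRET, now)
    v = TokenVerifier(DEMO_SECRET)
    print("code at t=59:", code)                 # RFC 6238 vector gives 287082
    print("first use accepted:", v.verify(code, now))
    print("replay rejected:", not v.verify(code, now + 10))
```

The drift window is the usual trade-off: widening it tolerates worse token clocks but lengthens the period in which a stolen code is useful, which is exactly why the verifier also remembers the last counter it accepted.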
Increasingly businesses are using the combination of single sign-on and strong authentication to simplify and strengthen access controls, says Marc Boroditsky, CEO of security software vendor Passlogix. For example, Passlogix has coupled its single sign-on software with biometrics for Clarian Health Partners, an Indianapolis hospital operator. Doctors use smart cards to sign in at their desks and retinal scanners to access operating theatres, where latex gloves prevent them from using fingerprint recognition.
Using unique physical characteristics to confirm identity removes the need to remember passwords or carry smart cards, and provides a robust level of authentication. However, there are still concerns over biometrics, notes Clare Hirst, principal analyst at research group Gartner: "Biometric systems are still viewed as the most immature of authentication technologies because of concerns about cost, accuracy, reliability and ease of use."
Businesses should choose authentication methods to fit the form factor, says Tim Pickard, European marketing manager at IT security company RSA. "Token-based solutions are suited to remote access. Smartcards fit well inside the enterprise," he says.