Authentication is arguably the most important element of any organisation's security infrastructure.
Without effective authentication, the wrong people may be granted access to the wrong systems or valid users may be shut out.
But although authentication has traditionally been the least exciting sector of the security software market – and the slowest growing – it is set to be shaken up by the introduction of web services.
Web services are a collection of protocols for discovering software components, data and services over the Internet. The concept promises tighter and more intimate integration between different organisation's systems, and brings with it a number of new security challenges.
What systems and components will be opened up to web services? How will the organisation ensure that only the right people can use those systems? How can this be done in a way that does not put users off? And how easy will it be to integrate disparate authentication systems?
A number of technologies and standards have been developed to help organisations address these key issues.
First, there is single sign-on (SSO) software, which is designed to integrate multiple authentication systems. Vendors such as Oblix are already adapting their SSO software for web services.
Second, is the development of the security assertion mark-up language (SAML). SAML is an emerging XML-based standard intended to enable organisations to securely exchange authentication and other data between customers and partners regardless of the security systems or trading platforms that they use.
Finally, Microsoft and Sun Microsystems are leading competing projects to provide a global, monolithic authentication system. Although initially aimed at consumers, analysts foresee the two groups increasingly offering it to corporates as an outsourced authentication service.
The purpose of passport
What if users only had to remember one password to access all their Internet-based services, to identify themselves, pay for goods online and to access their own business' corporate software? That is Microsoft's vision of 'single sign-on' authentication, articulated through the company's Passport authentication system.
Passport began life as an authentication system for users of Hotmail, a free online email application that Microsoft acquired in 1997. Since then, many Microsoft applications and services have been tied into Passport.
Passport will eventually become a universal gateway to a variety of Internet-based applications and web services provided under the banner of Microsoft's .Net initiative. However, to really convince Internet users of its value, Microsoft wants to make applications and services from other companies accessible through Passport authentication.
In September 2001, Microsoft said it would create a federated authentication system, based on the Kerberos authentication standard. By joining such a system, Internet-based retailers and corporate businesses could eventually use Passport to authenticate both customers and employees.
But it has yet to be widely embraced. Microsoft has yet to outline how such a system would be administered, and the company's infamous security gaffes have made many wary of adopting the system. There is also a suspicion about the amount of control and information that this would mean handing over to the software giant.
The problem with passwords
“As bad as passwords are, users will go out of the way to make it worse. If you ask them to choose a password, they'll choose a lousy one. If you force them to choose a good one, they'll write it on a Post-it note and stick it on their monitor. If you ask them to change it, they'll change it back to the password they changed it from last month.”
— Security expert Bruce Schneier, of Counterpane Internet Security, reveals how users undermine secure password-based authentication.
Liberty's bid for freedom from Microsoft
Microsoft faces a challenge to Passport in the form of the Liberty Alliance, an independent federated authentication initiative set up in September 2001 by some of Microsoft's bitterest rivals. It is led by Unix hardware maker Sun Microsystems and Internet service provider AOL.
Liberty has yet to disseminate any useful information about its strategy and technical architecture, although it has already garnered much wider industry support than Passport. There are 40 ‘charter members', including Nokia, American Express, RSA Security, Hewlett-Packard, Cisco Systems and Vodafone.
Unfortunately, there is currently more doubt about both initiatives than support. Neither have a clear direction or technical specification to work towards and questions remain over inherent security problems and privacy and trust issues.
Furthermore, analysts question the value that such single sign-on systems will bring. Nevertheless, some sources believe that one of these systems will eventually form the basis of a next generation identity card. But for now, both represent bravado more than business.
The European authentication software market is growing rapidly and will be worth $400 million (€450m) by 2005, from $150 million (€168m) in 2000, according to market analyst company IDC.
Growth is expected because authentication technology has yet to fulfil its market potential, according to IDC analyst Thomas Raschke, due to difficulty in marketing such expensive and complicated solutions.
However, these barriers are falling away as more experienced vendors improve their offerings. The vendor environment is fairly mature, with market leaders RSA and Evidian claiming 30% and 20% of the market respectively.
Raschke does, however, foresee some further consolidation between vendors, and cites Baltimore Technologies of Ireland, which has been struggling financially since mid-2001, as a possible acquisition target.
According to IDC, the authentication software market represents 20% of the total European security software market. The total market will be worth $2.4 billion (€2.7bn) by 2005, according to IDC.
Who are the players?
- Vendor: Baltimore Technologies
Flagship product: SelectAccess. Authorisation and access control that defines where users can go in the infrastructure and what actions they can perform. Baltimore also supplies PKI software.
- Vendor: Entrust
Flagship product: Entrust GetAccess. Provides web single sign-on (SSO) and personalisation. Targeted at web portals and can be integrated with the Entrust Authority PKI software product, which Entrust claims has a 38% share of the PKI market.
- Vendor: Evidian (formerly BullSoft)
Flagship product: AccessMaster. Provides security policy management, including single sign-on (SSO) and PKI management.
- Vendor: Novell
Flagship product: Novell Modular Authentication Service (NMAS). Combines password, token and biometric authentication. Also offers graded authentication according to the organisation's security policy.
- Vendor: RSA Security
Flagship product: SecurID. Arguably the most widely used token-based authentication system. The tokens generate a new, apparently random number every minute, which matches a number held on the RSA ACE/Server when it is keyed in.
- Vendor: VeriSign
Flagship product: Authentication Service Bureau. VeriSign provides two outsourced PKI services. VeriSign Consumer ASB is primarily aimed at financial institutions that need to authenticate users of their services. VeriSign Business ASB is aimed at corporate extranets and trading exchanges.
Glossary and standards
- Access tokens
- Access tokens such as smart cards or RSA Security's SecurID tokens provide an extra layer of authentication, based on something in a users' possession.
- The process of establishing the legitimacy of a given user.
- Authentication that can be directly linked to a unique, biological feature of an individual, such as a thumbprint or a user's retinal pattern.
- Digital signature
- A means of ‘signing' a document by performing a mathematical calculation involving the document and a private encryption key. The signature can be verified on receipt by performing a different mathematical calculation on the digital signature with the user's public encryption key.
- Federated authentication
- A single system used by several different organisations that maintain their own (and their users) data.
- PKI – Public key infrastructure
- PKI provides the infrastructure in which encryption and digital certificate-based authentication can be implemented.
- SAML – Security assertion mark-up language
- An emerging XML-based standard intended to enable organisations to securely exchange authentication and other data between customers and partners regardless of the security or ecommerce systems they use.
- Shared secret
- Name given to authentication system based on a log-in name and password, the password being the secret shared between end-user and the system.
- Two-factor authentication
- Based on something a user knows, such as a password, plus something the user has, such as an RSA SecurID token or a smart card.
Authentication will always be a problem for organisations. The easier it is for end-users, the easier it is for an attacker to crack. Toughening up authentication procedures can only make it more difficult for end-users, which either prevents work being done or trade being conducted.
Approaches such as access tokens and biometrics can help, but do not provide a universal panacea for many reasons. For example, biometrics can provide highly personalised identification of an individual, but if the data string that makes up their retinal scan or thumb-print is stolen, a new one can not be issued and the authentication system is permanently broken.
And biometrics and token-based authentication cannot be used for machine-to-machine authentication. For that, public key infrastructure (PKI) systems need to be adopted, but these can be complicated to set-up and expensive to run. The challenge for vendors is to make authentication both easier and cheaper, but this can reduce security.