Authentication gets an upgrade

A host of new technologies give enterprises authentication options way beyond user names and passwords

It wasn’t all that long ago that the market for strong authentication products was the tech industry’s equivalent of “Coke or Pepsi?” Companies had just a few choices, including secure tokens such as RSA’s popular SecurID and chip-enabled smart cards from companies such as Axalto and Gemplus.

Cards and tokens are still the name of the game for many companies, and the smart-card industry expects 2007 to be one of their best years ever. But behind the scenes, there’s plenty going on in the once-staid market for user authentication technology.

Why? Pick your reason. Phishing attacks and targeted “spear phishing” make it easy for fraudsters to get the credentials they need to penetrate sensitive systems such as online banking and e-commerce sites, not to mention enterprise applications. Wi-Fi makes it possible to drop into enterprise networks behind the firewall, and evolving rootkit techniques make malicious code detection so difficult that it’s almost worth forgetting about. And let’s not forget: PKI solutions are expensive! In any case, the free-for-all on enterprise networks and enterprise data has spurred rapid evolution in the industry and raised an army of startup companies with new takes on the old authentication problem. Among the trends to watch:

Biometrics. Biometrics have been the “next big thing” for more than a decade, but a combination of factors has recently spurred enterprise adoption. Major PC makers such as Lenovo have integrated biometric scanners into their devices, and USB-enabled scanners are more affordable. A new generation of behavioral biometrics is also gaining traction. Financial risk management vendor Fair Isaac recently introduced a new product called Falcon One for Online Access, which monitors customer behaviors, such as typing and mouse pad patterns. RSA, soon to be part of storage giant EMC, acquired voice recognition technology vendor PassMark Security in April; and BioPassword, another behavioral biometric vendor, says its typing analysis technology can weed out fraudsters even after they’ve stolen your user name and password.

More form factors. One of the biggest challenges of strong authentication solutions was the cost of purchasing and deploying the additional factor. Key fobs and smart cards get lost or damaged, and vendors never had a good answer for how to manage handfuls of tokens for different companies. In recent years Diversinet, RSA, Saflink, and VeriSign have all developed technologies that can deliver tokens wirelessly to cell phones or PDAs.

Risk-based authentication. Everybody wants to strengthen access controls, but not every customer or transaction warrants strong, two-factor authentication. The result: Enterprises are taking a more nuanced approach to authentication, applying strong security to high-risk, high-value transactions, and lighter security to low-risk behavior. In addition to RSA and VeriSign, smaller companies such as Entrust and TriCipher offer solutions that combine support for strong, two-factor authentication with soft authentication methods such as challenge/response questions, as well as hardware and software to analyze fraud risk data.

Reputation services. With rootkits, drive-by downloads, and other stealth technology proliferating, having the right log-in credentials just doesn’t mean what it used to. Companies also want to monitor online behavior to develop profiles of who users are and what they do, to prevent critical security lapses even after users have authenticated. Companies such as Cydelity, Cyveillance, IdenTrust, RSA, and VeriSign are integrating anti-fraud and phishing data with behavioral analysis to spot compromised machines and rogue employees.
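The two ideas above, risk-based authentication (step up to a second factor only when the risk warrants it) and post-login behavioral monitoring (keep watching the session after the credentials check out), reduce to the same mechanism: add up risk signals and compare the total against thresholds. The following is an added illustration of that mechanism in Python; it is not code from the article or from any vendor named in it. The signals (unknown device, unusual country, reputation-feed hit, outsized amount, new payee, transaction burst), the weights and the thresholds are all assumptions chosen for the example, and the user profile is constructed sample data.

```python
"""Risk-based step-up authentication plus in-session behavioral scoring.

Added example; signal names, weights and thresholds are assumptions for
illustration, not a vendor's scoring model.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Thresholds are assumed for the example; a real deployment tunes them from
# fraud data rather than picking round numbers.
STEP_UP_THRESHOLD = 30   # at or above: demand a second factor
DENY_THRESHOLD = 80      # at or above: refuse, or hold for manual review


@dataclass
class UserProfile:
    """What 'normal' looks like for one account (constructed sample data)."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    typical_amount: float = 0.0      # rolling average transaction value


@dataclass
class LoginAttempt:
    device_id: str
    country: str
    password_ok: bool
    ip_on_fraud_list: bool = False   # hit from an external reputation feed (assumed source)


def score_login(profile: UserProfile, attempt: LoginAttempt) -> tuple:
    """Add up risk signals for a login. Higher means riskier."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if attempt.country not in profile.usual_countries:
        score += 25
        reasons.append("unusual country")
    if attempt.ip_on_fraud_list:
        score += 50
        reasons.append("source ip on fraud list")
    return score, reasons


def login_decision(profile: UserProfile, attempt: LoginAttempt) -> str:
    """Return 'allow', 'step_up' (require OTP, token or smart card) or 'deny'."""
    if not attempt.password_ok:
        return "deny"                 # first factor failed; no risk math needed
    score, _ = score_login(profile, attempt)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def score_transaction(profile: UserProfile, amount: float,
                      new_payee: bool, tx_last_minute: int) -> tuple:
    """Post-login behavioral check: does this action fit the account's history?"""
    score, reasons = 0, []
    if profile.typical_amount > 0 and amount > 5 * profile.typical_amount:
        score += 35
        reasons.append("amount far above typical")
    if new_payee:
        score += 20
        reasons.append("first payment to this payee")
    if tx_last_minute >= 3:
        score += 30
        reasons.append("burst of transactions")
    return score, reasons


def transaction_decision(profile: UserProfile, amount: float, new_payee: bool,
                         tx_last_minute: int, stepped_up: bool) -> str:
    """Return 'allow', 'step_up' or 'hold_for_review' for one in-session action."""
    score, _ = score_transaction(profile, amount, new_payee, tx_last_minute)
    if score >= DENY_THRESHOLD:
        return "hold_for_review"     # valid credentials, but the behavior does not fit the user
    if score >= STEP_UP_THRESHOLD and not stepped_up:
        return "step_up"             # strong auth only when the risk warrants it
    return "allow"


if __name__ == "__main__":
    alice = UserProfile({"laptop-1"}, {"US"}, typical_amount=120.0)
    print(login_decision(alice, LoginAttempt("laptop-1", "US", True)))       # allow
    print(login_decision(alice, LoginAttempt("phone-9", "RO", True)))        # step_up
    print(login_decision(alice, LoginAttempt("phone-9", "US", True, True)))  # deny
    print(transaction_decision(alice, 2000.0, True, 0, stepped_up=False))    # step_up
    print(transaction_decision(alice, 2000.0, True, 3, stepped_up=True))     # hold_for_review
```

The login path shows the nuance the article describes: a familiar device from a usual country passes on the password alone, while an unfamiliar device abroad is asked for the second factor and a reputation-feed hit on the source address is refused outright. The transaction path is the post-authentication half: once the session is established, an outsized payment to a new payee still triggers step-up, and a burst of such payments is held for review even after the second factor succeeded, which is how a hijacked session or rogue insider gets caught despite holding valid credentials.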