Streamlining an authentication solution

The marketplace for authentication services is a multi-billion dollar market (Bonderud, 2014). Organizations such as the U.S. Department of Homeland security are purportedly spending $7 billion dollars on the implementation of authentication systems. The National Institute of Standards and Technology (NIST) has highlighted the availability of these services as worth consideration for federal agencies (NIST, 2011). Authentication systems contain a mix of password, biometric, token and encryption key options that enable flexibility in choice of solutions. The difficulty for many organizations is defining authentication needs given the complexity of information systems, assets and users. With appropriate consideration of organizational requirements, the process of authentication management can be streamlined. This process however can be an arduous process (Bonneau, Herley, Van Oorschot, & Stajano, 2015).

Authentication System Requirements

Design of an authentication system may include the following criteria which are often discussed in context of biometric authentication, but may apply to analysis of an organization’s overall authentication requirements (Sharma, Kapoor, & Dhillion, 2013; Goodrich & Tamassia, 2011). The goal of appropriate analysis should be the definition of a sustainable authentication system that permits efficient management and adaption for technological change. Through consideration of multiple criteria in defining requirements, a multi-dimensional authentication system could be identified (Oltsik, 2014).

  • The method or biometric attribute should be global. For example, it is assumed that all individuals have fingerprint. The ability to enter passwords could also be considered global.
  • Authentication attributes must be unique. Again the fingerprint is an example of uniqueness. Another example would be the assumed uniqueness of phone numbers or mobile device physical IDs.
  • An attribute does not change. For biometrics such as an iris scan, this attribute may apply, but mobile devices and passwords are not permanent.
  • An attribute should be reasonable to obtain. An example would be the Apple iPhone’s button-based fingerprint scanner. The scanner matches a provided fingerprint to a stored copy within seconds as a means to unlock the phone for access.
  • A characteristic can be measured without inconveniencing a user. An example would be a biometric scanner for an electronic health records system (EHR). Authentication would not interfere with medical staff use of EHR.
  • An attribute should contain the necessary accuracy.
  • Alternatives should exist to accommodate human impairment or inability to comply with existing authentication (e.g., lack of a fingerprint).

Watch-outs

Streamlining and automating authentication have risks that should be evaluated and addressed as part of authentication implementations. Listed below are several factors to consider for a secure authentication process.

An organization is still responsible, even with outsourcing. Service providers such as Amazon Web Services (AWS) address requirements definition in the context of a shared responsibility model (Todorov & Ozkan, 2013). AWS clients are responsible for defining and managing their systems within the AWS architecture. When additional layers of security such as authentication are required, AWS or other vendors’ services are the client’s responsibility. Whether an organization has full control over their physical computing assets or utilizes cloud computing, an organization has ultimate responsibility for authentication.  This includes policies, administration, monitoring, and risk assessment.

Do not build a home-grown system. Open-source web application vulnerability group OWASP (2013) has identified authentication bypass and session management as a top security vulnerability for web applications. Authentication services are available in may forms that permit ease of access and management. For example, the software development framework Ruby on Rails (n.d.) has several programmatic options for use authentication. External options should be thoroughly vetted, but external options have a higher likelihood of proper development by individuals who understand authentication. A home-grown solution should only be considered if there is sufficient capability and skill to create a system.  External testing and validation should be required for securing authentication.

Authentication may require a mix of providers and managed solution(s). Passwords are a significant form of authentication, but users are increasingly interested in other options due to data breaches such as Yahoo (NCSA, 2016). Since passwords were first used, authentication by password management has developed substantial systemic complexity (Vacca, 2013). As users have become open to more options and newer avenues to authentication have evolved, organizations have the opportunity to examine many options including vendors known as managed authentication service vendors that streamline the authentication management challenge (ILS Technology, 2008).  It is important to centrally align and manage authentication policies , procedures, and technology choices.

References

Bonderud, D. (2014, August). Multifactor authentication market to be worth $10 billion by 2017 — But is the model all wrong? Security Intelligence. Retrieved from https://securityintelligence.com/news/multifactor-authentication-market-worth-10-billion-2017-model-wrong/

Bonneau, J., Herley, C., Van Oorschot, P. C., & Stajano, F. (2015). Passwords and the evolution of imperfect authentication. Communications Of The ACM, 58(7), 78-87. doi:10.1145/269939

Goodrich, M. T., & Tamassia, R. (2011). Introduction to computer security. Boston: Pearson

ILS Technology. (2008). ILS technology releases authentication managed service enhancement for secureWISE. Business Wire. Retrieved from http://www.businesswire.com/news/home/20081202005560/en/ILS-Technology-Releases-Authentication-Managed-Service-Enhancement

National Cybersecurity Alliance (NCSA). (2016). Lock down your login. Retrieved from https://stopthinkconnect.org/campaigns/lock-down-your-login

National Institute of Standards and Technology (NIST). (2011, December 21). NIST special publication expands government authentication options. ScienceDaily. Retrieved October 6, 2016 from www.sciencedaily.com/releases/2011/12/111221105829.htm

Oltsik, J. (2014). BYOA: Bring your own authentication (opinion). Network World. Retrieved from http://www.networkworld.com/article/2458760/security0/byoa-bring-your-own-authentication.html

OWASP. (2013). Top 10 2013. Retrieved from https://www.owasp.org/index.php/Top_10_2013-Top_10

Ruby on Rails [computer software]. (n.d.) Rails authentication. Retrieved from https://www.ruby-toolbox.com/categories/rails_authentication

Sharma, Kapoor, & Dhillon. (2013). Design of biometric authentication system using three basic human traits. International Journal of Science and Research (IJSR).  Retrieved from http://www.ijsr.net/archive/v5i1/12011602.pdf

Todorov & Ozkan. (2013). Amazon Web Services – AWS security best practices (white paper). Retrieved from http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf