Network Computing is part of the Informa Tech Division of Informa PLC


Fortifying Your Network-Access Control: Page 6 of 11

The OATH reference architecture relies on two-factor authentication. A number of second factors can be used, ranging from one-time passwords to hardware tokens, smart cards and SIM cards like those used in cell phones. The goal is an open architecture in which components, such as tokens, manufactured by one vendor will be usable to authenticate to a server created by another vendor. IBM and Aladdin have announced products supporting the standard, and the consortium says it will submit the proposed standard to the IETF for formalization. The prospect is intriguing.

Sign Me On

Although two-factor authentication gets a great deal of attention, strong passwords, safely stored and transported, can provide sufficient security for many environments. What makes a password strong? We've mentioned requiring a mix of numbers and other characters, with no component of the password matching a string found in a common dictionary. The password hash must be stored in a secure, encrypted database, and the password shouldn't be passed "in the clear" during remote access.
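As an added illustration of the policy just described (not code from the article or from any vendor it names), the following Python checks a candidate password against the stated rules, a mix of digits and other characters and no component matching a dictionary string, and then stores it as a salted PBKDF2 hash rather than in the clear. The minimum length, the PBKDF2 work factor and the tiny in-line word list are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed mini "dictionary" for the example; a deployment would load a real wordlist.
DICTIONARY = {"password", "welcome", "summer", "admin", "secret", "network"}

MIN_LENGTH = 12          # assumption: the article gives no minimum length
MIN_WORD_LEN = 4         # ignore trivially short dictionary entries
PBKDF2_ROUNDS = 200_000  # assumption: work factor chosen for this example


def password_problems(candidate: str) -> list[str]:
    """Return the policy violations found (an empty list means the password passes)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isalpha() for ch in candidate):
        problems.append("no letter")
    if not any(ch.isdigit() for ch in candidate):
        problems.append("no digit")
    if not any(not ch.isalnum() for ch in candidate):
        problems.append("no symbol")
    # Article rule: no component of the password may match a dictionary string,
    # so any embedded word counts, not just a whole-password match.
    lowered = candidate.lower()
    for word in sorted(w for w in DICTIONARY if len(w) >= MIN_WORD_LEN and w in lowered):
        problems.append(f"contains dictionary word '{word}'")
    return problems


def hash_password(candidate: str) -> str:
    """Salted PBKDF2-HMAC-SHA256 record; this, not the password, is what gets stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, record: str) -> bool:
    """Recompute the hash with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for pw in ("Welcome2025!!", "xT4#q9vL!m2Zr"):
        print(pw, "->", password_problems(pw) or "ok")
```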

The problem of end users forgetting their passwords or recording them in an insecure fashion is compounded if the organization has multiple applications, each of which requires its own strong password. For these environments, SSO is a critical step forward in balancing security requirements with user needs. Indeed, as authentication becomes stronger and the possibilities for standards grow brighter, more companies are beginning to consider enterprise SSO--a system in which all networks (wired, wireless and VPN) and all applications are authenticated from user credentials stored during a single login at the beginning of the user session.

SSO's major stumbling block has been technological--how do you pass authentication information between networks and applications, and how do you securely store authentication information from a network login to be used for applications later in the session? SSO is one topic that quickly leads to discussions of dedicated security products. Computer Associates' eTrust, for example, has an SSO module that works within the CA enterprise framework. Other vendors--including IBM, Novell and Sun--use the more expansive phrase "identity management" to build in SSO capabilities.