With thousands of cloud services proliferating on the Internet, managing identity becomes a real challenge for most of us. Each provider has its own user and password policy. For users, it's almost impossible to safely record dozens of log-in credentials. Most people try to keep a maximum of three or four passwords. The consequence of this approach is obvious: If someone has stolen your information for one service, they will probably compromise your identity for several others.
Attempts to solve this problem are not new. Microsoft tried to implement a Web single sign-on with Passport (now called Windows Live ID). To compete with Microsoft, Sun Microsystems launched the Liberty Alliance, with the goal of creating a de facto standard for Internet Web applications. Unfortunately, both initiatives had limited adoption, and both applications are now nearly dead.
A few years later, at the RSA conference in 2006, Bill Gates gave a keynote address on the end of passwords for the Internet by using CardSpace (i.e., Information Cards), which was introduced with Microsoft Windows Vista. However, five years later, just a few services on the Internet have adopted the "standard." In fact, it is really hard to change user behavior. Nowadays, users are accessing their services from several devices, such as PCs at the office and home, smartphones, tablets, TVs, etc., a trend that contributed to a low rate of adoption for CardSpace.
Passport, Liberty Alliance and CardSpace were designed for user convenience, but in reality didn't increase the security level. Service providers have valid concerns about these technologies, which can lead to low adoption rates. That's why most Internet banking systems around the globe never adopted them. Instead, banking systems added mechanisms to confirm user identity, while at the same time providing ways for people to utilize Web-based services.
Usually, a user has a login and password as authentication, but it's not enough to guarantee the user's identity since his or her credentials could have been stolen. Some efforts have been made to protect users against this kind of attack. For example, today many financial institutions use virtual keyboards that change the position of the numbers and letters with each new session.
However, attackers can potentially circumvent this process by adding the capability of taking screen snapshots at every mouse click. An improvement on this basic approach would be to put two characters together on a single button.
This increases security, but not for long. The more someone uses this interface and the more the character clusters change, the more data the attacker can gather, and the more clues the attacker obtains about the user's password. Therefore, adding a second factor for authentication (i.e., two-factor authentication) can improve security and mitigate attacks that rely on a stolen login and password. To make it work, the system should go beyond what the user knows (login and password) and incorporate into the system what the user has (e.g., a One-Time Password token, or OTP).
However, giving something to a user is not an inexpensive approach. There are many logistics involved in deploying and maintaining a solution like this. There are many technologies out there that companies can use. One of the cheapest methods available is the token table. The token table is a rudimentary OTP challenge/response solution where the service asks not only for a login and password, but also for the user to enter, for example, code 10 from his token table.
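The token-table exchange described above, sketched as an added example (not code from the article or from any bank). The names `issue_table`, `TokenTableVerifier` and `exposure`, the table size and the three-try limit are assumptions chosen for illustration; `exposure` quantifies how quickly a fixed table is revealed to someone who observes logins.

```python
import hmac
import secrets

def issue_table(size=40, digits=3):
    """Return the card handed to the user: position -> fixed code."""
    return {pos: f"{secrets.randbelow(10 ** digits):0{digits}d}"
            for pos in range(1, size + 1)}

class TokenTableVerifier:
    MAX_TRIES = 3  # wrong answers allowed before this login attempt locks

    def __init__(self, table):
        self.table = dict(table)  # server's copy of the user's card
        self.pending = None       # position asked for in the current login
        self.tries = 0

    def challenge(self):
        """After the password check succeeds, ask for one random position."""
        if self.pending is None:
            # Keep the same position until it is answered, so reloading
            # the page cannot be used to wait for an already-seen position.
            self.pending = secrets.choice(sorted(self.table))
            self.tries = 0
        return self.pending

    def respond(self, code):
        """Check the answer; stays locked after MAX_TRIES (reset not modeled)."""
        if self.pending is None or self.tries >= self.MAX_TRIES:
            return False
        self.tries += 1
        expected = self.table[self.pending]
        ok = hmac.compare_digest(code.encode(), expected.encode())
        if ok:
            self.pending = None   # next login gets a fresh random position
        return ok

def exposure(size, observed_logins):
    """Expected fraction of the card seen by someone who watched N logins."""
    return 1 - (1 - 1 / size) ** observed_logins

if __name__ == "__main__":
    card = issue_table()          # constructed sample card
    server = TokenTableVerifier(card)
    pos = server.challenge()
    print("asked for code", pos, "->", server.respond(card[pos]))
    print("card exposed after 40 observed logins:", round(exposure(40, 40), 2))
```

Because the codes on the card never change, every observed login permanently reveals one of them, which is the limitation a time-based OTP removes.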
I can't say that this method is ineffective, but of course it has its limitations because of the limited number of codes, the fact that the table is easy to scan, etc. Some Internet Banking services use OTP tokens. OTP tokens are six-digit codes that are time-based. You generate an OTP and the resulting token is valid for some period of time (i.e., usually 1 minute). As you can imagine, it's not a cheap solution, and from a user's perspective, it doesn't scale. Take my own example: I have an account in two different banks. Each bank offered me these tokens. Can you imagine one for each bank, one for Facebook, one for Twitter, one for Amazon, etc.? In the end, I would carry dozens of these tokens. It's an ineffective approach that's inconvenient for users.
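How a time-based six-digit code with a one-minute lifetime can be generated and checked, as an added example that is not from the article. It assumes the open TOTP standard (RFC 6238, HMAC-SHA1), which the article does not name and which a given bank token may not use; `totp`, `Verifier` and `drift_steps` are illustrative names, and the secret in the demo is the RFC's published test key.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds a code stays valid (the article's "usually 1 minute")
DIGITS = 6

def totp(secret: bytes, now: float, step: int = STEP) -> str:
    """RFC 6238 code for the time step containing `now`."""
    counter = int(now) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

class Verifier:
    """Server side: tolerate small clock drift, refuse reused codes."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift = drift_steps
        self.last_step = -1  # highest time step already accepted

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // STEP
        for step in range(current - self.drift, current + self.drift + 1):
            if step <= self.last_step:
                continue     # step already used: a replayed code is rejected
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(code.encode(), expected.encode()):
                self.last_step = step
                return True
        return False

if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test key, not a real secret
    server = Verifier(secret)
    code = totp(secret, 100)
    print(code, server.verify(code, 100))        # accepted once
    print("replay:", server.verify(code, 110))   # same code refused
```

The drift window trades usability for exposure: each extra step accepted on either side lengthens the time a captured code remains usable, which is why the verifier also records the last accepted step.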
There are a variety of possible solutions. Facebook and Google have adopted an approach that uses mobile phones to retrieve a password or to unlock an account. Some banks even use a similar approach to authorize a transaction. This approach relies on a third-party device to attest to the user's identity, but at the same time it does not use a reliable medium - SMS, for example, is not very reliable (at least not globally).
To unify and simplify this process, in 2011 Intel launched an initiative called Identity Protection Technology (IPT), which is an umbrella term for a number of building block components, such as OTP authentication embedded into the chipset. By centralizing the technology in a single device, Intel lets users access their services while also decreasing concerns about man-in-the-middle or man-in-the-browser style attacks. There are many solutions to the identity issue. From a service provider's standpoint, the most pragmatic approach may be to adopt many technologies to support authentication - thereby providing the path of least resistance and hassle for the user. For example, I hate the idea of carrying an OTP token.
Bruno Domingues is a senior enterprise solution architect at Intel Corporation, focused on capacity planning and performance tuning, mission-critical planning and design, large-scale vPro deployment, and alternative computer models and infrastructures. Prior to joining Intel in 2007, Bruno worked for Microsoft and has more than 10 years of experience in the industry. Bruno holds a mathematics degree and has attained various technical certifications with Novell and Microsoft.
The above cloud computing insights were provided to InformationWeek by Intel Corporation as part of a sponsored content program. The information and opinions expressed in this content are those of Intel Corporation and its partners and not InformationWeek or its parent, UBM TechWeb.