Thursday, September 27, 2007

Strong Authentication

In today's world, when more and more applications are being consolidated into enterprise portals, we need a way to protect sensitive applications with an extra layer of protection. Strong authentication, also called multilayer (multi-factor) authentication, is the solution to this problem. Let me give a brief introduction to the different ways in which we can authenticate ourselves:

1) What we know: user ID, "secure PIN", password, security question/answer
2) What we have: "secure token", "bank ATM card"
3) What we are: biometrics

Normally we use a user ID/password combination to get into a secure site. That authentication mechanism is secure, but only to a certain extent.

Take an example where you are authenticating to a bank site using a user ID/password combination and someone on the network (a man in the middle) captures your user ID and password. He can use those credentials to get into the banking network ..... (you know what I am thinking here). It may seem very complicated on paper, but people have done it, and our goal is to reduce such attacks to the maximum possible extent.

If we introduce one more layer into the authentication logic by adding 2) or 3) from the list above, we make the system more secure, because the man in the middle will not have what you have and definitely cannot be you. This is called strong authentication.

There are various ways to introduce a second factor; one such mechanism is the One Time Password (OTP). In an OTP system the generated password can be used only once, so even if that password is captured on the network it cannot be used again.

Refer to the RFC for more insight into OTP. There are many products available on the market for OTP. Apache is also working to build one such system under the name of triplesec: http://directory.apache.org/triplesec/