Smarter Authentication

Robust and reliable authentication is the essential first line of security for any application or system. Make authentication too difficult and users won’t use your solution; make it too easy and the bad guys will.

There are various flavors of authentication, from simple username/password solutions to multi-factor and risk-based authentication systems that provide very high levels of security. Here are a couple of noteworthy solutions, both of which have been available for quite some time, that should be on your short list if you’re trying to protect an application, a network or your data:

  • TextPower offers an elegant solution called TextKey that provides an interesting twist on two-factor authentication. Many banks, cloud providers and others offer two-factor authentication that sends a code to your mobile phone and asks you to enter it after you’ve entered a username and password. While this scheme does provide an added layer of security, it is still subject to man-in-the-middle or man-in-the-browser attacks and other exploits. TextKey reverses the direction in which the mobile phone is used for authentication: instead of receiving a code via mobile and entering it into a browser, the secure application displays a code and asks the user to text it to the application. Because every mobile phone has a Unique Device Identifier (UDID), the mobile carrier will not send the SMS message if someone is trying to spoof the system, because the sending mobile number (already stored in the application’s database) and the UDID must match. In short, authentication cannot take place because a bogus user cannot get their SMS through. TextKey also uses a number of other authentication criteria to provide very solid protection against hackers and others.
  • Confident Technologies has developed an authentication solution that studies have proven to be quite secure despite its simplicity. Instead of entering a password, the user identifies images belonging to categories that he or she memorized earlier. For example, when setting up access to an application, a user selects three categories of images, such as planes, rockets and dogs. When he or she attempts to access the system, a grid of images is presented, and the user selects the images that correspond to the predetermined categories. The images change each time access is attempted, but are always consistent with the predetermined choices. The company also offers an image-based CAPTCHA system, far better than the text-based solutions that are widely deployed. Studies have shown that image-based authentication is easier to use than password-based systems and is more resistant to brute-force and dictionary attacks. In one study, users were asked to set up text-based passwords and image passwords. After 16 weeks, only 40% of users could remember the former, but 100% could remember the latter. When asked to change their passwords and images, 75% could remember their text-based passwords, but all of the subjects could remember the changed images. Add to this the fact that image-based systems are also more resistant to keystroke loggers, a serious problem for many.
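
The reversed SMS flow described for TextKey above can be sketched from the server's side: the application shows a one-time code, and the inbound text is accepted only if it arrives from the number enrolled for that user, before the code expires, and on the first attempt. This is an added example, not TextKey's own code; the usernames and phone numbers are constructed sample data, and the carrier-side UDID check the article mentions happens before a message reaches an application, so it is not modelled here.

```python
import hmac
import secrets
import string
import time

CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_TTL_SECONDS = 120


class ReverseSmsAuthenticator:
    """Server side of a 'user texts the displayed code to us' second factor.

    Illustrative only: not TextKey's implementation.
    """

    def __init__(self, registered_numbers, now=time.time):
        # username -> mobile number enrolled out of band (constructed sample data)
        self.registered = dict(registered_numbers)
        self.number_to_user = {num: user for user, num in self.registered.items()}
        self.now = now          # injectable clock so expiry can be tested
        self.pending = {}       # username -> (code, expires_at)

    def issue_challenge(self, username):
        """Step 1: after username/password succeed, show a one-time code to the user."""
        if username not in self.registered:
            raise KeyError("unknown user")
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(8))
        self.pending[username] = (code, self.now() + CODE_TTL_SECONDS)
        return code

    def receive_sms(self, sender_number, body):
        """Step 2: inbound message from the SMS gateway. Returns the username or None."""
        # The sending number is the identity claim: it must be one we enrolled.
        username = self.number_to_user.get(sender_number)
        if username is None:
            return None
        # Single use: a challenge is consumed on the first attempt, right or wrong,
        # so a guessed or replayed code never gets a second try.
        entry = self.pending.pop(username, None)
        if entry is None:
            return None
        code, expires_at = entry
        if self.now() > expires_at:
            return None
        # Constant-time compare of the normalised body against the displayed code.
        if not hmac.compare_digest(code.encode(), body.strip().upper().encode()):
            return None
        return username
```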

Authentication is a necessary evil, but there are solutions that can offer greater security while not making life more difficult for users.
