Friday, February 19, 2010

Step-Across Authentication

Martin Kuppinger’s blog post on “Simplifying or over-simplifying authentication” got me thinking about what I am calling “step-across” authentication. Many vendors and bloggers have talked about “step-up” authentication. That’s authentication where in one case a userid and password might be acceptable but in another case you need stronger authentication, so you may have to “step up” to a smartcard or a one-time password. Martin spiked this thought into my brain with his point:
My point is: It is not about choosing the authentication mechanism but it is about choosing the best mix of few mechanisms, depending on your use cases. That requires an authentication (and authorization) strategy. That requires platforms for versatile authentication like the ones offered by vendors like ActivIdentity, Entrust, Oracle, and others. That requires a clear understanding of the risk and thus the security requirements of different use cases. Then it is about choosing the appropriate mechanism or a mix of them, to use step-up authentication if required and so on.
The appropriate mechanism or a mix of them. Quite right. Rather than step up, you may also want to step across the authentication barrier and go out-of-band. Late last year I blogged about the right authentication for the right risk, and this is not that different. In one instance a userid and password might be fine. In another you may want to step up to a smartcard or a one-time password, or maybe you want to step out of the normal channel and send the user an SMS one-time password on their phone? Or how about an email that they need to respond to on their phone? Martin is right, strong authentication could be easier if we had more choices.
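To make the step-up / step-across distinction concrete, here is an added example (not from the post, nor any vendor's product) of a small risk-tiered policy and an out-of-band one-time code. The tiers, authenticator names and the 5-minute, 3-attempt limits are assumptions constructed for illustration.

```python
import hmac
import secrets
import time

# Hypothetical risk-tiered policy constructed for this example: each tier lists the
# authenticator sets that satisfy it. Low risk accepts a password; medium steps up to a
# second in-band factor; high steps across to a second, out-of-band channel.
PASSWORD, SMARTCARD, OTP_TOKEN, OOB_SMS, OOB_EMAIL = (
    "password", "smartcard", "otp_token", "oob_sms", "oob_email")
OUT_OF_BAND = {OOB_SMS, OOB_EMAIL}
POLICY = {
    "low": [{PASSWORD}],
    "medium": [{PASSWORD, SMARTCARD}, {PASSWORD, OTP_TOKEN}],
    "high": [{PASSWORD, OOB_SMS}, {PASSWORD, OOB_EMAIL}],
}


def decide(risk, presented):
    """Return 'allow', 'step-up' or 'step-across' for the authenticators presented so far."""
    if any(required <= presented for required in POLICY[risk]):
        return "allow"
    # If every acceptable set for this tier needs an out-of-band factor, ask for one.
    if all(required & OUT_OF_BAND for required in POLICY[risk]):
        return "step-across"
    return "step-up"


class OutOfBandChallenge:
    """One-time code sent on a second channel (SMS or e-mail), bound to one transaction,
    time-limited, single-use and attempt-limited, so a replayed or guessed code fails."""

    def __init__(self, transaction, ttl=300, max_attempts=3, now=time.time):
        self.transaction = transaction
        self.code = f"{secrets.randbelow(10**6):06d}"   # the value delivered out-of-band
        self.expires_at = now() + ttl
        self.attempts_left = max_attempts
        self.used = False
        self._now = now                                   # injectable clock for testing

    def verify(self, transaction, code):
        if self.used or self.attempts_left <= 0 or self._now() > self.expires_at:
            return False
        self.attempts_left -= 1
        # Both the code and the transaction it was issued for must match; the code
        # comparison is constant-time so a wrong guess leaks nothing about the right one.
        ok = hmac.compare_digest(code, self.code) and transaction == self.transaction
        self.used = ok
        return ok
```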
