What’s proper strong authentication?

Everybody knows the answer: strong authentication involves more than one factor, usually something you know and something you have. Yet it never ceases to amaze me how wildly the interpretations of strong authentication vary.

Strong authentication is authentication in which the multiple factors are interdependent, and at least one of the factors can neither be issued without the full knowledge of the system administrators nor be (easily) cloned.

Take the GSM mobile telephone. The telephone’s SIM, when protected with a PIN, is strong authentication: no one can easily clone the SIM. However, the telephone number assigned to that subscriber via the SIM isn’t: it is quite easy to misrepresent the source phone number when placing calls (there are DIY solutions, process exploits, and services; the same applies to SMS). A Java applet that is loaded onto the phone and requires a password to run is not strong either – it can be copied.

I would discard biometrics, for one cannot replace those authentication factors easily. Plus, one’s fingerprints, voice or DNA aren’t kept strictly private. Cloning is always an option – some fingerprint scanners, including one marketed by Microsoft, happily accept artificial fingers made of lollies.

The smart card is, by far, the best strong authentication solution. The technology has been available in Windows since 1999 and is quite mature by now. There are no excuses for living with passwords, especially when you see passwords as a risk.
