This is supposed to be a big year for identity management. IDC thinks we might all be logging onto the corporate network with our Facebook logins. Wired Magazine has declared passwords dead. BYOD is forcing IT to integrate personal devices that are used outside of the office by multiple parties. And every hardware vendor seems to offer its own proprietary biometric scanner that no one ever uses.
Identity management is a mess, but it's an important mess. There's just too much sensitive data being aggregated online for criminals to ignore. So what does this mean to you in 2013?
Let's start with IDC. In late 2012, the company predicted "that many more enterprises, and the security software and services vendors that serve them, will use the identity management systems of Facebook, Google, Yahoo!, Microsoft, and other consumer social networks and cloud services as a new foundation for enterprise authentication." While this makes an interesting conversation starter, it's a non-issue for most enterprises. To be fair, the OAuth standard used by social networks has some pretty interesting features, but migrating to such a system doesn't solve the primary problem of keeping your data safe. This one is safe to ignore.
So what does keep your data safe? Passwords, the long-time bedrock of identity management. Wired Magazine's article brought up some important concerns about them. Faster computers, lazy users, and more efficient data sharing among criminals have made passwords almost trivial to circumvent. If bad guys with enough resources want in, nearly all consumer-accessible systems and the majority of corporate systems can be compromised. Forrester Research has some excellent ideas about mitigating risk without throwing the system away, but even they admit that, ultimately, passwords are insufficient. But are passwords going away? Not a chance. Users understand them, IT departments know how to manage them, and they're hardware-independent. Passwords are fine. They just need a boost.
And there's the real problem: single-factor authentication. Any system that relies on only one factor is easy to dupe -- fake IDs have worked for decades. Adding a second authentication factor provides exponential security improvements, and forces criminals to expend a tremendous amount of effort. That's why bank cards require a PIN or a visual ID check at the point of sale. Two-factor authentication isn't perfect, as we learned from the Verizon employee who shipped his ID dongle to Chinese outsourcers. Still, it's a huge upgrade over traditional passwords, and if you're not using two-factor authentication (2FA), this is the year you should start.
What should your 2FA system look like? It's a bit murky, but think low-tech. Biometrics are out. Biometric scanners work reasonably well in retail locations (my gym has used a thumb print scan for more than a year now), but the economics of distributing hardware to a diverse workforce, syncing multiple device types, addressing privacy concerns, and supporting the whole system are a nightmare. For access to highly specific resources (e.g., a government lab or a specific piece of hardware), biometrics can make sense, but as an enterprise standard, don't expect to see it for years. There's also been a lot of talk about smart IDs. If you're based in Europe, this shows some promise, but the US is far from a solution. The federal government is working on a voluntary ID system, but it could be years before any products based on the standard hit the market, and a wave of privacy lawsuits is on its way.
Your security firm will have recommendations for what fits your situation best, but you're probably looking at distributing physical or virtual devices that generate a unique, one-time secondary password at each user login. Activision Blizzard uses both physical and virtual (Android and iOS apps) 2FA for its Blizzard Authenticator program. Is there any reason a video game should have better security than your enterprise?
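As an added example, not code from the article or from Blizzard's product, here is the kind of time-based one-time code such a device generates, using RFC 6238 TOTP (assumed here as the device's algorithm), together with the server-side check a practitioner would want: a small clock-skew window, a constant-time compare, and a replay guard. The secret is the RFC 6238 test secret, not a real enrollment key.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret ("12345678901234567890" in base32). A real deployment generates a
# random per-user secret at enrollment and shares it with the token or app once.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, timestamp, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is the token side."""
    return hotp(secret_b32, int(timestamp) // step, digits)


def verify_totp(secret_b32, submitted, timestamp, last_accepted=-1, step=30, digits=6, skew=1):
    """Server-side check. Accepts the current step and +/- `skew` neighbouring steps to absorb
    clock drift between token and server, compares in constant time so a timing leak cannot
    help a guesser, and refuses any step at or below `last_accepted` so a code that was
    already used (or captured) cannot be replayed. Returns the matched step, or None."""
    counter = int(timestamp) // step
    for delta in range(-skew, skew + 1):
        candidate_counter = counter + delta
        if candidate_counter <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret_b32, candidate_counter, digits), submitted):
            return candidate_counter
    return None


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_SECRET_B32, now)
    print("current code:", code, "accepted at step:", verify_totp(RFC_SECRET_B32, code, now))
```

The server must persist the returned step per user and pass it back as `last_accepted` on the next login; without that, the same six digits remain valid for the whole skew window.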