Cloud Computing Should Drive Demand for Multi-factor Authentication

It was gratifying to see this post by Tim Hastings in ReadWriteWeb, addressing “multi-factor authentication in the cloud”. I was especially interested to note that the dynamic duo of VMware and Intel are sponsors of the ReadWrite Cloud “channel”, which I guess makes RWW a network of sorts.

Hastings correctly notes that many recent high-profile phishing attacks started by overcoming the weak security technologies and protocols surrounding Gmail passwords. He correctly points out that the most common security mechanisms employed to control access to information “that’s out there” are woefully lacking. Username and password together are still a single factor – something you know. So the word is spreading that “stronger authentication” is sorely needed.

In the article Hastings also cites the multi-factor approaches of two of the leading e-commerce cloud operators, Amazon.com and Google Apps. Amazon goes to the expense of distributing token key-fobs that display limited time, single use passwords. That’s got to be music for technology provider Gemalto.

There was also this link to an enticing menu of “identity management add-ons” for Google Apps, from the likes of Ping Identity, TriCipher, SADA Systems, MultiFactor Corporation, eForcers, Yubico and others. Some of the technologies highlight the convenience of “single sign-on” access to a multiplicity of Web services. Others build their value proposition on “tokenless” authentication – primarily treating a browser as something you have, and information in an enterprise directory (such as Microsoft’s Active Directory) as the basis for managing something you know, such as username and password.

The move to IP telephony has opened the door to more interesting voice applications and the “virtualization” of telecommunications infrastructure. The corresponding popularization of cloud computing and distributed apps, including support for mobile devices, heightens the need for stronger authentication. Based on the pricing in the Google Marketplace, the rack rate for tokenless authentication infrastructure is about $3 per month per protected account, which can be discounted to as little as $30 per year. Turning the phone or browser into a soft token authenticates the device being used, not the individual using it. For the growing number of use cases where strong authentication is mandatory, an approach that uses biometrics (fingerprints, voiceprints or retinal scans) will also be mandatory. For mobile phones – indeed all phones – voice is the most natural biometric.

There’s the chain of causality. Communications apps are moving inexorably into “the cloud”. The cloud has become conspicuously vulnerable to hacker attacks and malicious access. At the same time, a multiplicity of applications and use cases call for stronger authentication of the individuals who are gaining access to cloud-based data and other resources. Today’s solutions, which emphasize the convenience of single sign-on while touting the strength of their multi-factor approach, are much better at authenticating devices or browsers than individuals. Only a biometric is associated with “something you are” (as opposed to “something you have” or “something you know”, both of which are fairly easily compromised). Add the fact that voice “makes sense” for phone-based applications, and I rest my case.
