Recently, CIO magazine published an article “Will Tech Industry Ever Fix Passwords?”, pointing out that “…in this age of cloud computing, SaaS and increased mobility, users are spreading their credentials everywhere. Passwords are inherently weak. Dictionary attacks are standard and rainbow tables can be used to crack more sophisticated passwords.”
Rather than inventing ever more complicated and difficult-to-manage password rules and procedures, the industry needs an approach that eliminates the need for passwords altogether – that approach is single sign-on (SSO). Standards-based federated SSO, in which an identity provider issues a signed token that the service provider verifies instead of checking a password itself, has proven to be the best alternative to user ID/password-based authentication.
SAML (Security Assertion Markup Language) is a widely used federated SSO industry standard, but it is typically used for B2B access management. OpenID has become popular for reusing credentials from social media providers (e.g., Facebook and Google), but, as the article points out, it contains some security holes that need to be plugged.
While there is no panacea available today—especially for consumers—eventually the industry will settle on a single, widely accepted standard, such as SAML, as the basis for authentication. Two-factor authentication will also achieve greater prominence as a way of securely identifying an individual using more than a user ID/password combination. The good news is that two-factor authentication, using a variety of approaches, such as delivering a one-time password to a mobile device, or facial recognition using standard webcams and mobile cameras, is readily available today and is becoming increasingly consumer-friendly.
Businesses are already deploying SSO portals, either inside the firewall or in the cloud as a service, for their employees, contractors, business partners and customers. It is likely that a consumer-oriented service will emerge that provides a personalized portal: a customized web page—protected by two-factor authentication tools—that consumers can use to quickly and easily federate their identity with all the various SaaS apps and web sites they want to access.
The technology exists today to provide both business users and consumers with secure access to any web app, from any device, without needing to remember dozens of user ID/password combinations. Now, it’s mostly a question of defining the business model and making a solution available that ordinary consumers will find useful. To find out more, visit McAfee.com or intelcloudsso.com and be sure to follow @IntelSec_Biz on Twitter.