Trilight Zone Forum
Privacy & Anonymity is our speciality !

Strong Authentication and Internet-Facing Applications

tricore (Guest)
Posted: Thu Feb 01, 2007 2:37 am    Post subject: Strong Authentication and Internet-Facing Applications

The weaknesses of the username/password paradigm that rules authentication for public Internet commerce are well-known and severe. Users are not inclined to choose strong passwords or to change them frequently. They too easily give their passwords up out of carelessness, or to social engineering attacks such as phishing.

Enterprise IT is willing to go a step further, implementing two-factor authentication. The second factor, beyond the password, is usually a device such as a one-time password (OTP) token, but many options for strong authentication exist, such as tokens with digital certificates and smart cards.

But even those Internet-facing sites with the most to lose have been reluctant to employ these proven devices, despite years of trial programs and promises. And the reluctance is understandable.

Multi-factor authentication is expensive to deploy and maintain. A company has to physically ship tokens to users, train users to use the tokens properly, and change its own applications to require and work correctly with the tokens. It can expect a wave of new support questions from users who have never dealt with such devices before, as well as from those whose tokens are lost or run through the washing machine.

Even if you're nice to your employees, there's a big difference between how you treat them as compared to your customers. If company policy is that you go to your training at an appointed time and use an OTP token, then that's the way it is. Service organizations like banks and e-commerce sites don't want to order customers around, and customers may feel intimidated and ill-treated by such systems.

But the worst part of it all is that they could end up needing a different token and procedures for their bank, their brokerage, and every e-commerce site. Contrast this situation with that of credit cards, which work the same way from card to card no matter where you go.

Clearly, standards in Web-based authentication are very weak and diffuse—until recently.

This latter device independence has the potential to make matters much more convenient for consumers. Any device compatible with the OATH standard, from the Initiative for Open Authentication, can be used. A strong public standard will likely mean that users will be able to use cell phones, PDAs, MP3 players, and other common devices as authentication tokens. This convenience and familiarity should minimize the intimidation factor.

VIP is a major convenience and cost saving for the authenticating sites as well. Sites can operate the authentication infrastructure themselves if they wish, or outsource the function to VeriSign. This allows even relatively small commerce sites to have first-class security on user authentication without having to worry about difficult support issues, token fulfillment, and distribution. They can integrate their own sites into VIP through HTTP redirects or AJAX methods, and administer the system through a portal provided by VeriSign.

VIP also includes a service called the VIP Fraud Detection Service (FDS). This is a background service that monitors transactions, using business rules and machine learning to detect suspicious behaviors. FDS looks at IP addresses, browser headers, and even geographic locations of systems. When something fishy is going on, it can block a site or challenge the user for additional information.

There's still a lot of work to be done to beef up authentication security for Internet-facing sites, but VIP takes us much of the way there. Coordination with PC security companies such as Symantec, which announced support for VIP in its latest line of Norton products as part of the company's Security 2.0 effort, will help too.
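The post above talks about OATH-compatible OTP tokens and the server that has to validate them, but never shows what the token and the site actually compute. The following is an added example, not part of the original post and not VeriSign's VIP code: it implements the OATH event-based algorithm, HOTP from RFC 4226 (HMAC-SHA1 over a counter, then dynamic truncation), together with the server-side checks a site needs so the scheme is safe to expose to the Internet: a look-ahead window so a token whose counter drifted ahead can resynchronise, a moving counter so an accepted code can never be replayed, and a lockout after repeated failures. The HotpValidator class, the window and lockout sizes are assumptions of this example; the 20-byte secret "12345678901234567890" and the expected codes are the published RFC 4226 test vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter step.

    HMAC-SHA1 over the 8-byte big-endian counter, then "dynamic truncation":
    the low nibble of the last MAC byte selects a 4-byte window, whose top bit
    is masked off before reducing modulo 10^digits.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


class HotpValidator:
    """Server-side state for one user's token (hypothetical class, not VIP's API).

    Holds the shared secret, the next counter the server expects, a look-ahead
    window for resynchronisation and a consecutive-failure lockout, the two
    server-side measures RFC 4226 section 7 asks for.
    """

    def __init__(self, secret: bytes, look_ahead: int = 10, max_failures: int = 5):
        self.secret = secret
        self.counter = 0              # next counter value the server expects
        self.look_ahead = look_ahead  # how far ahead a drifted token may be
        self.max_failures = max_failures
        self.failures = 0

    @property
    def locked(self) -> bool:
        """True once too many consecutive wrong codes were submitted."""
        return self.failures >= self.max_failures

    def verify(self, submitted: str) -> bool:
        """Accept a code for the expected counter or any of the next look_ahead
        counters (the user may have pressed the button without logging in), then
        move the server counter past the matched step so the same code, or any
        earlier one, can never be accepted again."""
        if self.locked:
            return False
        for step in range(self.look_ahead + 1):
            candidate = hotp(self.secret, self.counter + step)
            if hmac.compare_digest(candidate, submitted):
                self.counter += step + 1
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret; a real deployment uses a random per-token key.
    secret = b"12345678901234567890"
    print([hotp(secret, c) for c in range(3)])      # ['755224', '287082', '359152']

    site = HotpValidator(secret, look_ahead=5, max_failures=3)
    print(site.verify(hotp(secret, 0)))             # True: first login
    print(site.verify(hotp(secret, 0)))             # False: replayed code
    print(site.verify(hotp(secret, 3)))             # True: token drifted ahead, resynced
    print(site.verify(hotp(secret, 1)))             # False: code from behind the counter
```

Two points worth noticing in the verifier: the constant-time comparison (hmac.compare_digest) matters because the six-digit code is short enough that a character-by-character compare leaks to a remote attacker, and the look-ahead window must stay small, since every extra step is another code an attacker's guess may hit.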
All times are GMT