My colleague Jörg Resch recently blogged a lot about approaches for "lightweight" authentication and the risks associated with them. There are many companies out there with new or claimed-to-be-new approaches on more or less strong and more or less valid authentication. Whether that's the approach of isec, of GrIDsure, of Yubikey or one of the many other vendors out there, I doubt that there is the holy grail of authentication amongst. Some of them are definitely interesting, some of them not. Many of them are interesting as one element in an authentication strategy - like GrIDsure, which is OEMed by other vendors as part of their solutions. There is no doubt that many of these solutions can provide value in specific use cases - Multifactor Corp. provides something for and from the cloud, Yubikey is lightweight, GrIDsure as well. There are other approaches where I doubt that they really provide the required usability. I'm not a friend of approaches where you have to recognize pictures or faces, but they appear to have their market as well.
However, what's really important around all these approaches for strong authentication are two other aspects:
- How do they integrate and work together?
- Are they adequate to protect the transactions and interactions within a specific use case?
The biggest risk is that authentication is either not usable or to simple. That might happen when relying on a single mechanism. By mixing several ones, things become muh easier.
To learn more about that, you definitely should visit the European Identity Conference in Munich, May 4th to 7th. And there will be a market overview on the strong authentication market by KuppingerCole within the next few days - have a look at www.kuppingercole.com/reports.