Versatile authentication is one of the hot topics in IT - more and more vendors are starting to support it in one way or another. "Versatile", a not-so-common term, means the ability to switch flexibly between different authentication methods. In practice, versatile authentication solutions should support at least the following features:

  • Flexible use of different authentication methods.
  • Simple plug-in of additional authentication methods, i.e. extensibility.
  • Flexible interfaces for applications OR integration with existing technologies which interface with other apps.
  • Support for step-up authentication and other more advanced approaches.

Other aspects like fallback methods, management support for handling the token logistics and so on are value-adds, depending on the implementation of the versatile authentication technology.
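
The features listed above (pluggable methods, step-up, fallback) can be sketched as one small policy layer. This is an added example, not code from the post or from any vendor product; the class names, the 1-3 assurance scale, the resource names and the demo secrets are all assumptions, and `table_verifier` stands in for a real verifier such as an OTP server or smart-card check.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Method:
    name: str
    level: int                          # assurance level (scale assumed for this sketch)
    verify: Callable[[str, str], bool]

@dataclass
class Session:
    user: Optional[str] = None
    level: int = 0                      # highest assurance level proven so far

def table_verifier(secrets: Dict[str, str]) -> Callable[[str, str], bool]:
    def verify(user: str, credential: str) -> bool:   # constant-time comparison
        return user in secrets and hmac.compare_digest(secrets[user].encode(), credential.encode())
    return verify

class VersatileAuthenticator:
    def __init__(self) -> None:
        self.methods: Dict[str, Method] = {}
        self.required: Dict[str, int] = {}   # resource -> minimum assurance level

    def register(self, method: Method) -> None:   # plug-in point for new methods
        self.methods[method.name] = method

    def authenticate(self, s: Session, name: str, user: str, credential: str) -> bool:
        m = self.methods.get(name)
        # Reject unknown methods, identity switching mid-session, and bad credentials.
        if m is None or s.user not in (None, user) or not m.verify(user, credential):
            return False
        s.user, s.level = user, max(s.level, m.level)
        return True

    def authorize(self, s: Session, resource: str) -> Tuple[bool, List[str]]:
        """Return (allowed, methods that would satisfy a step-up or fallback)."""
        need = self.required.get(resource)
        if need is not None and s.user is not None and s.level >= need:
            return True, []
        # Unknown resources are denied by default and offer no step-up path.
        offers = [] if need is None else sorted(n for n, m in self.methods.items() if m.level >= need)
        return False, offers

def build_demo() -> VersatileAuthenticator:   # constructed demo data, all values invented
    va = VersatileAuthenticator()
    for name, level, secret in (("password", 1, "pw-demo"), ("soft_token", 2, "123456"), ("smart_card", 3, "card-demo")):
        va.register(Method(name, level, table_verifier({"alice": secret})))
    va.required.update({"intranet": 1, "payments": 2})
    return va
```

Because `authorize` returns every registered method that meets the required level, a user whose soft token is lost can satisfy the same step-up with the smart card, and a newly registered method becomes available without touching the application.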

The business value is easy to describe: Reusing existing strong authentication technologies for more use cases makes things cheaper. Being able to use expensive, very strong authentication where required while relying on other, cheaper, and appropriate technologies in other use cases reduces costs. Logistics for reused strong authentication technology are cheaper. All use cases, including external users like customers and suppliers, can be supported.

The interesting question is where to add versatile authentication. There is an increasing number of places where we observe versatile approaches:

  • Specific platforms for versatile authentication: These tools frequently are provided by vendors of strong authentication technologies to enhance the flexibility of their solutions. Sometimes they are part of the context-/risk-based authentication market.
  • Enterprise SSO: Given that E-SSO is a point of authentication to many applications, it makes sense to support versatility there - to allow a strong, graded authentication to different applications.
  • Core OS: The primary authentication is another area. What has been common in Unix/Linux environments for a long time has also been well supported in Windows environments since Windows Vista, replacing the error-prone, inflexible GINA approach. In fact, that is versatility built into the OS.
  • Web Access Management: Another SSO point, counterpart to E-SSO.
  • Context/Risk-based authentication platforms: They usually support at least some degree of versatility as well.

Overall, supporting versatile authentication is more and more a standard feature and the "versatility" of platforms for authentication is, from my point of view, an important point when selecting vendors. Hard-coding strong authentication into applications doesn't really make sense anymore.

Going one step further and looking at the title of this post: Yes, I think that versatile authentication is the key to mass adoption for strong authentication because it allows for reuse and flexibility. Instead of deciding on one approach, which either is sort of "overkill" for many use cases and leads to high costs or isn't secure enough for other scenarios, there can be a mix of technologies. And, beyond that, fallback (think about forgotten/lost tokens) and step-up (think about high-value transactions and access to very sensitive information) become much easier. Customers can be integrated more easily with simpler approaches like soft-tokens, using stronger technologies only in specific scenarios. And new approaches like the upcoming German nPA (national electronic ID card) might be integrated easily as just another approach for strong authentication. And especially the upcoming eID cards in many countries are a strong authentication mechanism which will be widely available.

Thus: When thinking about any investment in strong authentication, don't forget to build this on a versatile approach.

We will discuss the topic at EIC 2010 - and there will be an interesting webinar soon as well.