Whether you want to place a bid at eBay, check your bank balance online or your credit rating at Schufa or Experian, or access your corporate SAP account: Instead of asking you to please enter your user name and password, chances are the system nowadays will demand some other method of authentication like a token or a smartcard, or it may offer to scan your finger or iris.
The procedures may differ, but the reasons behind them are the same: Companies want to protect themselves from rampant online fraud. And it's not just banks that are starting to deploy so-called "two-tier" or "redundant" security to their customers. The big question, though, remains: Are these systems really safer? Or to put it another way: Are two better than one in the complex world of IT security?Our gut feeling says yes, but theories sometimes misfire. Take for instance a customer with multiple bank accounts who wants to be able to access all of them while on the road. He may have to lug a load of authentication hardware around wherever he goes. Oh, and don't forget the corresponding reader devices!
On the other side, operators of an online shop or internet service often opt for proprietary solutions, forcing the user to go through the learning process every time he wants to use a new service. There may be safety in confusion, but don't bet on it.
As a rational person, one with an average sense of risk-awareness and an adequately developed understanding of the technology issues, you may sometimes ask yourself whether all this is strictly necessary. After a while, though, we all tend to just give up and submit to life's complexity.
But in fact, there are already alternatives available. Just take highly flexible authentication systems on the market today which generally run under the name "Versatile Authentication Service Platform", or VASP. Most of them allow for simultaneous use of various authentication mechanisms such as user name/password, one-time passwords, certificate-based verification via smartcards, grid cards, challenge-response systems, biometric systems or any combination of the above.
This goes especially for shared applications that perform transaction-based or context-based risk analysis during authentication, something that can be of great benefit to the companies involved. In this case, authentication aims at matching the level of access allowed to the individual transaction or task. True strong authentication is optional in such cases since slightly weaker (and cheaper) methods may suffice. Such systems are usually able to escalate the authentication process by requesting additional bonafides if more sensitive data is needed.
In order to successfully deploy this kind of system, organizations need to model risks and thresholds on experience from previous transactions. If they don't, helpdesks will be inundated with calls from frustrated users and customers complaining about being unable to read email while on vacation or access their corporate data from their home offices.
A sensible, well thought-out and above all highly flexible authentication strategy should be part of any responsible IT strategy. The tools and tokens are out there for IT departments and system integrators to create strong authentication systems that don't lead to new problems and generally make life miserable for the user. But since there is yet no universal system available, the best method seems to be to opt for end-point centralization using VASP. Choosing the right solution may depend on the number of users, the type of applications involved as well as on available budget, but once in place it can go far towards reducing complexity and increasing security - and that not just in theory, but in actual practice.