Heartbleed is a Wake-Up Call

— May 09, 2014

SecureKey said that user names and passwords present huge risks to individuals and businesses. The trusted network provider called the Heartbleed bug an “earthquake” that has rocked the trust in user names and passwords for controlling access to a broad range of online services and websites that store personal information.

The company said it is time for business leaders to reduce risk by using the more robust network and data security offered through the use of dynamic authentication technology that is anchored in users’ trusted devices.
 
“Heartbleed is proof that systems based solely on static secrets—like user names and passwords or knowledge-based questions—are not adequate to keep people and businesses safe,” said Andre Boysen, executive vice president of marketing at SecureKey. “Strong authentication has been transformed from a complex and cumbersome technology to a frictionless, user-friendly solution that keeps data vastly safer and virtually eliminates the after effects of vulnerabilities like the Heartbleed Bug and other data breaches because every authentication is unique.”

Secrets are Safe
According to Boysen, there are several problems with authenticating solely with secrets such as user names and passwords. First, they are easily copied. In addition, once passwords become known through a vulnerability like Heartbleed, they can be used by anyone to access user accounts. Worse, there is often no smoking gun to point to where leaks have actually occurred. Finally, even if the user does everything correctly, passwords can still be compromised by some other defect in the network.

Strong authentication solves this problem by linking a secret—something the user knows, like a PIN—to a unique physical device, like a smartphone, smartcard or a unique physical attribute of the user, like a fingerprint—something the user has or is. With strong authentication, both factors must be present before the user is granted access.

Additionally, strong authentication solutions can hide actual user credentials and instead utilize cryptographically secure anonymous tokens. Unlike passwords, each access using strong authentication presents a new and unique proof of user authenticity. This creates a new challenge for attackers, further reducing any possibility that the credentials could be compromised. And all of this is accomplished while hiding the complexity from the user.

“The industry is at a critical juncture that requires changing the nature of online authentication, and strong authentication that’s easy to use will play a central role in that change,” said Sebastien Taveau, BPD chief evangelist at Synaptics, a founding member of the FIDO Alliance. “With password fatigue reaching new heights, it’s time to adopt stronger authentication methods that make it easier and more secure for people to access their online services and e-commerce sites from all their devices.”

Uninterested User
Until recently, most strong authentication solutions had been quite cumbersome to use and required too much effort on the part of the user. They were also based on proprietary smartcards, dongles or fobs users had to carry, often with different ones required for each system accessed.

All of this created very high resistance on the part of users and very high cost to deploy on a per-app or per-organization basis. What is required is a solution that delivers high business assurance and a better user experience, without introducing new devices or requiring users to learn new things.

“Trust is an essential part of doing business, and with the increasing pace of major breaches and vulnerabilities, consumer trust is eroding,” said Joni Brennan, executive director of Kantara Initiative. “Innovative businesses will evolve beyond password-based systems to provide their users with the proven security afforded by multifactor authentication.”

SecureKey’s Solution
SecureKey’s briidge.net Connect strong, password-free authentication solution hides the cryptographic complexity usually associated with this technology, and links the user’s identity to a smartphone, tablet or other device they already carry. Accessing a service or site with this technology can be as simple for the user as entering a short PIN on their smartphone, and the same PIN can be used on any other devices the user has registered.

The briidge.net Connect platform is designed to support all in-market devices today, enabling dynamic authentication anchored in devices across all delivery channels. SecureKey Partners are ready to help any enterprise implement simple, strong authentication solutions that utilize SecureKey’s cloud-based strong authentication platform, or enterprises can develop their own solutions using the SecureKey Connect Mobile SDK, tools and documentation available through the dedicated Developer Portal.
