Authentication: Password Alternatives

Passwords are ubiquitous as a means of authentication. Passwords are one of the most straightforward methods of authentication. However, in the current IT environment, passwords often are not strong enough. Alternative authentication methods can provide greater security and possibly simplify authentication for users.

So what's wrong with passwords? Passwords must be long enough and complex enough to prevent guessing or brute force attacks. Account lock-out after a number of incorrect attempts will help prevent brute force attacks, but with complex passwords users may forget, make mistakes, and then need to use a secure means to reset their password. In some cases policy may require users to speak with support staff, increasing support costs and delaying use by valid users. Single Sign On (SSO) solutions can prevent the problems caused by numerous passwords for various systems, applications, and platforms. SSO can be expensive or difficult to accomplish for small businesses.

So, what are our alternatives to passwords? Means of authentication are grouped into three categories. Something a user knows, something a user has, or something a user is. Passwords fall into the first category, because they are something a user knows. Biometric systems use physical characteristics of a user, including solutions that check fingerprints, handprints, hand geometry, or retinal scans. So, biometric authentication is based on something a user is. Authentication systems that rely on something a user has include key cards, smart cards, or USB tokens, or certificates (often via public key infrastructure / PKI). Usually, card and token systems also rely on something a user knows as well, such as a PIN.

Best is only a meaningful term in context. What's best for an enterprise financial application is usually not a sensible solution for a small business collaboration platform! Where best means "hardest to hack", retina scans and certificates with large keys will be at the top of the list. If best means, "biggest bang for the buck", there are PKI solutions that are open-source/free, so the cost is limited to implementation, training, and support. Most modern business applications support Active Directory or LDAP for integration with the OS platform & SSO. So, choosing an alternative authentication system also depends on both the application, and the main OS authentication platform.

Determine the risk, the value of what's being protected, and the potential cost of an incident. Compare this with your budget and the cost of various alternative authentication solutions. Be sure to consider the ease-of-use, training, and support costs in this equation. My advice is: don't just use an alternative means of authentication just for the sake of using it. Alternatives have weaknesses, just like passwords do. Not understanding the risks versus the value, or your business goals when implementing security solutions, are critical mistakes.