Beyond Passwords: Stronger Authentication — continued

by Lisa Phifer
VP Core Competence, Inc.
[April 4, 2005]

Why go to this trouble? You get what you pay for. These stronger authentication alternatives are virtually immune to social engineering and password crackers. While passwords are easily shared, tokens and biometrics are very difficult to abuse in that fashion. There's no need to update these credentials at regular intervals to deter compromise. Although education may be required at the start, users may eventually find stronger credentials simpler to use (and remember and store) than the long, complex, frequently changed passwords.

To avoid compromise due to loss or replay, it is safer to combine two or more factors. For example, users are often required to enter a simple PIN when authenticating by token. If the user's PIN is captured by a keystroke logger, that PIN is of no value without the corresponding token. Conversely, if a token is left in a hotel room, it is little more than a colorful piece of plastic without the user's PIN. Two-factor authentication solutions like this are widely regarded as robust and routinely employed by many security-conscious organizations.
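The PIN-plus-token check described above, as an added example that is not part of the original article: a verifier that accepts a login only when both factors match and refuses a token code that has already been used. It uses the open TOTP standard (RFC 6238) as a stand-in for a vendor token's own algorithm; the class name, the PBKDF2 PIN storage, the 30-second step and the sample seed and PIN are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each token code stays valid (assumed interval)

def token_code(seed: bytes, now: float) -> str:
    """Six-digit code for the time window containing `now` (RFC 6238, HMAC-SHA1)."""
    counter = int(now // STEP)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

def pin_hash(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash so the server never stores the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class TwoFactorVerifier:  # hypothetical name, one instance per enrolled user
    def __init__(self, seed: bytes, pin: str, salt: bytes):
        self.seed, self.salt = seed, salt
        self.pin_digest = pin_hash(pin, salt)
        self.last_counter = -1  # newest time window already accepted

    def verify(self, pin: str, code: str, now: float) -> bool:
        pin_ok = hmac.compare_digest(pin_hash(pin, self.salt), self.pin_digest)
        current = int(now // STEP)
        matched = None
        for counter in (current, current - 1):  # allow one window of clock drift
            if hmac.compare_digest(token_code(self.seed, counter * STEP), code):
                matched = counter
                break
        if not pin_ok or matched is None:
            return False  # a PIN alone or a token alone is not enough
        if matched <= self.last_counter:
            return False  # code already used (or older than one used): replay
        self.last_counter = matched
        return True

if __name__ == "__main__":
    seed = b"12345678901234567890"  # constructed sample seed (RFC 6238 test key)
    user = TwoFactorVerifier(seed, "4821", b"constructed-salt")  # constructed PIN
    code = token_code(seed, 59)
    print("found token, wrong PIN:", user.verify("0000", code, 59))
    print("captured PIN, no token:", user.verify("4821", "000000", 59))
    print("both factors:          ", user.verify("4821", code, 59))
    print("same code replayed:    ", user.verify("4821", code, 59))
```
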

Show Me The Money
If you opt to deploy two-factor authentication, your services and systems will be better protected against unauthorized access and resulting theft or attack. But savings associated with improved authentication are notoriously difficult to quantify—after all, how do you measure the potential cost of something that didn't happen?

Consider this example: According to the 2004 CSI/FBI Computer Crime and Security Survey, 4 out of 10 organizations experienced unauthorized access to information last year, resulting in an average loss of $42K per survey respondent.

Truthfully, stronger authentication may save your company more, or nothing at all, depending upon asset value and business risk. However, ISPs can cost-justify their investment in stronger authentication in another way: generating new revenue by offering value-added services.

For example, in September 2004, America Online introduced AOL PassCode, a premium authentication service for AOL members. Members who sign up for PassCode pay a modest one-time fee ($9.95) to be issued an RSA Security hardware token. When logging into their AOL account, premium members are prompted for both a password and a six-digit number displayed on their token. AOL earns up to $4.95 more per month per PassCode subscriber, depending on the number of logins (screen names). If you think this figure sounds small, multiply it by just a fraction of AOL's 29 million members. Or consider that just this one premium service represents a 10 to 20 percent increase over AOL's basic unlimited dial-up fee.

Providers that sell Managed Security Services have further revenue opportunities. For example, Managed VPN Services are often based on IPsec. Standard IPsec authentication employs pre-shared secrets or digital certificates. Remote Access VPN services usually add Extended Authentication (XAUTH) so that users can authenticate interactively. IPsec with pre-shared secrets and XAUTH/passwords are both vulnerable to cracking with readily available shareware. Many businesses would prefer stronger alternatives, like digital certificates or XAUTH/tokens. However, only 30 percent of companies have a Public Key Infrastructure (PKI) to issue their own user certificates. Just a fraction more have token or smart card authentication infrastructure. In ISP-Planet's last Managed Security Service Provider Survey, we saw a growing number of MSSPs seizing this opportunity by up-selling Managed Authentication or PKI services to Managed VPN customers.

These are just two of many network services that could thus benefit from stronger authentication as a value-added offering. Other potential revenue opportunities include stronger administrative logins to hosted e-commerce, e-mail, and other application servers. The same authentication infrastructure can be leveraged to deliver premium services to many customers, and to improve the authentication used to safeguard internal network devices and servers. From the ISP's perspective, offering premium authentication services can help defray upgrade cost, create new revenue opportunities, and help to differentiate offerings. From the customer's perspective, there's no capital outlay or security expertise required—this is particularly attractive to SMBs that might otherwise consider strong authentication beyond their reach.

—End

Related articles:
  [Jan. 23, 2004] Security Tools for the Budget Conscious ISP
  [Jan. 4, 2002] VPN RFP Lab Eval: Final Thoughts
  [March 15, 2001] The Remote Access Conundrum Part 4: VPN Client Administration

Coming tomorrow, Part 2: Implementing The Vision

 
