
Hitachi ID Systems Blogs

Posts Tagged ‘Credential Management’

Strong authentication adoptions

Thursday, February 23rd, 2012

An interesting article describes students using their personal mobile devices in place of traditional keys for physical access. As the article points out:

“The line between corporate-owned and personal devices is blurring, according to a recent survey by Information Systems Audit and Control Association. Two-thirds of employees between the ages of 18 and 34 in the survey said they use a personal device that they also use for work, ISACA found”

The world is quickly gravitating toward the consumerization of IT. The traditional IT desktop provisioning process is being replaced by two questions: “How do we enable employee access on their smart devices?” and “How do we authenticate users on their smart devices?”

The finding does raise an interesting question: what if the student loses the device? Or drops the phone? What is the alternate method of regaining access? The last thing anyone wants is a student stuck outside the dorm at -30 degrees Celsius because he or she left the phone at the library.

For many, the term “Password Management” implies password issuance, reset, and synchronization. However, “Password Management” is an oversimplification of credential life cycle management, which covers every credential a person holds and every path by which it is recovered. The case in point: how do you recover your dorm access at 12:30 am at -30 degrees Celsius?

The problem is not new, but it seems to have been overlooked by many. The solution usually falls back to the most accessible means of communication (although the student may decide to throw a rock at a roommate’s window to have him or her open the door).

Most likely, what people end up doing is calling someone for help. In this case, that someone could be a computer that recognizes your voice signature on the other end of the line and issues you an access code valid for the next 30 minutes. From the caller ID or GPS coordinates, the system could confirm that the caller is actually at the building, as a second form of authentication. The system could also look up the student residency database to make sure the student really lives in that particular dorm, and it could notify the Resident Assistant for the student’s floor so that someone can help the stranded student. None of these checks is strong on its own; the point is that the recovery path needs layered verification just as much as the primary login does, because an attacker will go after whichever door is weakest.
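The recovery flow just described, as an added example written for this post (it is not code from the original article or from Hitachi ID). It assumes three things the post leaves open: the voice-biometric service returns a match score that we compare against a threshold, the caller ID or GPS fix has already been turned into coordinates upstream, and the residency database and Resident Assistant contacts are simple lookups. All names, thresholds, coordinates and student records below are constructed for the example.

```python
"""Emergency door-access recovery: issue a short-lived, single-use door code
only after several independent checks pass.  Added example, not the post's code."""
import math
import secrets
import time
from dataclasses import dataclass, field

CODE_LIFETIME_SECONDS = 30 * 60   # the 30-minute window from the post
MAX_DISTANCE_METERS = 150         # assumption: caller must be this close to the dorm
VOICE_MATCH_THRESHOLD = 0.90      # assumption: score from an external voice-biometric service

# Constructed sample data, not real records.
RESIDENCY = {"s1001": "WestHall", "s1002": "EastHall"}
DORM_LOCATION = {"WestHall": (45.4215, -75.6972), "EastHall": (45.4300, -75.6800)}
RESIDENT_ASSISTANT = {"WestHall": "ra-west@example.edu", "EastHall": "ra-east@example.edu"}


def distance_meters(a, b):
    """Great-circle (haversine) distance between two (lat, lon) pairs in degrees."""
    earth_radius = 6371000.0
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    dphi, dlmb = lat2 - lat1, lon2 - lon1
    h = math.sin(dphi / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius * math.asin(math.sqrt(h))


@dataclass
class RecoveryService:
    issued: dict = field(default_factory=dict)        # code -> (student_id, dorm, expires_at)
    notifications: list = field(default_factory=list)  # (RA address, student_id) sent so far

    def request_code(self, student_id, claimed_dorm, voice_score, caller_location, now=None):
        """Run every check; mint a door code only if all of them pass."""
        now = time.time() if now is None else now
        # Factor 1: the voice signature reported by the external service must clear the bar.
        if voice_score < VOICE_MATCH_THRESHOLD:
            raise PermissionError("voice match below threshold")
        # Factor 2: the residency database must say the student lives in that dorm.
        if RESIDENCY.get(student_id) != claimed_dorm:
            raise PermissionError("student is not a resident of that dorm")
        # Factor 3: caller ID / GPS (already resolved to coordinates) must place the caller at the building.
        if distance_meters(caller_location, DORM_LOCATION[claimed_dorm]) > MAX_DISTANCE_METERS:
            raise PermissionError("caller is not at the dorm")
        # All checks passed: an unpredictable 8-digit code bound to this dorm with a 30-minute expiry.
        code = f"{secrets.randbelow(10 ** 8):08d}"
        self.issued[code] = (student_id, claimed_dorm, now + CODE_LIFETIME_SECONDS)
        # Tell the floor's Resident Assistant so a human can also help the stranded student.
        self.notifications.append((RESIDENT_ASSISTANT[claimed_dorm], student_id))
        return code

    def verify_at_door(self, code, door_dorm, now=None):
        """Door keypad check: code must exist, match this dorm, be unexpired, and is consumed on use."""
        now = time.time() if now is None else now
        entry = self.issued.get(code)
        if entry is None:
            return False
        _student_id, dorm, expires_at = entry
        if dorm != door_dorm or now > expires_at:
            return False
        del self.issued[code]   # single use: a shoulder-surfed code cannot be replayed
        return True


if __name__ == "__main__":
    svc = RecoveryService()
    code = svc.request_code("s1001", "WestHall", 0.95, (45.4216, -75.6971))
    print("issued code", code, "-> opens WestHall:", svc.verify_at_door(code, "WestHall"))
```

The code is bound to the dorm it was issued for, expires after the window, and is deleted on first use, so a code read over someone's shoulder at 12:30 am cannot be reused at a different building or later in the night. A real deployment would rate-limit request_code per student and per calling number, since the voice and location checks can each be retried.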

How would you design your strong authentication solution today?

No authentication is free of risk

Tuesday, January 10th, 2012

Interesting news bits. Not many people realize what a root certificate is or what it does day to day. Think of a root certificate as the master key that opens every bank safe in the world: any certificate that chains up to a trusted root is accepted by every browser that ships that root. That is effectively what happened when Trustwave, a certificate provider trusted by the major browser platforms, decided to profit from issuing a certificate that let a company mint valid certificates for any site, which the company claims it used only to eavesdrop on its own employees.

It wasn’t that long ago that I had to remove DigiNotar from my trusted list of certificate providers in all of my browsers. Not long after that, I had to remove the trust from “Trustwave”.

This news was interesting to me because many methods of exchanging authentication tokens are based on trust in certificates. If the secure channel itself cannot be trusted, every authentication model layered on top of it is broken, from certificate-based authentication to SAML assertion exchange. How do service providers today validate against a rogue certificate provider? How would anyone know if any other certificate provider has been compromised, willingly or unwillingly?

It wasn’t that long ago that the world was trying to gravitate toward certificate-based authentication as a means of moving away from passwords. Then an incident like this comes along and severely breaks the chain of trust behind certificate authentication. How many enterprises have implemented some type of certificate authentication, and what would it cost them to update their trusted certificate stores?
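As an added example (not from the post or from Hitachi ID), here is how an enterprise or service provider can audit a PEM CA bundle and strip a distrusted root by its SHA-256 fingerprint, the same operation as removing DigiNotar from a browser’s trust list but applied to a server-side bundle under your own control. The bundle, the root names and the fingerprint list are constructed for the example and the blocks are not real certificates; on a real bundle the fingerprints printed match what `openssl x509 -noout -fingerprint -sha256` reports, since both hash the DER bytes.

```python
"""Audit a PEM CA bundle and strip distrusted roots by SHA-256 fingerprint.
Added example, not the post's code.  SAMPLE_BUNDLE is constructed and its
"certificates" are NOT real DER-encoded X.509 data."""
import base64
import hashlib
import re

# One PEM-armoured block; line wraps inside the body are tolerated.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_blocks(bundle: str):
    """Yield (pem_text, der_bytes) for each certificate in a bundle file."""
    for match in PEM_BLOCK.finditer(bundle):
        body = "".join(match.group(1).split())
        yield match.group(0), base64.b64decode(body, validate=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, colon-separated like openssl's -fingerprint output."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept fingerprints with or without colons, in either case."""
    return fp.replace(":", "").upper()


def filter_bundle(bundle: str, distrusted: list) -> tuple:
    """Return (kept_bundle, removed_fingerprints).

    A root is dropped if its fingerprint is on the distrust list; every other
    block is copied through unchanged so the result is still a valid bundle."""
    blocklist = {normalize(fp) for fp in distrusted}
    kept, removed = [], []
    for pem, der in pem_blocks(bundle):
        fp = normalize(fingerprint(der))
        if fp in blocklist:
            removed.append(fp)
        else:
            kept.append(pem)
    return "\n".join(kept) + ("\n" if kept else ""), removed


def _fake_pem(payload: bytes) -> str:
    """Constructed stand-in: wraps arbitrary bytes in PEM armour (not a certificate)."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(payload).decode()
            + "-----END CERTIFICATE-----\n")


# Constructed sample bundle with three pretend roots.
SAMPLE_BUNDLE = (
    "# Good Root CA\n" + _fake_pem(b"good-root-ca (constructed)")
    + "# Rogue Root CA\n" + _fake_pem(b"rogue-root-ca (constructed)")
    + "# Another Root CA\n" + _fake_pem(b"another-root-ca (constructed)")
)


if __name__ == "__main__":
    # Step 1: audit. Print every root's fingerprint for comparison against a distrust list.
    for _pem, der in pem_blocks(SAMPLE_BUNDLE):
        print(fingerprint(der))
    # Step 2: remove the rogue root (here, the second block) and report what changed.
    rogue = fingerprint(list(pem_blocks(SAMPLE_BUNDLE))[1][1])
    kept, removed = filter_bundle(SAMPLE_BUNDLE, [rogue])
    print("removed:", removed)
    print("remaining roots:", len(list(pem_blocks(kept))))
```

This only fixes the trust stores you control; users’ browsers and the Java or OS keystores on every endpoint each carry their own copy, which is exactly the update cost the post asks about. It also does nothing about a trusted root that has not yet been caught, which is why relying parties that can afford it pin the expected issuer for the handful of certificates they actually depend on.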

As an observation, while the security industry is pushing for more advanced authentication, each new method not only creates more identity silos but also breaks the business processes around the use of these advanced authentications. A few years ago I looked at the requirements for an advanced credential management platform, and at that time I did not see anyone offering the capability to manage different forms of authentication in a consistent way.

How would you update the credential stores? How would you reset the password protecting the certificate store? How would you encrypt the hard drive that holds the certificate store? If the key for that drive encryption is lost, how would you recover it? How do you manage administrator access to the certificate store? Who is tracking privileged user access to these credential stores?

Adding yet another, stronger form of authentication without addressing these processes first only creates more problems downstream: more integration scripting, higher maintenance cost, and audit nightmares.
