Authentication will move to be more of a cloud-based solution, and specifically offered in a service-based model.
Speaking to IT Security Guru, Jason Hart, vice president of cloud solutions at SafeNet, said that the adoption of cloud is happening as users want to use context-based authentication. “There are different authentication mechanisms, it is about being able to mix and match,” he said.
“The software is there, and I think we will see an integration of software tokens that can be used with any application. The client is using the application; they synchronise with the cloud and request a two-factor authentication to generate a one-time password. They enter a PIN and it authenticates them. This is opposed to a static password.”
Asked how far off this concept is, Hart said that it can be done now and, with the increase in BAD (Bring Any Device), it is all about authenticating the user via their device.
“Essentially, as the adoption of cloud continues to increase, more and more companies are going to move towards cloud-based authentication. As a result, we can expect to see more enhancements of cloud SaaS based services moving forwards, such as the inclusion of single sign-on.”
Wendy Nather, research director of the enterprise security practice at 451 Research, said: “There are a lot of vendors coming out of the woodwork with a single sign-on for cloud — either as an on-premise application or appliance, or actually hosted by them in the cloud. Fewer are offering identity and access management as a SaaS; some are doing the provisioning part but not the authentication.”
Paul Simmonds, CEO of the Global Identity Foundation, said that he felt that Hart’s view was along the right lines, especially given the current available technology. “The banks are doing a lot of this right now – augmenting weak authentication with a lot of other attributes and behaviours to ensure it’s not fraudulent,” he said.
“The banks are being responsible in trying to get their risk calculation to an acceptable level by augmenting (for the most part) Chip and PIN with a whole load of heuristics and other checks. Chip and PIN is probably better than passwords; probably down to the fact that they are not passwords; and thus the user has to use something different.”