Delfigo Security - Strong Authentication

Identity and Authentication Blog

Secret Challenge Questions Offer Weak Authentication

According to Technology Review, Microsoft and Carnegie Mellon University will present new research at the IEEE Symposium on Security and Privacy showing, once again, that the secret questions used for password-backup authentication are easy to guess and provide less than adequate security.

The new research found that:

28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participants' secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.

We have regularly argued here that passwords alone are very vulnerable, and not sufficient security. We have also believed that this was equally true for demonstrably simple questions, and this study clearly supports our beliefs. Despite all the effort and expense that goes into deploying and managing these complex and expensive identity management solutions, the fact remains that if someone really wants to gain access to your account they very likely will. And in most cases it may not be that difficult. There is clearly a need for a lower cost, less complex solution that provides the strong authentication required to prevent identity theft and reduce fraud.

The well-publicized incident involving the breach of Republican VP candidate Sarah Palin's Yahoo account highlighted this problem late last year. With a little effort any enterprising individual can gather the personal knowledge (e.g. mother's maiden name, high school name, pet name, street name) necessary to make some fairly targeted guesses, and eventually gain control of an account.


Delfigo Named as Finalist for the TiE50 Awards

Delfigo has been selected as a finalist for the TiE50 Awards, recognizing the hottest emerging startups. The winning companies will be announced on May 11, 2009.

Delfigo was selected from nearly 1,200 nominated companies, and is a finalist in the Internet Infrastructure Category. The selection process for TiE50 winners will be based on a combination of a public poll and private judges' vote. Voting is open to the public beginning Tuesday, April 28, 2009 and closes on Thursday, May 7, 2009.

Visit to cast your vote for Delfigo


Cloud Not Ready To Support Identity Management

Cloud Computing, where computing resources are delivered as a service over the Internet, continues to gain momentum. Microsoft recently announced its big push into SaaS with Microsoft Online Services. In the buzz-driven discussion of life in the cloud, however, there is limited discussion of Identity Management. Martin Kuppinger recently addressed this, noting that as security, privacy and minimal disclosure of personal information become more important, few SaaS providers are ready to support the Identity Management and GRC requirements of their customers. He states that there are no standards for auditing and alerting, or for handling authorization management issues in the cloud.

"To become successful as a provider in the cloud, the 'externalization' of the management of authentication and authorization as well as externalized auditing will become mandatory. Customers can't afford to manage authorizations per cloud service but will have to apply pre-defined policies. Thus, we need new standards and we need new semantics for existing standards like XACML on a much higher level than today."


Cost Efficient Multi Factor Security

Matt Conroy does a great job of providing a clear description of multi-factor security in his latest post, Multi Factor Security Review. Matt clearly describes the key elements of multi-factor: something you know (login credentials), something you have (token or smart card) and something you are (any form of biometric data). He is also spot on in pointing out the key challenge that prevents the majority of companies from implementing biometric solutions: total cost of ownership. Systems that use fingerprints, retinal scans, and facial recognition are well beyond the typical security budget, and can be very challenging to deploy.

Where Matt's article falls short is in not mentioning keystroke dynamics as a biometric that is gaining acceptance in the market. The primary advantage of keystroke dynamics as a biometric option is that it directly addresses the two main challenges of cost and deployment logistics. At Delfigo we have developed a zero-footprint security platform that uses keystroke dynamics to deliver a multi-factor authentication solution at very low cost. In addition, its novel architecture is web-services based, which makes it easier to deploy; it integrates with existing security and network infrastructure, and it does not require the installation of any hardware devices.
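As an added illustration of what keystroke dynamics actually measures (this is not Delfigo's platform or code, which the post does not show), the following Python sketch enrols a typing profile from a few samples and scores a later attempt against it. The feature set (per-key dwell time and between-key flight time), the mean absolute z-score distance and the acceptance threshold are assumptions chosen for illustration; every timing value below is constructed, not measured.

```python
import statistics

# A keystroke sample is a list of (key, press_ms, release_ms) tuples in typing order.
# All timings in this file are constructed for illustration, not measured data.


def make_sample(keys, dwells, flights):
    """Build a sample from per-key hold times and the gaps between keys (both in ms)."""
    sample, t = [], 0
    for i, key in enumerate(keys):
        press, release = t, t + dwells[i]
        sample.append((key, press, release))
        if i < len(keys) - 1:
            t = release + flights[i]
    return sample


def features(sample):
    """Feature vector: dwell time per key, then flight time between consecutive keys."""
    dwell = [release - press for _, press, release in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight


def enroll(samples, min_stdev=1.0):
    """Profile = per-feature mean and population stdev over the enrollment samples.
    The stdev is floored so a feature with no observed variance cannot dominate scoring."""
    vectors = [features(s) for s in samples]
    n = len(vectors[0])
    means = [statistics.mean([v[i] for v in vectors]) for i in range(n)]
    stdevs = [max(statistics.pstdev([v[i] for v in vectors]), min_stdev) for i in range(n)]
    return means, stdevs


def score(profile, sample):
    """Mean absolute z-score of the sample against the profile (0 = identical rhythm)."""
    means, stdevs = profile
    f = features(sample)
    return sum(abs(x - m) / s for x, m, s in zip(f, means, stdevs)) / len(f)


def verify(profile, sample, threshold=1.5):
    """Accept when the typing rhythm is within `threshold` average z-scores of the profile."""
    return score(profile, sample) <= threshold


KEYS = list("pass")
# Three enrollment samples from the legitimate user: small jitter around one rhythm (constructed).
ENROLLMENT = [
    make_sample(KEYS, [100, 90, 110, 105], [120, 130, 80]),
    make_sample(KEYS, [104, 94, 106, 101], [116, 134, 84]),
    make_sample(KEYS, [96, 86, 114, 109], [124, 126, 76]),
]
GENUINE_ATTEMPT = make_sample(KEYS, [102, 88, 112, 107], [118, 128, 82])
# The same secret typed with a very different rhythm (constructed impostor attempt).
IMPOSTOR_ATTEMPT = make_sample(KEYS, [60, 150, 70, 160], [250, 40, 200])

PROFILE = enroll(ENROLLMENT)

if __name__ == "__main__":
    for name, attempt in [("genuine", GENUINE_ATTEMPT), ("impostor", IMPOSTOR_ATTEMPT)]:
        print(f"{name}: score={score(PROFILE, attempt):.2f} accepted={verify(PROFILE, attempt)}")
```

The threshold is the tuning knob: in practice it is set against measured false-accept and false-reject rates on real enrollment data, and the rhythm check is used as one factor alongside the password, not as a replacement for it.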

Bottom line: there is no reason for companies to defer or delay considering a true multi-factor security solution today.

Bharat Nair is Vice President of Business Development at Delfigo Security, Boston, MA. He can be reached by e-mail or by phone at 1.617.248.6501.


Gartner's 2009 Identity And Access Management Predictions

Gartner's four predictions for Identity and Access Management:

  1. Hosted IAM and IAM as a service will account for twenty per cent of IAM revenue by 2011.
  2. Twenty per cent of smart-card authentication projects will be abandoned and thirty per cent scaled back in favour of lower-cost, lower-assurance authentication methods.

    (Key comment: "Gartner recommends that organizations with a free choice of authentication methods for local access should take a scenario-based approach to selecting new authentication methods, based on risk, end-user needs and total cost of ownership (TCO).")
  3. Thirty per cent of large corporate networks will become 'identity aware' by controlling access to some resources via user-based policies by 2011.
  4. Approximately fifteen per cent of global organizations storing or processing sensitive customer data will use out-of-band (OOB) authentication for high-risk transactions by 2010.

    (Key quote: "Organizations that need to safeguard customer accounts should implement a three-pronged security strategy that includes risk-appropriate user authentication, fraud detection, and transaction verification for high-risk transactions." - Ant Allan, VP, Research at Gartner)


Authentication Factors In Identity Management

What is meant by authentication factors in identity management? Authentication factors are the characteristics or elements considered in determining whether the individual seeking access to information assets is authentic. They are a means of proving that users are who they say they are, and not fraudulent actors attempting to gain access to someone else's account.

Typical authentication factors fall under the following categories:

  1. Personal - something you know (password, passphrase or PIN)
  2. Human - something you are (fingerprint, retinal scan or other biometric identifier)
  3. Technical - something you have (ID card or security token)
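To make the three categories concrete, here is an added example (not from the original post and not Delfigo's code) that classifies authentication methods by factor and checks whether the proofs a user actually passed span distinct categories. The method names, the mapping table and the `Proof` structure are assumptions for illustration. The point it demonstrates is that two proofs from the same category (a password plus a secret question) still count as one factor, and that a method that did not verify contributes nothing.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three factor categories from the post."""
    KNOWLEDGE = "something you know"
    INHERENCE = "something you are"
    POSSESSION = "something you have"


# Hypothetical mapping of authentication methods to the category each one proves.
FACTOR_OF_METHOD = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "secret_question": Factor.KNOWLEDGE,
    "fingerprint": Factor.INHERENCE,
    "retinal_scan": Factor.INHERENCE,
    "keystroke_dynamics": Factor.INHERENCE,
    "id_card": Factor.POSSESSION,
    "security_token": Factor.POSSESSION,
}


@dataclass(frozen=True)
class Proof:
    """One authentication method the user presented and whether it verified."""
    method: str
    verified: bool

    @property
    def factor(self) -> Factor:
        return FACTOR_OF_METHOD[self.method]


def distinct_factors(proofs):
    """Set of factor categories covered by the proofs that actually verified."""
    return {p.factor for p in proofs if p.verified}


def is_multi_factor(proofs, required=2):
    """True only when verified proofs span at least `required` distinct categories."""
    return len(distinct_factors(proofs)) >= required


def describe(proofs):
    """Human-readable summary of the covered factors, e.g. for an audit record."""
    covered = sorted(f.value for f in distinct_factors(proofs))
    return f"{len(covered)} factor(s): {', '.join(covered) or 'none'}"


if __name__ == "__main__":
    # Constructed login attempts for demonstration.
    attempts = {
        "password+question": [Proof("password", True), Proof("secret_question", True)],
        "password+token": [Proof("password", True), Proof("security_token", True)],
        "password+failed token": [Proof("password", True), Proof("security_token", False)],
    }
    for name, attempt in attempts.items():
        print(f"{name}: multi-factor={is_multi_factor(attempt)} ({describe(attempt)})")
```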


Should Startups Be Thinking About Strong Authentication?

Multi-factor strong authentication simply makes good business sense

I recently attended The Wharton Entrepreneurs Conference (WEC25) in Philadelphia, PA. I took time to visit several companies that were part of the exposition.

The concepts and ideas were interesting and wide-ranging. The atmosphere in the exhibition hall was one of optimism, hope, and grand visions. There were companies that had advanced algorithms to shake you out of bed at just the right time, a shopping mall for kids, collecting money for good grades, finding and communicating with business associates more efficiently, an electronic classroom for teachers, and finding authentic sneakers for sale, among others. I felt odd and somewhat out of place (and it had nothing to do with my age!), but that was because several of the companies I spoke to had not yet fully thought through a revenue model (some were even brash about not having the need to make money). Several of the ideas I listened to were member-based services hoping to attract flocks of users and then collect on ad revenues or a percentage of the transaction value.

If there is one piece of advice I would like to offer these startups, it is that they do more for identity protection and fraud prevention. The notion that I have to provide personal information when I sign up for anything these days is an inconvenience, but more clearly a risk of identity theft. This advice is especially important to those startups that are specifically targeting members below the age of 18. Let me be very clear: I am not implying these companies hadn't thought of security (they all had user ID and password). Today, that is inadequate. It is important that these early-stage companies bake in strong authentication solutions from the beginning. It is a lot easier to do it now than to wait until something really bad happens and you have to rethink the entire notion of secure access to your platform. After all, as responsible citizens and entrepreneurs we owe it to our future generation to protect them and keep them out of harm's way. Have you seen this CNN clip about a recent Facebook identity theft?

Strong authentication is not about strong passwords (look for an interesting experiment I did on this topic using my Facebook account in an upcoming post). Strong authentication solutions should leapfrog, in my opinion, the old paradigm of "what you know" or "what you have" and leverage new technologies and computing capabilities to authenticate and authorize users using a new paradigm of "who you are" and "what you do". The benefits of this approach are not just in being able to sleep well at night knowing you have done the right thing. By integrating these concepts into the platform, companies can build solutions that are risk-based and manage media and content rendering based on user preferences and behaviors.

We at Delfigo Security have been thinking about this for several years and have developed an interesting and proven artificial intelligence based capability that does just that. We welcome the opportunity to have discussions with entrepreneurs and seasoned executives alike on how you can leverage these concepts and our research to improve your product and provide peace of mind to your members and their parents.

Bharat Nair is Vice President of Business Development at Delfigo Security, Boston, MA. He can be reached by e-mail or by phone at 1.617.248.6501.


Real Time Actionable Intelligence Is Goal Of Information Security

Matt Flynn reviewed a recent moderated discussion on ESM (Enterprise Security Management) and SEM (Security Event Management). His conclusion: "The consensus seemed to be that vendors do a good job of gathering and storing logs to meet compliance requirements that mandate storage of those logs. What customers really need and want from these vendors, however, is actionable intelligence."

From the actual session he quotes Amrit Williams, CTO of BigFix, who offers a definition of the goal of information security:

"to limit the possibility of an incident from occurring... and when it does occur, to limit its impact (by identifying it quickly and responding)... what the ultimate goal of an intelligence system would be is that it's able to detect what are seemingly innocuous events and provide some actionable level of intelligence that shows that that's actually an incident occurring and you can respond to it and limit its impact on the environment - that's what they'd like to be, but they're not that."

Sounds like real time, multi-factor, risk based authentication to me. 
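The "seemingly innocuous events" point can be made concrete with a small correlation rule. What follows is an added example, not part of the original post and not any vendor's product: it reads constructed key=value authentication log lines (the line format and the documentation-range IP addresses are assumptions) and flags a successful login from a source that, moments earlier, failed against several different accounts. No single line reveals the incident; only the correlation across accounts from one source does.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log lines in a simple key=value format (not a real product's log).
SAMPLE_LOG = """\
2009-04-20T10:00:01 src=203.0.113.5 user=alice result=FAIL
2009-04-20T10:00:09 src=203.0.113.5 user=bob result=FAIL
2009-04-20T10:00:15 src=203.0.113.5 user=carol result=FAIL
2009-04-20T10:00:31 src=203.0.113.5 user=dave result=OK
2009-04-20T10:02:00 src=198.51.100.7 user=erin result=FAIL
2009-04-20T10:02:05 src=198.51.100.7 user=erin result=OK
2009-04-20T10:40:00 src=203.0.113.5 user=alice result=OK
""".splitlines()

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_line(line):
    """Return (timestamp, src, user, result), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, user, result = m.groups()
    return datetime.fromisoformat(ts), src, user, result


def detect_spray_then_success(lines, window=timedelta(minutes=10),
                              min_failures=3, min_accounts=2):
    """Flag a successful login from a source that, within `window`, failed at least
    `min_failures` times across at least `min_accounts` distinct accounts.

    One failed login or one successful login is innocuous on its own; the alert
    comes from the combination, which is what this function reconstructs."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[0])
    recent_failures = defaultdict(list)   # src -> [(timestamp, user), ...]
    alerts = []
    for ts, src, user, result in events:
        history = recent_failures[src]
        # Drop failures that fall outside the correlation window.
        history[:] = [(t, u) for t, u in history if ts - t <= window]
        if result == "FAIL":
            history.append((ts, user))
            continue
        accounts = {u for _, u in history}
        if len(history) >= min_failures and len(accounts) >= min_accounts:
            alerts.append({
                "src": src,
                "user": user,
                "time": ts.isoformat(),
                "failed_accounts": sorted(accounts),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray_then_success(SAMPLE_LOG):
        print(f"ALERT {alert['time']} {alert['src']} succeeded as {alert['user']} "
              f"after failing {alert['failed_accounts']}")
```

On the constructed log this raises exactly one alert: the 203.0.113.5 success as dave at 10:00:31. The single typo-then-success from 198.51.100.7 stays quiet, and the later 10:40 success from 203.0.113.5 is not flagged because its earlier failures have aged out of the window.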


What is Dynamic Authorization Management?

What is dynamic authorization management?

"authorization management defines the approaches to centrally manage authorizations in underlying systems. In the best case it ends up with the management of specific entitlements (that would really be "Entitlement Management"); in most cases it is only the capability to map users (using roles and so on) to system-level roles or groups or profiles"

However, recognizing the need to close the "big gap in provisioning", Martin Kuppinger of Kuppinger Cole adds the term "dynamic" to describe:

"authorization engines which are used as part of an externalization strategy (externalizing authentication, authorization, auditing and so on from applications) which provide the results of a dynamic authorization decision, according to defined rules, on the fly."
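Both the XACML remark in the cloud post above and Kuppinger's definition here describe the same shape of system: an authorization engine that lives outside the application, evaluates defined rules per request, and leaves an auditable decision behind. The following is an added example, not Kuppinger Cole's or Delfigo's code and not an XACML implementation: a minimal policy decision point in Python with attribute-based rules, deny-overrides combining and an audit trail. The rule set, the request layout, the attribute names and the combining algorithm are all assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

# A request carries the attributes a rule may look at: who, what action, on which
# resource, and in what context (e.g. a risk score from the authentication step).
Request = Dict[str, Any]


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                        # "Permit" or "Deny"
    condition: Callable[[Request], bool]


DEFAULT_DENY = Rule("default-deny", "Deny", lambda _req: True)


class PolicyDecisionPoint:
    """Externalized authorization engine: applications send a request and receive a
    decision; the rules live here, not in application code. Combining algorithm is
    deny-overrides: any matching Deny wins, else the first matching Permit, else the
    default Deny. Every decision is written to an audit log."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.audit_log: List[Dict[str, Any]] = []

    def decide(self, request: Request) -> Tuple[str, str]:
        matched = [r for r in self.rules if r.condition(request)]
        denies = [r for r in matched if r.effect == "Deny"]
        permits = [r for r in matched if r.effect == "Permit"]
        rule = denies[0] if denies else permits[0] if permits else DEFAULT_DENY
        self.audit_log.append({
            "subject": request["subject"].get("id"),
            "action": request["action"],
            "resource": request["resource"].get("id"),
            "decision": rule.effect,
            "rule": rule.name,
        })
        return rule.effect, rule.name


# Constructed rule set (attribute-based, evaluated on the fly for each request).
RULES = [
    Rule("deny-high-risk-session", "Deny",
         lambda r: r["context"].get("risk_score", 0.0) > 0.8),
    Rule("finance-approves-invoices-within-limit", "Permit",
         lambda r: r["action"] == "approve"
         and r["resource"].get("type") == "invoice"
         and "finance" in r["subject"].get("roles", [])
         and r["resource"].get("amount", 0) <= r["subject"].get("approval_limit", 0)),
    Rule("owner-reads-own-records", "Permit",
         lambda r: r["action"] == "read"
         and r["resource"].get("owner") == r["subject"].get("id")),
]


def make_request(subject, action, resource, context=None) -> Request:
    return {"subject": subject, "action": action, "resource": resource,
            "context": context or {}}


# Constructed subjects and resource used by the demo below.
ALICE = {"id": "alice", "roles": ["finance"], "approval_limit": 10_000}
BOB = {"id": "bob", "roles": []}
INVOICE = {"id": "inv-42", "type": "invoice", "amount": 5_000, "owner": "bob"}


def run_demo():
    """Run a few requests through one PDP and return (decisions, audit_log)."""
    pdp = PolicyDecisionPoint(RULES)
    decisions = [
        pdp.decide(make_request(ALICE, "approve", INVOICE, {"risk_score": 0.1})),
        pdp.decide(make_request(ALICE, "approve", INVOICE, {"risk_score": 0.95})),
        pdp.decide(make_request(ALICE, "read", INVOICE)),
        pdp.decide(make_request(BOB, "read", INVOICE)),
        pdp.decide(make_request(ALICE, "approve", dict(INVOICE, amount=50_000))),
    ]
    return decisions, pdp.audit_log


if __name__ == "__main__":
    decisions, audit = run_demo()
    for d, entry in zip(decisions, audit):
        print(d, entry)
```

The high-risk session shows why the decision has to be dynamic: the same subject, action and resource that are permitted at a risk score of 0.1 are denied at 0.95, and the audit entry records which rule produced each answer, which is the "externalized auditing" the quotes call for.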

