Delfigo Security - Strong Authentication

  • Increase font size
  • Default font size
  • Decrease font size
Home Strong Authentication
Strong Authentication

OASIS Identity in the Cloud (IDCloud) Technical Committee

An Identity in the Cloud (IDCloud) Technical Committee has been formed by the non-profit OASIS group. They are charged with identifying "gaps in existing identity management standards and investigate the need for profiles to achieve interoperability within current standards. Committee members will perform risk and threat analyses on collected use cases and produce guidelines for mitigating vulnerabilities."

Hopefully, the establishment of this committee will produce positive outcomes. Standards for policy management, authentication services and security tokens  (XACML, SAML, WS-Security, WS-Trust) are essential to to the acceptence and success of cloud computing.  

Who is OASIS?

OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, international consortium that drives the development, convergence and adoption of open standards for the global information society. OASIS promotes industry consensus and produces worldwide standards for the Smart Grid, security, Web services, XML conformance, business transactions, electronic publishing, and other applications.


Bruce Schneier on Risk Analysis

Bruce Schneier comments on the value of properly calculating probabilities when performing risk assessment. He cautions on focusing too much of risk assessment on "worst case" thinking. 

My nightmare scenario is that people keep talking about their nightmare scenarios....There's a certain blindness that comes from worst-case thinking. An extension of the precautionary principle, it involves imagining the worst possible outcome and then acting as if it were a certainty. It substitutes imagination for thinking, speculation for risk analysis, and fear for reason."

"Worst-case thinking leads to bad decisions, bad systems design, and bad security."


Cloud Security and Strong Authentication

I wholeheartedly agree with Fran Rosch's comment that the industry must move to stronger authentication technologies. There is no doubt in anyone's mind that simple User ID and Password (including strong passwords) offer very little to no security when it comes to protecting digital assets. 

The complexity and frequency of cyber threats today call for companies to consider a new breed of strong authentication - one that strives to validate the user and not just the device. One-time-passwords (OTP) delivered through unique (individually assigned) tokens have been around for a while. Fran argues correctly that infrastructure costs limited the wide spread use of such token based OTP. The infrastructure costs may have been addressed with a Cloud based offering of OTP, but what about the usability of such token based OTP? People lose or forget physical devices. People damage physical devices. I speak from personal experience having learned from my own internal customer base. 

Why not rely of technology that requires no tokens what so ever? No Plastic tokens, USB drives, SMS-enabled devices or software running on mobile devices. A strong authentication solution that is more than two-factor and delivers true multifactor authentication with zero distribution and end user management costs is what enterprises should look for when having to scale solutions globally and across a large user base.

Bharat Nair is Vice President of Business Development at Delfigo Security,, Boston, MA. He can be reached at This e-mail address is being protected from spambots. You need JavaScript enabled to view it or by phone at 1.617.248.6501. You can now follow Delfigo Security news and articles on twitter (@delfigo).


RSA Survey on Budget, Cost and Strong Authentication

A recent RSA survey, Tight Budgets Harm IT Security, once again reaffirms that the biggest complaint IT security executives have is having less money to handle increasing threats. When Delfigo started out just over a year ago we knew from years of experience managing IT departments that cost, both fixed and operating, were the top concerns for identity and access management. That was a key element that drove early decisions to develop a solution that utilized open standards, easily integrated with existing technologies and back-end systems, and most importantly is simple to use and does not require end users to change their access routines or behaviors. There are no tokens or software downloads required. One of our key objectives was  to eliminate the very things that create the majority of integration and management challenges, and drive up the total cost of ownership of the second factor or strong authentication solutions in the market today.


What Is "Intelligent Authentication"?

Intelligent authentication is the future of data security. It is the next step in the ongoing effort to authenticate or confirm users accessing and executing transactions with protected information assets, by providing real-time risk assessment and event driven security response during each user session.

Authentication in the networked world is directly tied to your digital identity. For security purposes it has traditionally been the initial interaction between systems and user where you prove you are who you say you are.[1] The user is typically required to provide the system with one or more "authentication factors". In simple terms authentication factors are technical - something you have (id card or security token), personal - something you know (password, phrase or pin number) or human - something you are (fingerprint, retinal scan or other biometric identifier).

First factor authentication is normally username / password. However, this has proven to be of limited value for security. Passwords, even when properly enforced are a security vulnerability, as they can be easily shared, copied or stolen. Second factor authentication was devised to provide stronger authentication given the inherent weakness of single factor authentication. In two factor authentication, the standard login (username/ password) is combined with a second factor, usually in the form of a security token. But implementing many second factor authentication solutions usually requires expensive tokens, smart cards or other devices, and can prove cost prohibitive both in terms of initial distribution and overall management.


Page 9 of 12