Delfigo Security - Strong Authentication

  • Increase font size
  • Default font size
  • Decrease font size
Home Strong Authentication
Strong Authentication

Secret Challenge Questions Offer Weak Authentication

According to Technology Review Microsoft and Carnegie Mellon University will present new research at the IEEE Symposium on Security and Privacy to show once again that secret questions used for password backup authentication are easy to guess and provide less than adequate security.

The new research found that:

28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participant's secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.

We have regularly argued here that passwords alone are very vulnerable, and not sufficient security. We have also believed that this was equally true for demonstrably simple questions, and this study clearly supports our beliefs. Despite all the effort and expense that goes into deploying and managing these complex and expensive identity management solutions, the fact remains that if someone really wants to gain access to your account they very likely will. And in most cases it may not be that difficult. There is clearly a need for a lower cost, less complex solution that provides the strong authentication required to prevent identity theft and reduce fraud.

The well publicized incident involving the breach of Republican VP Candidate Sarah Palin's Yahoo account highlighted this problem late last year. With a little effort any enterprising individual can gather the personal knowledge (e.g. mothers maiden name, high school name, pet name, street name) necessary to make some fairly targeted guesses, and eventually gain control of an account.


Delfigo Named as Finalist for the TiE50 Awards

Delfigo has been selected as a finalist for the TiE50 Awards, recognizing the hottest emerging startups.The winning companies will be announced on May 11, 2009.

Delfigo was selected from nearly 1,200 nominated companies, and is a finalist in the Internet Infrastructure Category. The selection process for TiE50 winners will be based on a combination of a public poll and private judges' vote. Voting is open to the public beginning Tuesday, April 28, 2009 and closes on Thursday, May 7, 2009.

Visit to cast your vote for Delfigo


Cloud Not Ready To Support Identity Management

Cloud Computing, where computing resources are delivered as a service over the Internet, continues to gain momentum. Microsoft recently announced its big push in SaaS with Microsoft Online Services. In the buzz driven discussion of life in the cloud, however, there is limited discussion of Identity Management. Martin Kuppinger recently addressed this, noting as security, privacy and minimal disclosure of personal information become more important, few SaaS providers are ready to support the Identity Management and GRC requirements of their customers. He states there are no standards for auditing and alerting, or for handling authorization management issues in the cloud.

"To become successful as a provider in the cloud, the 'externalization' of the management of authentication and authorization as well as externalized auditing will become mandatory. Customers can't afford to manage authorizations per cloud service but will have to apply pre-defined policies. Thus, we need new standards and we need new semantics for existing standards like XACML on a much higher level than today."


Cost Efficient Multi Factor Security

Matt Conroy does a great job of providing a clear description of multi factor security in his latest post Multi Factor Security Review. Matt clearly describes the key elements of multi factor - something you know (login credentials) something you have (token or smart card) and something you are (any form of biometric data). He is also spot on in pointing out the key challenge that prevents the majority of companies from  implementing biometric solutions - total cost of ownership.  Systems that utilize finger prints, retinal scans, and facial recognition are well beyond the typical security budget, and can be very challenging to deploy.

Where Matt's article falls short is by not mentioning keystroke dynamics as a biometric that is gaining acceptance in the market. The primary advantage of keystroke dynamics as a biometric option is that it directly addresses the two main challenges of cost and deployment logistics.  At Delfigo we have developed a zero footprint security platform that uses keystroke dynamics to deliver a multi factor authentication solution at very low cost. In addition, its novel architecture is web services based making it easier to deploy, integrates with existing security and network infrastructure, and does not require the installation of any hardware devices.

Bottom line, there is no reason why companies should defer or delay considering implementing a true multi factor security solution today.

Bharat Nair is Vice President of Business Development at Delfigo Security,, Boston, MA. He can be reached at This e-mail address is being protected from spambots. You need JavaScript enabled to view it or by phone at 1.617.248.6501 


Gartners 2009 Identity And Access Management Predictions

Gartner's four predictions for Identity and Access Management 

  1. Hosted IAM and IAM as a service will account for twenty per cent of IAM revenue by 2011
  2. Twenty per cent of smart-card authentication projects will be abandoned and thirty per cent scaled back in favour of lower-cost, lower-assurance authentication methods.

    (Key comment: "Gartner recommends that organizations with a free choice of authentication methods for local access should take a scenario-based approach to selecting new authentication methods, based on risk, end-user needs and total cost of ownership (TCO). ")
  3. Thirty per cent of large corporate networks will become ‘identity aware' by controlling access to some resources via user-based policies by 2011
  4. Approximately fifteen per cent of global organizations storing or processing sensitive customer data will use out-of-band OOB authentication for high-risk transactions by 2010.

    (Key quote: "Organizations that need to safeguard customer accounts should implement a three-pronged security strategy that includes risk-appropriate user authentication, fraud detection, and transaction verification for high-risk transactions."  - Ant Allan, VP, Research at Gartner)


Page 10 of 12