Title: Two factor authentication is not the answer
Why are most websites insecure? Many years ago, I heard that the best bang for your buck was to adopt two-factor authentication. Why is two-factor authentication not the answer? And does implementing two-factor authentication actually have a high ROI?

I certainly agree that weak authentication costs money. Compromised passwords can result in serious financial damage for both the person and the organization. In addition to the direct cost of mitigating a security breach, one has to count the opportunity cost of the work not done and the potential damage to your personal or organizational reputation.

I also agree that password-only authentication is a big part of the reason websites are insecure. Hackers have a long list of tactics for finding passwords. Some programs store passwords on disk without hashing or even encrypting them. Hackers set up fake Wi-Fi access points to capture passwords. People are tricked into logging in to phony web sites after reading increasingly sophisticated phishing emails. The list goes on. Combine this with a person's tendency to re-use passwords: if a hacker gets access to a person's email account, all sorts of havoc may ensue.
So it seems logical that implementing two-factor authentication would be a good place to start. However, implementing strong authentication hasn't been the silver bullet for organizational security. Why not? The reason is simple: the breadth of applications that can use the strong authentication has been limited. Although your VPN and company portal might be protected with strong authentication, today people use so many websites and SaaS services that they use (and re-use) passwords anyway. So maybe this is splitting hairs, but I would posit that the answer to website insecurity is Internet standards for authentication. This was something that no one company could solve alone. Happily, that standard is almost here: OpenID Connect. It will enable any website, even one previously unknown to your company, to use the strong authentication service you spent so much time and effort launching, and will let two-factor authentication become the best bang for your buck that it was rumored to be more than a decade ago.

Article source: http//thegluu.weebly.com/1/post/2013/10/two-factor-authentication-is-not-the-answer.html
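What "any website can use your strong authentication service" looks like from the relying party's side, as an added example (not code from the article or from Gluu). The website redirects the browser to the OpenID Connect provider, asks for two-factor via acr_values, and, after exchanging the code, validates the returned ID token before trusting the login. The issuer, client_id, client_secret, redirect_uri and acr names below are placeholders; the token is HS256-signed with the client secret, which OpenID Connect Core permits for confidential clients, so the example runs offline with only the standard library. Production relying parties usually fetch the provider's JWKS and verify RS256/ES256 instead.

```python
"""Relying-party (RP) side of an OpenID Connect login.  Illustrative code,
not the article's or Gluu's.  All identifiers below are assumed placeholders."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

ISSUER = "https://idp.example.com"                            # assumed
CLIENT_ID = "partner-website"                                 # assumed
CLIENT_SECRET = b"replace-with-a-long-random-client-secret"   # assumed
REDIRECT_URI = "https://www.partner.example/oidc/callback"    # assumed
STRONG_ACRS = {"urn:example:acr:otp", "urn:example:acr:u2f"}  # assumed acr names


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request():
    """Step 1: redirect the browser to the IdP.  state protects the callback
    against CSRF, nonce binds the ID token to this browser session, and
    acr_values asks the IdP for two-factor authentication.  The returned dict
    is what the RP must keep in its own server-side session."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "acr_values": " ".join(sorted(STRONG_ACRS)),
    }
    return f"{ISSUER}/authorize?{urlencode(params)}", {"state": state, "nonce": nonce}


def sign_id_token(claims, key):
    """Stand-in for the IdP's token endpoint: mints an HS256 ID token."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def sample_claims(nonce, now, **overrides):
    """Constructed sample ID-token claims for the demo (not real IdP output)."""
    claims = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "iat": now,
              "exp": now + 300, "nonce": nonce, "acr": "urn:example:acr:otp"}
    claims.update(overrides)
    return claims


def validate_id_token(token, expected_nonce, now=None):
    """Step 3 (after the code is exchanged at the token endpoint): the checks
    OpenID Connect Core section 3.1.3.7 requires before the RP may trust the
    login.  Raises ValueError on the first failed check, else returns claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if isinstance(aud, list):
        # Several audiences: azp must name this client as well.
        if CLIENT_ID not in aud or claims.get("azp") != CLIENT_ID:
            raise ValueError("token not issued to this client")
    elif aud != CLIENT_ID:
        raise ValueError("token not issued to this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(),
                               expected_nonce.encode()):
        raise ValueError("nonce mismatch: replayed or injected token")
    # The article's point: confirm the IdP actually performed two-factor.
    if claims.get("acr") not in STRONG_ACRS:
        raise ValueError("IdP did not perform strong authentication")
    return claims


def token_is_acceptable(token, expected_nonce, now=None):
    """Boolean wrapper around validate_id_token for callers that only need yes/no."""
    try:
        validate_id_token(token, expected_nonce, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    url, session = build_authorization_request()
    now = int(time.time())
    good = sign_id_token(sample_claims(session["nonce"], now), CLIENT_SECRET)
    weak = sign_id_token(sample_claims(session["nonce"], now, acr="urn:example:acr:password"), CLIENT_SECRET)
    print("redirect to:", url)
    print("two-factor token accepted:", token_is_acceptable(good, session["nonce"], now))
    print("password-only token accepted:", token_is_acceptable(weak, session["nonce"], now))
```

The acr check is what turns "the IdP logged someone in" into "the IdP logged someone in with the strength this site needs"; without it a relying party that requested two-factor will happily accept a password-only session if the provider downgrades.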
Think about the front door. Businesses are advised to invest in the part of their facility that the customer sees. With access management systems, this is the login experience and the authorization experience. I frequently remind Gluu customers to consider the authentication triangle, whose vertices are (1) security, (2) price and (3) usability. Each authentication mechanism has its own unique triangle. Much attention lately has been focused on security, but many of the advancements have enabled stronger security while at the same time improving usability. The best kind of authentication is the one you never see! Consumer IDPs look at many contextual indicators to figure out whether an interactive authentication is needed at all. Organizations should follow suit.
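A small version of that contextual decision on the IdP side, as an added example (not Gluu's code). The signals, their weights, the acr names and the eight-hour freshness limit are assumptions chosen for the illustration. It also shows how the decision interacts with two OpenID Connect request parameters the relying party may send: acr_values (the minimum strength it wants) and prompt=none (never show a screen; fail with interaction_required instead).

```python
"""Risk-based 'do we need to bother the user?' decision at an identity provider.
Illustrative only; signals, weights and acr names are assumed, not Gluu's."""
from dataclasses import dataclass
from typing import Optional

# Assumed acr names, ordered by strength (higher value is stronger).
ACR_LEVEL = {"urn:example:acr:password": 1, "urn:example:acr:otp": 2}
MAX_SESSION_AGE_S = 8 * 3600   # assumed: an SSO session older than this is not reusable


class InteractionRequired(Exception):
    """Sent back to the RP as error=interaction_required when it asked for prompt=none."""


@dataclass
class Session:
    acr: Optional[str]   # acr of the existing SSO session, None if there is none
    age_s: int           # seconds since the last interactive authentication


@dataclass
class Context:
    device_known: bool       # device cookie previously bound to this user
    network_known: bool      # source address in a network seen for this user before
    impossible_travel: bool  # geo-velocity check against the previous login failed


def risk_score(ctx):
    """Additive score; the weights are assumptions for the example."""
    score = 0
    if not ctx.device_known:
        score += 2
    if not ctx.network_known:
        score += 1
    if ctx.impossible_travel:
        score += 3
    return score


def decide(session, ctx, requested_acr=None, prompt=None):
    """Return 'silent', 'password' or 'two_factor'.

    requested_acr: the RP's acr_values (None = no preference, at least a password).
    prompt: the RP's prompt parameter; 'none' means no UI may be shown."""
    if requested_acr is not None and requested_acr not in ACR_LEVEL:
        raise ValueError(f"unsupported acr {requested_acr!r}")   # fail closed
    score = risk_score(ctx)
    needed = ACR_LEVEL.get(requested_acr, 1)
    if score >= 3:
        needed = max(needed, 2)          # high risk always means two-factor
    fresh = session.acr is not None and session.age_s <= MAX_SESSION_AGE_S
    have = ACR_LEVEL.get(session.acr, 0) if fresh else 0
    if have >= needed and score < 3:
        decision = "silent"              # the authentication the user never sees
    else:
        decision = "two_factor" if needed == 2 else "password"
    if prompt == "none" and decision != "silent":
        raise InteractionRequired(decision)
    return decision


if __name__ == "__main__":
    quiet = Context(device_known=True, network_known=True, impossible_travel=False)
    print(decide(Session("urn:example:acr:otp", 600), quiet, "urn:example:acr:otp"))   # silent
    print(decide(Session(None, 0), Context(False, True, True)))                      # two_factor
```

Two design points a practitioner would keep: the request from the RP can only raise the required strength, never lower it below what the risk signals demand, and an unknown acr value is rejected rather than silently mapped to the weakest level.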
Try your best, but be flexible. If a certain application can't use OAuth2, it's OK to fall back. There might be an old version of IIS you need to support, or the SaaS provider might only support SAML. It's OK! Don't worry. You want to guide applications toward open standards, and SAML or even SiteMinder is a lot better than having the website store the person's credentials itself.

Is SiteMinder dead? Granted, "SiteMinder is Dead" is sensationalist. Old SSO protocols hang around until you disconnect the last site. That can take some time, which is why we want the standards to be well tested. That's why the title of the previous blog post said "Decline", not "Dead". If you have a sizable organization and are looking at a green field, are you installing a commercial IAM suite, an IDaaS, or open source? The last two didn't even exist until a few years ago. No matter how you slice it, monolithic IAM suites like CA SiteMinder are going to get a smaller percentage of the market, and reducing prices to win a small number of new customers might not offset the revenue lost from existing customers. In rapidly growing markets, the price goes down, the total size of the market increases, and the initial suppliers are challenged to make a very difficult pivot.
In any case, at Gluu, we think there is a bigger opportunity in serving the part of the market that doesn't yet have a SiteMinder than in disrupting current monolithic IAM customers. Most current solutions are hub and spoke: usually a big IDP and lots of internal websites, some external SaaS services, and partner sites. How many inbound SAML connections does your average organization support? The answer is frequently "not many". Big companies can afford commercial access management / federation software, but their partners usually cannot. Net-net, this means the cost of extranet user management is either too high or, even worse, it's insecure. Organizations want open source because there is a benefit if their partners can cost-effectively upgrade their IAM.

You can substitute SiteMinder with the IAM product of your choice, for example Oracle Access Manager (OAM), RSA ClearTrust, or IBM Tivoli Access Manager (TAM). Although some IAM products also use HTTP reverse proxies, the idea is generally the same: run alongside the old system until you have migrated the existing apps. Notice in the diagram accompanying the original post that there are two OAuth2 Authorization Servers. OAuth2 enables federated authorization: sometimes several parent organizations set different policies, and application developers need to ensure all the policies are considered.

Article source: http//www.gluu.org/blog/how-to-move-away-from-ca-siteminder-to-open-source-authn-authz/