Arcot Advisor
THE AUTHENTICATION AUTHORITY™ OCTOBER 2007
   

The Better Solution

GlobeExperts agree that stronger authentication is needed to replace standard username-password authentication. But how do you decide what type of strong authentication is required? Some organizations have chosen hardware strong authentication because it appears to be the most secure option available. However, when you look deeper into human behavior, the answer becomes clear. In order for strong authentication to be effective, it has to be easy to use! Hardware authentication solutions introduce complexity into the equation and let's face it, people don't like to carry multiple hardware authentication devices with them wherever they go.

The trouble with hardware tokens

Unlike a password, security tokens are encoded physical objects. It's easy for users to protect a token, because it's in their possession. Should a user lose a token, a criminal can't gain access without a PIN that only the legitimate user knows. Or so goes the theory. That's nice, but how do you make sure the user doesn't lose or accidentally destroy the token?

Hardware tokens may be simple or complex and can include multiple authentication methods. While there are many token vendors, each uses a different approach. One-time-password tokens are the most commonly used hardware authentication device however they can't prevent man-in-the-middle attacks. Tokens without an on-board keyboard or similar input device cannot be used with some sign-in processes, for example, confirming a bank transaction based on a bank account number that you want funds distributed to.

Smart cards

Another type of hardware token, smart cards, are more cost-effective than their fob-like counterparts. They also allow individuals to digitally sign documents and gain physical building access. However, smart cards also offer numerous disadvantages, such as:

  • The friction on the cards can cause significant wear and tear, potentially shortening their life.
  • Users can damage their cards by accidentally bending or abusing them.
  • Unusually high voltages can erase or modify the EEPROMs. Criminals can heat the controller to a high temperature or focus ultraviolet light on the EEPROM to remove security locks. They can even take the processor out of a smart card to reverse engineer it.

The Right Balance of Cost, Convenience and Strength

Arcot focuses on internet authentication solutions for B2B and B2C portal access and online shopping applications. Its products satisfy needs for risk-based authentication, strong authentication, ePayment cardholder authentication and digital signing. Its products also help you manage, issue, renew and revoke certificates to halt access by someone with expired credentials.

Arcot's software-only solutions do everything hardware smart cards do (minus the building access), only simpler. Primary benefits include:

  • Arcot software solutions are easy for customers to use and significantly reduce total cost of ownership by removing the need for expensive hardware or troublesome tokens to purchase, distribute, and maintain.
  • Arcot's authentication solutions combine the best of both worlds—the strength of PKI with the simplicity of a username-password interface employing a secure software credential to protect user identity.
  • With Arcot technology user's do not have to change the way they access their online accounts and portals.
  • Arcot authentication solutions can eliminate paper in business processes by providing the ability to digitally sign contracts and other legal documents and also deliver secure eStatements.

Arcot's authentication products provide layered authentication and can be used together to give companies the right degree of security for any application, or complexity of transaction. A company can start with a behind the scenes, risk-based authentication that checks parameters including device ID, geo-location, IP address and transaction velocity.

If the company needs greater authentication assurance, it can add Arcot's Strong Authentication by issuing its customers an encrypted software "smart card" that customers can download to their desktop or carry on a USB token. This same software smart card, combined with Arcot's digital signing software, can also be used to legally sign electronic documents.

For further information about Arcot's software-based security solutions, contact Arcot at 408-969-6100 or visit www.arcot.com.


Click here for a printable version of this page.