Uninformed: Informative Information for the Uninformed

Vol 7» 2007.May


Many Authentication Systems

The current information systems landscape is cluttered with individual authentication systems. Even though many systems within a single management domain use single sign-on or other multi-system authentication mechanisms, users routinely work across systems in disparate management domains. Even users at the most casual level of involvement with information systems can be expected to interact with half a dozen or more individual authentication systems in a single day. On-line banking systems, corporate intranet web and database systems, e-mail systems, and social networking web sites are a few of the many systems that may each require their own method of user authentication.

Because of this abundance of authentication systems, many end users are required to manage the large number of passwords needed to authenticate to them. This burden has given rise to many common insecurities in how passwords are selected and managed.

In addition to the prevalence of insecurities in password selection and management, advances in authentication mechanisms and in the cryptography protecting stored credentials have shifted attack methodologies against authentication systems. While recent headway in computing power has made short passwords, six characters or fewer regardless of the complexity of their content, vulnerable to brute force cracking[5], common attack methodologies are moving away from cryptanalytic and brute force methods against the password store or the authentication system in favor of intelligent guessing of passwords. This intelligent guessing may involve optimized dictionary attacks and guesses drawn from the user's context, attacks against other credentials required by the authentication system such as key-cards and password token devices, and attacks against the interaction between the user and the system itself.
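To make the contrast between brute force and intelligent guessing concrete, the following is an added example, not code from the original article: it computes the keyspace an exhaustive search must cover for a six-character password, and then generates candidates the way an optimized dictionary attack does, by applying common user mutations (capitalization, leetspeak substitutions, appended digits and years) to a small wordlist. The wordlist, the mutation rules, the alphabet size and the target passwords are all constructed for illustration.

```python
"""Brute force keyspace versus rule-based (mangled dictionary) guessing.

Added illustration; wordlist, rules and targets are constructed, not from
the article.
"""
import string
from typing import Dict, Iterable, Iterator, Set

# Assumption: printable ASCII without the space character (94 symbols) is
# the alphabet an attacker must cover when nothing is known about a password.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumption: a small set of leetspeak substitutions users commonly apply.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

# Assumption: suffixes users commonly append (single digits, recent years,
# punctuation). The year range is chosen to fit the article's 2007 date.
SUFFIXES = [""] + [str(d) for d in range(10)] \
    + [str(y) for y in range(1990, 2008)] + ["!", "1!", "123"]


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search of exactly `length` characters must cover."""
    return alphabet_size ** length


def mangle(word: str) -> Iterator[str]:
    """Yield the base word plus typical user mutations of it.

    Case variants, full and single-character leet substitutions, and a
    common suffix: a few hundred candidates per word rather than a keyspace.
    """
    bases: Set[str] = {word, word.lower(), word.capitalize(), word.upper()}
    leeted: Set[str] = set()
    for b in bases:
        # Every substitutable character replaced at once (p@$$w0rd)
        leeted.add("".join(LEET.get(c, c) for c in b))
        # Exactly one character replaced (passw0rd); users rarely leet everything
        for i, c in enumerate(b):
            if c in LEET:
                leeted.add(b[:i] + LEET[c] + b[i + 1:])
    bases |= leeted
    for b in bases:
        for s in SUFFIXES:
            yield b + s


def candidates(wordlist: Iterable[str]) -> Set[str]:
    """All distinct candidates produced by mangling every word in the list."""
    return {c for w in wordlist for c in mangle(w)}


def guess(targets: Iterable[str], wordlist: Iterable[str]) -> Dict[str, bool]:
    """Map each target password to whether the mangled wordlist hits it."""
    cands = candidates(wordlist)
    return {t: t in cands for t in targets}


if __name__ == "__main__":
    # Constructed wordlist and constructed target passwords.
    words = ["password", "letmein", "dragon"]
    targets = ["Passw0rd1", "p@ssword", "LETMEIN2005", "Tr0ub4dor&3"]
    print("6-char brute force keyspace:", keyspace(len(FULL_ALPHABET), 6))
    print("rule-based candidates:", len(candidates(words)))
    for target, hit in guess(targets, words).items():
        print(f"{target:12s} {'hit' if hit else 'miss'}")
```

The point of the comparison is not that the six-character keyspace is large (it is not, by 2007 standards), but that the mangled list hits typical nine- to eleven-character passwords with a few hundred guesses per base word, while an exhaustive search at those lengths would not be practical. The last target is missed because its mutations fall outside the constructed rules, which is exactly the tuning problem an attacker faces when building an optimized dictionary.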

Due to all of the aforementioned factors, the user's password is commonly the weakest link in any given authentication system.