There are several important characteristics that authentication systems should have. These properties can be used to create an evaluation process for authentication systems in your organization. The most effective method is to prioritize these properties based on design criteria for the overall system and then evaluate different designs against the prioritized list. The following sections describe these characteristics.
Practicality is probably the most important feature that any authentication system can have. From the user's standpoint, the authentication system should be easy to use and non-intrusive. No one likes an authentication system that asserts itself too frequently or asks for authentication when none is needed. Users also dislike multiple authentication systems for multiple resources when the user sees those resources as related. For example, from the users' standpoint, email lives on the desktop computer, and once they've signed on to their computers, they don't want to reauthenticate to read their email.
From the enterprise's viewpoint, the authentication system should scale well, provide the appropriate level of protection, and be cost effective. Enterprises want easy-to-use systems as well, because support costs are high. Enterprises also need to manage authentication for large, diverse groups. For example, customers, employees, and the employees of partners and suppliers all need access to resources that the enterprise controls. Each of these groups has unique needs, and the authentication system should adapt to those needs.
Systems that require new software to be installed on user computers or, worse yet, require new hardware (like biometric devices and smart card readers) are difficult to deploy and maintain. This adds to the ongoing operating cost of the solution.
Different applications require different levels of security. As we've seen, there are many different ways to authenticate credentials with varying combinations of authentication factors. The security of an authentication scheme is directly dependent on the number and type of authentication factors used. So is the cost. Good design will match the level of authentication to security requirements.
The overall evaluation of authentication strength is subjective. Expert knowledge is needed to evaluate the weaknesses of complex systems like cryptographic key systems. Comparing two systems and judging their relative strength is easier, provided they are not too similar. Deciding that a system built on digital certificates is more secure than one based on user IDs and passwords is easy. Deciding the relative strength of two different ID and password systems that differ only in policy details, such as password length and type, is nearly impossible.
Mobility is an important factor in modern IT systems, and users require access at multiple locations, some of which are not predictable or under the control of the enterprise. Locationally transparent authentication systems can authenticate user credentials regardless of where the user may be located.
Protocol-insensitive authentication systems can be used on top of multiple transport and application protocols to control access to resources. Servers for HTTP, FTP, POP, SMTP, and other protocols all incorporate some kind of authentication system. Take care to ensure that the authentication system and the various servers interoperate. New tools offer the developer easy access to authentication, but it may not be as easy to create systems that interoperate. Web services, J2EE, .NET, and other regimes offer authentication methodologies, but they are not necessarily compatible without effort by the enterprise.
The extent to which user data is kept private depends on the enterprise and the resources being protected. For example, in the U.S. at least, employee access to company resources, such as desktop computers and email, can be logged and tracked to whatever extent the employer feels is appropriate. On the other hand, an authentication mechanism on a system that allows patients at a medical center to view their treatment records must provide more privacy protection because of laws and regulations such as HIPAA.
Reliability is crucial, because the authentication system can be the foundation for access to mission-critical resources. Reliability requires appropriate redundancy, operational excellence, configuration management, close monitoring, and proactive capacity planning. When the authentication system is used by other organizations, they may require a service-level agreement that stipulates specific uptimes and penalties for failing to meet them.
Accountability requires that the system be auditable. Transaction logs make it possible to review and track user actions and are the heart of an auditable system.
Logs can be made at various levels. Aggregate logs do not track individual transactions, but rather they aggregate data such as totals, averages, and trends. These can be useful for capacity planning and understanding the overall operation of the system.
Detailed logs track individual actions and are required for investigating some problems, such as security breaches. Authentication system logs provide an important resource for dealing with system intrusions, but may be subject to legal and other restrictions and policies.
If not properly protected, detailed logs can raise privacy and security concerns, even when the data they contain seems relatively innocuous. Traffic analysis is the art of deducing information from the patterns in messages. For example, if I know that the CFO always accesses certain company investor resources before a big deal is announced and I have access to the authentication logs for those resources, I may be able to use that information to trade ahead of the market.
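The following example is added here to make the distinction between the two log levels concrete; it is not code from the original text. It takes a constructed detailed authentication log (the four-column "timestamp user resource outcome" format, the user names, and the announcement dates are all assumptions for the example), produces the kind of aggregate log described above, and then runs the traffic-analysis inference from the CFO scenario against the detailed records. The same inference is impossible against the aggregate, which contains no per-user data.

```python
"""Aggregate vs. detailed authentication logs, and the traffic-analysis
risk that detailed logs carry.  Log format and all data are constructed
for this example and do not come from any real system."""
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta

# Constructed detailed log.  Format (assumed): "timestamp user resource outcome".
DETAILED_LOG = """\
2023-03-01T08:02:11 cfo     investor-portal success
2023-03-01T08:05:40 jdoe    email           success
2023-03-02T09:15:02 cfo     investor-portal success
2023-03-02T09:20:31 asmith  email           failure
2023-03-02T09:21:05 asmith  email           success
2023-03-03T07:58:44 cfo     investor-portal success
2023-03-10T10:00:00 jdoe    investor-portal success
2023-03-15T11:30:00 asmith  email           success
2023-03-21T08:10:12 cfo     investor-portal success
2023-03-22T08:12:30 cfo     investor-portal success
2023-03-23T08:09:50 cfo     investor-portal success
"""

# Constructed: dates on which the company made public announcements.
ANNOUNCEMENTS = [date(2023, 3, 4), date(2023, 3, 24)]


def parse_detailed(text):
    """Parse the constructed detailed log into one record per line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, outcome = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "resource": resource, "outcome": outcome})
    return records


def aggregate(records):
    """Build an aggregate log: authentications per day and success/failure
    counts per resource.  No user identifiers survive, so this supports
    capacity planning but cannot answer 'who accessed what, when'."""
    per_day = Counter(r["ts"].date().isoformat() for r in records)
    per_resource = defaultdict(lambda: {"success": 0, "failure": 0})
    for r in records:
        per_resource[r["resource"]][r["outcome"]] += 1
    return {"per_day": dict(per_day), "per_resource": dict(per_resource)}


def users_active_before(records, resource, announcements, window_days=3):
    """Traffic analysis against the detailed log: which users successfully
    authenticated to `resource` in the `window_days` before *every*
    announcement?  Only the detailed records make this question answerable."""
    candidates = None
    for ann in announcements:
        start = ann - timedelta(days=window_days)
        hit = {r["user"] for r in records
               if r["resource"] == resource and r["outcome"] == "success"
               and start <= r["ts"].date() < ann}
        candidates = hit if candidates is None else candidates & hit
    return candidates or set()


if __name__ == "__main__":
    recs = parse_detailed(DETAILED_LOG)
    print("aggregate:", aggregate(recs))
    print("users on investor-portal before every announcement:",
          users_active_before(recs, "investor-portal", ANNOUNCEMENTS))
```

The aggregate output is useful for planning and contains no name; the detailed log, under the same constructed data, singles out the one user whose access pattern precedes each announcement. That is the property to weigh when deciding who may read detailed authentication logs and how long they are retained.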
Manageability means that the operator of the authentication system can easily add, update, or delete users. The system should allow new classes of users and provide for different configurations among groups. Operators will add, renew, and delete certificates; maintain licenses; and update the system as new releases of the software become available. The interfaces to the authentication system should be well documented and easy to integrate into new and legacy systems. We'll talk about directories in Chapter 9; they can provide a repository for much of the information that would be used in an authentication system. In many cases, the manageability of the authentication system will be a function of the user interface and features of the directory systems employed by the enterprise.
Today's enterprise has resources that must be accessed by the employees of its partners and suppliers as well as by its customers or constituents. An authentication system that supports federation will allow those entities to be managed by their respective organizations. This requires confidence in the partner organization and significant planning.
One of the crucial factors will be agreeing with partners on policies about resource access and on how each partner verifies identity when it issues credentials. If the partner's authentication system is going to be trusted to make authentication assertions, then the policies surrounding that system and the relative strength of its authentication methods will need to be understood.
We'll discuss federation in more detail in Chapter 12.