Delfigo Security - Strong Authentication

A recent RSA survey, Tight Budgets Harm IT Security, once again reaffirms that the biggest complaint IT security executives have is having less money to handle increasing threats. When Delfigo started out just over a year ago we knew from years of experience managing IT departments that cost, both fixed and operating, were the top concerns for identity and access management. That was a key element that drove early decisions to develop a solution that utilized open standards, easily integrated with existing technologies and back-end systems, and most importantly is simple to use and does not require end users to change their access routines or behaviors. There are no tokens or software downloads required. One of our key objectives was  to eliminate the very things that create the majority of integration and management challenges, and drive up the total cost of ownership of the second factor or strong authentication solutions in the market today.

Intelligent authentication is the future of data security. It is the next step in the ongoing effort to authenticate or confirm users accessing and executing transactions with protected information assets, by providing real-time risk assessment and event driven security response during each user session.

Authentication in the networked world is directly tied to your digital identity. For security purposes it has traditionally been the initial interaction between systems and user where you prove you are who you say you are.[1] The user is typically required to provide the system with one or more "authentication factors". In simple terms authentication factors are technical - something you have (id card or security token), personal - something you know (password, phrase or pin number) or human - something you are (fingerprint, retinal scan or other biometric identifier).

First factor authentication is normally username / password. However, this has proven to be of limited value for security. Passwords, even when properly enforced are a security vulnerability, as they can be easily shared, copied or stolen. Second factor authentication was devised to provide stronger authentication given the inherent weakness of single factor authentication. In two factor authentication, the standard login (username/ password) is combined with a second factor, usually in the form of a security token. But implementing many second factor authentication solutions usually requires expensive tokens, smart cards or other devices, and can prove cost prohibitive both in terms of initial distribution and overall management.

According to Technology Review Microsoft and Carnegie Mellon University will present new research at the IEEE Symposium on Security and Privacy to show once again that secret questions used for password backup authentication are easy to guess and provide less than adequate security.

The new research found that:

28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participant's secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.

We have regularly argued here that passwords alone are very vulnerable, and not sufficient security. We have also believed that this was equally true for demonstrably simple questions, and this study clearly supports our beliefs. Despite all the effort and expense that goes into deploying and managing these complex and expensive identity management solutions, the fact remains that if someone really wants to gain access to your account they very likely will. And in most cases it may not be that difficult. There is clearly a need for a lower cost, less complex solution that provides the strong authentication required to prevent identity theft and reduce fraud.

The well publicized incident involving the breach of Republican VP Candidate Sarah Palin's Yahoo account highlighted this problem late last year. With a little effort any enterprising individual can gather the personal knowledge (e.g. mothers maiden name, high school name, pet name, street name) necessary to make some fairly targeted guesses, and eventually gain control of an account.

Delfigo has been selected as a finalist for the TiE50 Awards, recognizing the hottest emerging startups.The winning companies will be announced on May 11, 2009.

Delfigo was selected from nearly 1,200 nominated companies, and is a finalist in the Internet Infrastructure Category. The selection process for TiE50 winners will be based on a combination of a public poll and private judges' vote. Voting is open to the public beginning Tuesday, April 28, 2009 and closes on Thursday, May 7, 2009.

Visit www.tie50.net/polling to cast your vote for Delfigo.