Passwords are the weak link in IT security

Passwords aren't working, and replacement technologies haven't caught on. Why can't we develop a simple way to secure our data?

By Howard Baldwin, Computerworld

Feldman says he's investigated almost everything under the sun. He's not bullish on biometric tools because he's seen too many of them fail. He's not keen on key fobs (which display a one-time access code after the user enters a PIN) because they have to be discarded after a few years, and because he doubts that users would report lost key fobs. And after the breach of EMC's RSA security division last year, he's not convinced that the vendor's method of displaying access codes -- on a USB-based hardware token -- is viable either.

Cellphones to the Rescue?

That doesn't mean Feldman is down entirely on device authentication, which strengthens the password updating process by using a second trusted channel of communication in addition to a primary network connection. Feldman is looking at using cellphones as the secondary channel. "Everyone's got a phone," he reasons.

Instead of an access code displaying on a hardware token, it would appear in an SMS or text message on a phone. Users wanting to log in to a data center, then, would enter both their password and the randomly generated access code received via their phone.

Forrester's Maler also likes this idea. "IT generates a new, one-time password and provisions it to the enterprise user by means of an alternate channel -- in this case, the carrier network. That's really powerful, because it's part of a password policy that forces change, and it's strong authentication because it involves something you know -- the password -- and something you have -- the computing device."
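The login flow described above (password plus a one-time code delivered by text message), sketched as an added example that is not from the article or from any vendor it names. The class name, the `send_sms` callback, the five-minute lifetime and the three-guess limit are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300      # assumed policy: seconds an issued code stays valid
MAX_ATTEMPTS = 3    # assumed policy: guesses allowed per issued code

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _code_hash(code):
    return hashlib.sha256(code.encode()).digest()

class SmsSecondFactor:
    """Hypothetical verifier: password first, then a one-time code sent by SMS."""

    def __init__(self, send_sms, clock=time.time):
        self._send, self._clock = send_sms, clock   # send_sms(phone, code) comes from the caller
        self._users, self._pending = {}, {}

    def enroll(self, user, password, phone):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, _pw_hash(password, salt), phone)

    def start_login(self, user, password):
        # Factor 1, "something you know": no code is sent unless the password is right.
        rec = self._users.get(user)
        if rec is None or not hmac.compare_digest(_pw_hash(password, rec[0]), rec[1]):
            return False
        code = f"{secrets.randbelow(10**6):06d}"    # CSPRNG, not random.random()
        # Keep only a hash of the code; a new login replaces any earlier code.
        self._pending[user] = [_code_hash(code), self._clock() + CODE_TTL, MAX_ATTEMPTS]
        self._send(rec[2], code)
        return True

    def finish_login(self, user, code):
        # Factor 2, "something you have": the code that reached the enrolled phone.
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires, tries_left = entry
        if self._clock() > expires or tries_left <= 0:
            del self._pending[user]                 # expired or guessed out
            return False
        entry[2] -= 1
        if hmac.compare_digest(_code_hash(code), digest):
            del self._pending[user]                 # single use
            return True
        return False
```

A six-digit code is only as strong as the limits around it, which is why the code expires, is consumed on first use and is discarded after a few wrong guesses.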

Case Western's Siu is even more enthusiastic about device authentication. "It'll keep people from sharing credentials, because for that to work, someone has to hand over their phone, and no one wants to do that," he says. The increasing popularity of smartphones improves the feasibility of this method.

Ponemon agrees, and adds that devices even smarter than smartphones may improve security. He believes device recognition technology, where the system recognizes your computer based on its IP address and other recognizable factors, will take hold, especially with security capabilities being built into processors. "It's technology that will get people in and out of systems safely," he says. "Computers with these chips will be low cost, but they'll be useful in a wide array of scenarios."

Originally published on Computerworld.