Certificate based authentication – Protecting your company’s information crown jewels

While OTP is a significant step up from username and password from an authentication standpoint, certificate-based authentication raises the bar even further. Users who by position (executive or board member) or by function (IT administrator, finance, and human resources) have access to a business’s most sensitive information require authentication technology that can provide verified access and a full audit trail of access events. Certificate-based authentication provides this level of security and enables a wide range of security services in the process (document or transaction signing, email encryption, etc.). With a solid identity foundation (consolidated ID repository, good data sources, mature ID provisioning system, etc.), deploying certificate-based authentication is easy and can be done at minimal cost.

Certificate Based Identity

Gemalto’s Protiva smart card-based solutions leverage public key infrastructure (PKI) to provide certificate-based strong authentication. This gives two factors of authentication: the smart card product (card or token) is something you have, and it is combined with a user-selected PIN, something you know. With proper security controls in place to verify the identity of the user before smart card issuance and certificate provisioning, there is assurance that only the legitimate user is the one accessing the corporate network and sensitive data.
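The login flow behind that paragraph, as an added example that is not Protiva or Gemalto code: a corporate CA issues a user certificate, the relying party sends a fresh nonce, the card signs it with a key that never leaves the card, and the server accepts only if the certificate chains to the corporate CA and the signature verifies, then records an audit entry. The CA, the user certificate and the "card" (a function holding the key) are constructed in memory for the example; the PIN check that gates signing on a real card is not modeled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mintCert issues an Ed25519 client-authentication certificate. A nil issuer produces the
// self-signed corporate root CA; otherwise the certificate is signed by that issuer.
func mintCert(cn string, issuer *x509.Certificate, issuerKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if issuer == nil { // root CA: may sign certificates, and signs itself
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		issuer, issuerKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// signChallenge stands in for the smart card: after PIN entry (not modeled here) it signs
// the server's nonce on-card, so the private key is never exposed to the workstation.
func signChallenge(cardKey ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(cardKey, nonce)
}

// authenticate is the relying party's check: the presented certificate must chain to the
// corporate CA with the client-auth usage, and the signature must prove possession of the
// matching private key. The returned string is the audit-trail entry for a successful login.
func authenticate(roots *x509.CertPool, cert *x509.Certificate, nonce, sig []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, nonce, sig) {
		return "", fmt.Errorf("proof of possession failed for %q", cert.Subject.CommonName)
	}
	return fmt.Sprintf("AUTH OK subject=%q serial=%d", cert.Subject.CommonName, cert.SerialNumber), nil
}
```

The nonce must be generated fresh by the server for every attempt; a signature captured from one login is then useless for the next, and a certificate from any issuer outside the corporate root pool is rejected before the signature is even examined.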

Once a certificate-based identity solution has been deployed, there are several additional security features that can be added. Some of the notable features include:

  • Email Encryption – Ensure the security of sensitive information sent through email. Leveraging the cryptographic process within the smart card deployment, email is encrypted and can only be decrypted by the intended recipient – keeping your email safe from prying eyes.

  • Digital Signature – Using the Internet for business processes is cheaper and faster but these savings can be negated by having to rely on “wet” signatures for validation and approval. Digital Signatures created using Protiva smart card devices with PKI can securely authenticate virtual documents saving both time and money.

  • Mutual Authentication – As hosted applications become more prevalent, there is a need for stronger controls both for the system to authenticate the user and for the user to authenticate the system. This provides an additional layer of security to ensure that information exchanged online is secure and that the user is interacting only with the legitimate application.

Deployment choices – Microsoft infrastructure or open standards

There are two basic options when deploying a certificate-based identity solution: .NET or Java based identity credentials. Both provide a high level of assurance of the identity of the user attempting to gain logical access to the network. These smart card based products can be combined with proximity technology to provide for physical access and, with security printing processes, can serve as visual identity as well.

.NET based smart cards leverage the built-in card management capabilities in Microsoft Server and the Windows OS. This deployment requires no additional middleware for card management. Fully contained within Microsoft Forefront Identity Manager (FIM), a .NET certificate-based authentication solution is virtually plug and play. .NET Bio adds a further level of security with the addition of fingerprint match-on-card user authentication as an alternative or complement to PIN verification. This functionality is supported by the Windows Biometric Framework in Windows 7.

Java based smart cards are built using open standards to ensure interoperability with leading middleware, providing a simple and straightforward integration process. This solution was selected by the U.S. Department of Defense and is the identity card base for both the Common Access Card (CAC) used by millions of military personnel and the Personal Identity Verification (PIV) identity credential used by non-military federal agencies. Based upon the secure yet open nature of the platform, other applications have been added to this identity credential, including payment and digital wallet.

Strong authentication required

In today’s competitive business environment, where information can circumnavigate the globe in seconds, protecting sensitive information from unauthorized access should be a top concern of every company. Usernames and passwords are simply not a secure way to protect any level of information within a company. The past year has been filled with stories of companies that did not implement strong authentication, which resulted not only in a breach of sensitive information, but in the exposure of the breach to the global population. All of this should lead us to one conclusion – strong authentication is required.
