Security Products

By Eric Linxwiler · August 2007

Using five-factor authentication might be the best choice in protecting your identity

IDENTITY theft is a global problem that's getting worse. More than 100 million records have been stolen in just the past two years. The cost of dealing with an enterprise corporate data breach rose this year by 30 percent to $4.8 million per incident, and payment card fraud resulting from identity theft is estimated at $60 billion per year and is growing annually.

Most security solutions available today attempt to hide the true problem of identity theft by distracting customers and users from actual security vulnerabilities. Instead, they attempt to provide security by touting the power of encryption, security of connection tunnels and safety offered by zero-footprint technologies. While these all provide a level of security that is far beyond a system running without said protections, most security companies address issues and breaches not often used by the developers of malicious programs to capture sensitive data. For example, encryption may protect hard-drive content from someone attempting to access the files without permission, but it does nothing to prevent the capture of those same files when protected data is accessed and decrypted for use by the end user.

Further, secure communication tunnels may protect the transmission of data from endpoint to endpoint, making it nearly impossible to intercept the communication as it traverses the Internet. Though some security companies do nothing to prevent the same communication from being caught by a logging application as it is sent or received.

Zero footprint applications work well to prevent information from being gathered with the use of computer forensics techniques and tools, but they do nothing to stop live, active monitoring programs from capturing the information in real time.

Simply put, there are easier ways to capture information, and the solutions in the marketplace today focus primarily on promoting security services and systems that address issues that are important, but are not the most common point of data loss. These systems do little to protect the simplest, easiest-to-exploit security gap—an end-user's computer. It would be reasonable to assume then that the problem of absolute user authentication and ultimate data protection can only truly be achieved with the complete use of encryption, communication tunneling, zero-footprint technologies and a secure, protected operating system that bypasses the innate weakness in a host computer's system.

Two is Better than One
Multi-factor authentication has served as a security cornerstone for several years; however, the leading solutions today revolve primarily around two or, at most, three factor levels. Indeed, a truly innovative approach to increasing user authentication has not advanced.

Security industry innovators are constantly striving to deliver two fundamental benefits:

• True user authentication: a near-absolute guarantee of identity verification (to a greater degree of certainty than a DNA test).

• Pervasive user data protection: totally secure storage, transport and access to personal and corporate data via any desktop or laptop by anyone, at any time and anywhere.

This combination of benefits would solve critical security issues of identity theft and data loss and would enable, for the first time, applications such as a true digital wallet containing both company employee identity data and vital consumer data, such as a Social Security card, driver license, credit cards and personal health records.

Improving Multi-Factor Authentication If the industry is going to succeed delivering these benefits, it is going to require a near paradigm shift in how multi-factor authentication is made available and delivered. Five-factor authentication is on the near term horizon as a potential solution. Industry leaders can deliver user identity verification to a level of probability equal to 323 x 1048, a number that far exceeds even DNA-based probabilities. Five-factor authentication can be achieved by using long-time accepted methodologies like usernames, passwords and unique electronic tokens, incorporating a vehicle for symbol selection—similar to the Bank of America site key concept—and adding biometric identifiers.

While the EncryptaKey solution offers five-factor authentication, user verification alone does not provide a true quantum leap for the industry in terms of protecting against the technological sophistication of attackers and hackers today. For example, new methods of attack include a Web site that has been hacked to host malicious code, an increasingly common trap on the Internet. If a user visits one of the sites with an unpatched machine, it's possible that the computer can become automatically infected with code that can record keystrokes and steal financial data typed into forms.

EncryptaKey, provider of identity protection and information security technologies, believes that a single device can meet multiple requirements and the demands of corporate employers, e-commerce consumers and casual Internet users alike and can restore the confidence and trust required to permit efficient communication and commerce.

Improving ID Technology
Industry leaders must strive to provide a secure end-user environment based on a combination of true identity verification and secure end-user computing and data exchanges. One solution could be created by plugging a five-factor authenticated USB device into the USB port on any computer connected to the Internet. This causes the computer to reboot and run from a fully protected operating system that cannot be written to, thus creating a secure environment on that computer and establishing a secure connection with the server and with any authorized agents on third-party servers.

Functionality such as this allows users of the mobile communication device to conduct online data transactions and access, view and transmit sensitive personal or corporate data with complete confidence.

About the author

Eric Linxwiler
Eric Linxwiler is the executive vice president of business development at EncryptaKey.