By: Fran Howarth, Principal Analyst, Quocirca (Moved) | Published: 10th September 2009 | Copyright Quocirca © 2009
Strong, two-factor authentication in itself is nothing new. It has long been used for providing a higher level of assurance that a person accessing computer resources is who they say they are than would be provided by a username and password alone. This is because it is based on the use of an additional factor of authentication, generally something the user has in their possession, such as a security token, or something that is unique to them, such as a biometric identifier.
The most commonly used form factor is a hardware token, the majority of which generate a one-time password at the touch of a button, making it useless for anyone to try to crack that password as it is good for just one event. However, the costs of distributing and managing hardware tokens for all users and the hidden costs of administration, such as users calling the helpdesk every time a token is broken or lost, have made such deployments costly and cumbersome.
That is changing as strong authentication technologies are evolving to include a wider range of token types. Software tokens, incorporated into smartphones, smartcards or USB devices, help to reduce the costs of procuring and distributing authentication tokens and can offer additional security benefits over and above authentication. For example, smartcards can be fitted with radio frequency identification chips so that they can also function as physical access authentication mechanisms when integrated with door access control systems. And USB sticks can be equipped with encryption technologies that lock down all data at a device level so that the computer is blocked from use immediately when the USB stick is removed.
One further new development is that of software tokens for mobile phones that are pushed to users when they are needed via SMS. For many people, mobile phones are central to their personal life and are highly valued. They are also being used for an increasing range of applications, including mobile banking and payments. By providing on-demand tokens via SMS they can now be extended to be a form of identification, avoiding the need to carry an extra piece of equipment such as a token or smart card. By using these types of tokens, users can authenticate to the network any time required and from anywhere, with no requirements for installing software on the devices or management of tokens.
For any strong, two-factor authentication deployment to be successful, it requires an efficient system to automate the processes involved in deploying and managing implementations. This is done through a central management console that automates tasks such as provisioning users with accounts and credentials and that integrates with other technology controls in use in the organisation to ensure that secure access can be provided to all computing resources used. Through centralised management, much of the complexity and hidden administration costs are removed. And, by tying authentication controls into the security policies that have been set, and by reporting on all events that occur, organisations can more effectively determine that security controls are working as required.
As with types of tokens, such management systems are also evolving. Whereas management systems have to this point been provided as server-based systems managed on an organisation's premises, new cloud-based authentication management services are coming onto the market, provided on a utility subscription model. Rather than the traditional upfront purchasing of software and necessary hardware to run it on, organisations using a cloud-based service just pay for the amount that they use in a particular month, and can scale their requirement up or down as necessary. This means that strong authentication services can now be procured at lower cost, making their use affordable for even the smallest or most distributed of organisations.
The evolution does not stop there. As cloud-computing authentication services continue to develop, they will evolve into open authentication platforms, accepting authentication mechanisms from multiple vendors. This will allow an organisation to sign up to the services and then provide two-factor authentication tokens to employees, customers and suppliers that are not limited just to the specific services that they offer, but that could be used for accessing services offered by other organisations that are business partners. When combined with industry standards such as the Security Assertion Markup Language (SAML) specification developed by the OASIS Security Services Technical Committee, it will become possible for identities to be seamlessly federated among multiple service providers. The commercial attractiveness of this is that a company can offer a wide portfolio of services under a single brand, where the services are actually delivered using a white label arrangement by third parties.
The themes outlined in this article are discussed in greater detail in a new report from Quocirca, commissioned by CRYPTOCard, that is freely available for download here: The evolution of strong authentication.
Published by: IT Analysis Communications Ltd.