A few months ago, a Reg Reader study told us that sorting out the user authentication and identity management challenge was pretty high on the list of IT priorities, especially for larger organisations. From this study, we learned that two thirds of enterprises were suffering from a proliferation of sign-on mechanisms, with …
Biometrics my ****
I think we all know the stunning fallibility of biometric technologies and their witless merchants - all now over-funded to aid the war on terror, and all achieving fairly similar results.
So we're back to single sign-on. A nice idea, fundamentally flawed without tiered access and multi-factor authentication. Agreed, multi-factor authentication is a pain and does somewhat fly in the face of convenience, but that's life.
This is not a question of whether users can put up with multi-anything. It's whether the company requires this to be the case. I don't know about you, but our company is not run as a social or charitable exercise. We hire people, we pay them and they do as they're told. Sure, we may all dress it up into nice touchy-feely work-balance discussions and give them free vending machines and stock options. But the hard and fast is - employees do what they're told; if they don't like it they don't work here.
I strongly believe this is the major problem with security of anything electronic. Organisations work on the basis that the user is king, that productivity and convenience must not suffer. It's crap - a painful hang-over from Project Management gurus (charlatans) making far too much money by keynoting about user-centric projects and how they deliver the value. Rubbish. The user does as they're damned well told; they are a cog, nothing more and nothing less.
If you want to deliver a good secure environment - and run a project that delivers value - you start with what you want to achieve and work back. The user can be squeezed into any box you require, and the systems will run accordingly.
User convenience versus system security
One key issue that most systems ignore is that the real and living user is to be voluntarily identified, not his/her knowledge (i.e. password, etc) or belongings (i.e. card, etc).
Thus, a true authentication must include some sort of biometrics (e.g. reliable fingerprint, eye-scanning, etc.) AND some health proof (e.g. ECG) at the same time and during the whole session.
Neither of these should be obtrusive or inconvenient. Come on, inventors!
Tokens work well. We have them for our PDAs. I keep it on my key chain and it has become second nature.
Top poster has my vote. The article was written as if so many companies have to provide easy access, almost as if a social feelgood buzz is needed for people to keep interested in their workplace: make it too complex, and it's a turnoff. What about just putting up with a little bit of exertion?