Active Authentication: The Panacea of Access Control?
User authentication is an essential component of securing our electronic devices. It is the gatekeeper that enables subsequent access control and accountability mechanisms to operate successfully. Whilst technology and the way in which people use it have changed enormously, from the days of centralized mainframe computing (available to few) to a highly mobilized, personal and service-orientated approach (utilized by (almost) all), the way in which people authenticate has barely changed – with the password still the most popular technique implemented. This paper discusses the role of active authentication – a fundamentally different approach to user authentication that moves away from point-of-entry Boolean decisions and provides a real-time measure of identity assurance that can be associated with each and every access control decision. Whilst active authentication can take many forms, the paper proposes the evolution of the technique into a centralized managed service that offers the opportunity to provide highly secure, robust, multi-device and intelligent handling of every authentication decision. Taking a device-independent approach to authentication removes the need for each and every device and service to make its own authentication decision and enables it to be incorporated in a true identity assurance federation system.
Clarke NL, Li F