Advantages and Disadvantages of Authentication Tools
Once organizations evaluate their different user and regulatory compliance needs, they are ready to
determine which authentication solution best meets the organization's identity management requirements.
Below is a brief summary of the pros and cons of different authentication tools and controls.
Hardware Tokens

Advantages:
- More secure to use than user IDs or passwords.
- Enhance the image of the organization by securing user credentials more effectively.
- Users don't need to remember complex passwords.
- Can be used for login and transaction authentication.

Disadvantages:
- Involves additional costs, such as the cost of the token and any replacement fees.
- Users always need to carry the token with them.
- Users need multiple tokens for multiple Web sites and devices.
- Does not protect fully from man-in-the-middle attacks (i.e., attacks where an intruder intercepts a user's session and steals the user's credentials by acting as a proxy between the user and the authentication device without the user's knowledge).
Software Tokens

Advantages:
- No need to carry any extra hardware or device.
- More secure to use than a user ID or password, and can coexist with both.
- No need to remember complex and multiple passwords.
- Can be held on multiple media, such as a hard disk, floppy disk, or flash drive.

Disadvantages:
- Requires some amount of user training.
- Deployment needs a controlled environment.
- Requires reinstallation and configuration if the operating system becomes corrupted or develops a problem.
- Needs a protected environment (e.g., should not be used from a public kiosk).
Out-of-band Authentication

Advantages:
- Can act as an additional layer of security.
- Many ways to convey out-of-band messages, such as e-mail, short message service (SMS) (e.g., text messages), or phone calls.
- Can be integrated to the user's choice (i.e., the user may opt to receive the out-of-band message).
- Users don't need to remember complex or multiple passwords.

Disadvantages:
- Recurring expense of SMS or telephone calls.
- Risk of unauthorized access to and interception of messages.
- Limited coverage and low security.
- Susceptible to man-in-the-middle attacks.
Digital Certificates on Smart Cards and USB Tokens

Advantages:
- More secure to use than the normal user ID or password.
- A third-party certifying authority authenticates and distributes the digital certificates, thus helping to increase user trust.
- Can take care of non-repudiation (i.e., prevents a user from denying an action after the fact). For instance, once someone uses a digital certificate and private key, the user cannot deny the action, because the private key resides with the user only.
- Difficult for non-authorized users to extract the private key when it is stored on a smart card.

Disadvantages:
- Requires users to carry an additional smart card reading device or USB token so that they can log in.
- Involves additional cost, such as the certifying authority's subscription cost for issuing the digital certificates.
- Needs multiple certificates for different sites or devices.
- Requires user training for certificate generation and use.
Biometrics

Advantages:
- Can be used for accessing high-security systems and sites.
- Takes care of non-repudiation because biometric factors are specific to the user only.
- Different options are available, such as fingerprint, iris, or retina scanner authentication.
- Difficult to compromise.

Disadvantages:
- Involves additional hardware costs, such as scanners.
- Involves cost for support and maintenance.
- High deployment costs.
- May not be suitable for mass-consumer deployment.
Challenge Response

Advantages:
- Simple method that can be used with text and graphics, in which the authentication system randomly sends a pre-recorded question to which the user provides a response.
- Offers more security than a user ID or password.
- The types of questions used for the challenge response can be pre-determined.
- No need to carry any extra device, such as hardware, to authenticate into the system.

Disadvantages:
- Low security against man-in-the-middle attacks.
- Higher customer support cost, because users often forget the correct answer to a challenge response question and must ask the help desk to unlock their user ID before they can authenticate into the system.
- Users need to remember multiple pieces of information, such as the answers to multiple secret questions.
Besides paying attention to the different advantages and disadvantages listed above, auditors should
recommend that senior and IT managers consider the tool's ease of use, integration with the existing
software platform, the company's product architecture, the security of the tool (e.g., the strength of the
algorithm used), vendor support, cost, and future flexibility before deciding which tool to implement.