The 'best' authentication technology?

I work in the field for Imprivata, working with customers day in, day out. And the single most heard question I get relating to our products is: 'which authentication technology should I use'. Fingerprint? Yeah that's good, I will never forget my finger, right? Or a prox card? Even better, because I can use that to open doors, pay at the lunch cashier, and so forth. Nah - maybe a smartcard is better. Or a one-time-password token. Or ...

And then the discussion usually derails. It's hard to choose a strong authentication token. There is so much choice. And it can cost a *lot* of budget to acquire and implement. So let's think about this for a while? What is the 'best' authentication technique? Is there such a thing?

Of all of the suggestions I made above, none of them is ideal. All of them have pros and cons, and really, all of them have very different characteristics. In my mind, there are three/four things to ask yourself when choosing an authentication technique:

  1. Does it meet your security objectives? Is the tool as secure as you want it to be? Can you use if for other security initiatives (eg. encryption, pre-boot auth...)? Does it feature login AND logout functionality?
  2. Does it meet your productivity objectives? Does it work as fast and as reliably as you want it to, always?
  3. Does it fit into your budget? Anything is possible - but it all comes at a price...
  4. Most importantly (in my opinion): will your users ACCEPT it. At the end of the day, any authentication tool can be compromised, on purpose or by accident. But the likelihood that it will be compromised really depends on how well your users will take care of it. If they leave their token lingering around, with a small piece of sticker tape glued to it with the pin code on it, then what have you really achieved? User Acceptance is everything.

Therefore, my recommendation to my customers always is to test and retest any authentication technology, at a small yet significant scale, and to get the end-user buy-in before you roll out any authentication technology to your users. And luckily for you, Imprivata OneSign has built-in support for almost any type of authentication technique out there. That's just another reason why OneSign stands out - it allows you the freedom of choice among authentication technologies, it allows you the one that matches your organisation, not the reverse.