Cost vs. Security
If you just look at authentication, and you ignore hardware-based solutions and look at cost (where cost means the hard dollar cost per user that an organziation will have to pay including help desk, user education, systems integration, operating costs, fees, etc.) plotted against the level of security required, my intuition is that the tradeoffs look roughly like this:
3 Comments »
RSS feed for comments on this post. TrackBack URI
Leave a comment
Line and paragraph breaks automatic, e-mail address never displayed, HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>
i would love to see Google (specifically Google Apps Premier Edition) become an OpenID provider with StrongAuth for enterprises.
[Reply]
paul Reply:
June 23rd, 2010 at 1:16 pm
By StrongAuth do you mean http://www.strongauth.com/ ?
[Reply]
Comment by Saqib Ali — June 22, 2010 @ 10:49 pm
(1) Why are client certificates no more secure than I-cards? If a transaction requires a signature (or the lasting binding of authority information) then certificates are uniquely more secure than any other option.
If the I-card can create a signature, then I guess it has a certificate under the covers. In which case I would not expect the certficate to be more costly.
(2) I’d like to know if your cost estimates include the consequential costs associated with breaking down silos when an I-card issued in one domain is recognised in another. The hidden and usually fatal cost in federated ID systems (or reduced sign on systems) comes from the legal and risk analysis needed firstly by credential issuers when faced with unexpected uses for their credentials, and secondly by relying parties when faced with accepting credentials they have less control over.
[Reply]
Comment by Stephen Wilson — August 16, 2010 @ 10:42 pm