How secure are application service providers (ASPs) — and is too much of that answer riding on customers’ usernames and passwords? A recent survey by organizers of the Infosecurity Europe conference showed that 90 percent of office workers would reveal their passwords to a stranger — in this case, an interviewer at Waterloo Station in London.
As it turns out, an ASP’s own customers may in fact present a risk to subscription service providers, because they (and/or their employees) can all too easily abuse password sharing.
According to industry analyst firm Ovum Holway, the ASP model can reduce customers’ IT costs by 10 to 40 percent. Given that statistic, one might consider whether it is fair, when a license allows for, say, 50 users, that some licensed users are sharing passwords to the extent that 150 users could be accessing the “rented” software. As ASP leaders look to the future, they will be working to strengthen this area of vulnerability, which currently translates into lost revenue.
New technologies indicate it might not be long before software and hardware providers join forces to protect subscriptions through an alternative to passwords: biometrics.
Industry Support for Fighting Password Abuse?
The Business Software Alliance (BSA) supports ASPs as software providers but does not specifically single out password-sharing as a problematic practice. Even so, sharing of a password that provides access to a Web-hosted program is not much different from what the BSA defines as piracy, such as installing an unauthorized copy of a program on a centralized server. When an employee shares a password, after all, a user other than the licensed one plans unauthorized access.
Because there are now better ways of authenticating user passwords (which can protect users and their employers from even accidental “slips” in password abuse), software industry associations could encourage enterprise users to be aware of and protect themselves from the risks of password abuse. Furthermore, elevating password abuse to a fine-worthy trespass also could make those risks more real to employers and users.
Biometrics: From Kiosks to Web-Services Management
Biometrics already provides ideal authentication for subscription services in a few isolated instances. For example, a financial services subscription provider has made fingerprint biometrics a component of its hundreds of thousands of terminals used by analysts signing on to access its real-time financial news, market data and analysis. The company views this strategic use of biometrics as such a competitive advantage that it prefers to keep the news under wraps.
Many other companies also are taking steps to improve authentication and thereby protect personal data, network data and physical property. Here are a few examples:
- Tatung’s biometrically enabled tablet PC, the Tangy 910, is distributed mainly to workers in the healthcare and education sectors, where protection of sensitive records has become a privacy imperative.
- Samsung last year launched the first notebook PC built on Intel’s Centrino technology that sports a biometric fingerprint sensor.
- Memory Experts International, a developer of portable USB memory devices — which can be used to store extremely valuable data, such as corporate intellectual capital — has installed a fingerprint sensor on its ClipDriveBio device.
- Fellowes, a prominent name in the mobile laptop accessory market, has introduced its SecureTouch USB optical mouse, the first such product to hit retail shelves with an integrated fingerprint sensor.
- APC recently has developed a password management device that uses a fingerprint sensor, allowing users to forget their multitude of usernames and passwords — at a $50 price point.
Companies that are serious about curbing abuse of their ASP subscriptions could easily solve the problem by outfitting their desktop hardware with biometrically enabled peripherals. However, most firms probably will wait for software industry associations to get more serious about this issue — and for a few ASP users to get slapped with fines for password abuse, in much the same way that companies didn’t get serious about software piracy until their contemporaries were fined.
What the ASP Can Do Today
ASPs might consider protecting the integrity of their subscriptions by bundling fingerprint-sensor hardware together with the subscription. In other words, the ASP could send a biometrically enabled password manager to all desktops. Alternately, ASPs could offer a reduction in the fee for password maintenance support to customers that can show use of authentication devices on all desktops. This could be a money-saving scenario for both the ASP and the user: Forrester Research estimates the annual cost for password administration per user is between $340 and $800.
ASPs also could educate customers on the security benefits of biometrics solutions, such as helping customers to better protect their Web-hosted data.
Biometrics technology is coming to desktops for a variety of reasons. But what better reason, ASPs might now ask themselves, than to improve management of user licenses — and the bottom line?
Steve Mansfield is Vice President of Marketing at AuthenTec, Inc., a leading provider of semiconductor fingerprint sensors.