I can't find a consistent definition.
Secure Computing says,
"Strong authentication refers to systems that require multiple factors to identify users when they access private networks and applications. These authentication systems use advanced technology, such as token-generated one-time passcodes, to verify (authenticate) a user's identity."
Fermi National Labs says,
"Strong authentication is a form of computer security in which the identities of networked users, clients and servers are verified without transmitting passwords over the network."
Chris Ceppi implies two-factor and "other" forms of strong authentication:
"Users establish their identity using two factor or other forms of strong authentication and then their identity is asserted on their behalf from these strong authentication points."
So, strong authentication must offer:
- A method that is strong; more than that, it must offer a virtually undeniable proof of identity.
- Usability not only for onsite employees, but also for remote employees, business partners and customers.
- Ease of use for the users, remembering the Law of Human Integration. This is vital: if the method is difficult, users will make "cheat sheets" to get around the difficulty.
What are the options?
If we insist on tokens, it is a problem. I have a couple of bank cards and too many credit cards. As I access most of my accounts through some form of electronic access, I am often asked to provide a PIN for the bank cards. Now I do use two PINs, but if I had ten different bank cards, I would not be able to remember ten different PINs.
Likewise, as a consultant who works with many different organizations, I have many different "token" devices. Not only is it difficult to make sure these tokens are secure, but it is also getting to be a problem remembering which token is used for which organization.
Worse, some of the organizations have more than one token. Okay, many have more than one token.
So what is the answer?