Brand Protection Council: Your Real Source for Intellectual Property

New Solutions for Two-Factor Authentication


 

 

With identity fraud and phishing out of control – and with tougher industry standards and laws to comply with – the user name and password system is not enough to meet security requirements. Thankfully, there are lots of new technological options out there.

Recent studies show that identity fraud claimed at least 8.4 million adult victims in the US alone in 2007 and that the total one-year fraud amount was $49.3 billion. Meanwhile, a study by Gartner reveals that 57 million Internet users in the US have received a phishing email, and 1.7 million of these have fallen victim to the scam. And recent reports from anti-phishing have uncovered a major spike in the number of hijacked brands, unique phishing websites, and URLs due to one particular brand getting phished more than usual. Financial services continue to be the most targeted sector.

 

Should the Identity Theft Enforcement and Restitution Act (ITERAct) of 2007, which passed the Senate by unanimous consent, be enacted as law, it will amend Title 18 of the US Code to address conspiracy to commit what our Congress terms “cybercrime”. This will close loopholes in current law against extortion, give victims of identity theft increased ability to seek restitution, and specifically address the phenomenon of botnets. However, an article in the Tech Republic blog quoted Tim Bennett, the president of the CSIA (Cyber Security Industry Alliance), as saying, “This cybercrime bill is an integral part of the cybercrime fight, but it is also imperative that this Congress address through legislation other aspects of the problem, such as data security, to prevent criminals from getting sensitive personal information in the first place.”

 

Bottom line, if you can’t fight it with legislation, you must fight it with technology. Today, businesses are increasingly relying on two-factor authentication, a system wherein two different methods are used to authenticate or verify a person’s identity for security purposes. Using two factors as opposed to one delivers a higher level of authentication assurance. Here are some of the new technologies in the market today.

 

CRYPTOCard, the leading authentication technology developer for heterogeneous environments, provides resellers with the flexible and robust solutions required to help healthcare organizations achieve Health Insurance Portability and Accountability Act (HIPAA) compliance. CRYPTOCard's two-factor authentication technology enables resellers to tailor identity management to a customer's security policies rather than having to change the security policy to accommodate the technology. Its KT-1 keychain token positively authenticates remote laptop users, while its SC-1 smart card is utilized by office staff for both HID door access and desktop authentication - ensuring that strict HIPAA security requirements are met.

RSA SecurID® two-factor authentication is based on something you know (a password or PIN) and something you have (an authenticator)—providing a much more reliable level of user authentication than reusable passwords.
RSA SecurID authentication offers a unique, time-synchronous solution that automatically changes the user’s password every 60 seconds. This makes it more secure than event-synchronous systems with passwords that can be valid for an indefinite period of time and easier to use than challenge-response systems that require multiple steps to generate a valid code.

 

Entrust delivers two-factor authentication solutions using the Entrust IdentityGuard and Entrust USB Tokens.

 

The IdentityGuard, a two-factor authentication solution that is stronger and less expensive than competing solutions, can be used with existing usernames and passwords for online identity theft protection or integrated with Microsoft Windows for secure desktop and network login.

 

Based on a collaboration with SafeNet to distribute SafeNet iKey 2032 tokens, Entrust USB Tokens are designed to securely store an individual's digital identity (digital ID), specifically their Entrust digital certificates and keys. These portable tokens plug into a computer's USB port either directly or using a USB extension cable. When users attempt to log in to applications via the desktop, VPN/WLAN or Web portal, they will be prompted to enter their unique PIN number. If the entered PIN number matches the PIN within the Entrust USB Token, the appropriate digital credentials are passed to the network and access is granted. PIN numbers stored on the token are encrypted for added security.

 

Another two-factor solution is COMODO’s S.A.F.E. (Secure & Authentic Financial Engagements). In this highly secure solution, a server application and PKI service automatically issue and manage Client Digital Certificates for financial institutions to authenticate the user – a system that provides ease of customer adoption, no bank-side integration, ease of configuration and low cost. The second factor is Content Verification Certificates (CVC) – Digital Certificates that protect content so the user can irrefutably authenticate the financial institution’s legitimate website.

 

In an article in Network World, writer Neal Weinberg examines even newer technologies. Among them:

 

Secure Computing's SafeWord provides proof-positive user identity for all types of remote access systems. With tokens that generate new pass codes for each user login, SafeWord allows you to easily and cost-effectively eliminate the password risk.

 

VeriSign’s One-Time Password Token supports either a time-based algorithm or an event-based algorithm, depending on your business and security needs, and issues a new numeric password every thirty seconds. It is available for customization and can carry your corporate logo, branding, and custom colors to suit your business.

 

Creative approaches to two-factor authentication also abound, including Positive Network’s Phone Factor feature in which users dial up a designated phone number when trying to log in. Users key in a particular number or letter or a PIN. If they do so successfully, Phone Factor then triggers access to the network or application they are trying to use.

With ever more sophisticated scammers trying to worm into your site, it just might be time to put your user name/password system to rest and give all these state-of-the-art technologies a try.

 
