While it might seem fairly visible in today’s world why authentication measures should meet this standard, there is some expense to incorporate the practice. Alternatively, most private sector businesses still use single-factor (User, password) or non x.509 (Web of Trust a.k.a WoT) dual-factor authentication.
The idea of the Public Key Infrastructure (PKI) was formulated to delivery an authentication protocol that could provide two-factor authentication seamlessly and efficiently and deliver identity surety. Enter the x.509 certificate. This certification signature is connected to the most vetted government, military, and contractor support personnel by way of an identification which enumerates the individual through in-person biometrics and identifying vital statistics verified by a Trusted Agent (TA) by proxy for and delivered the Registration Authority (RA). Upon issuance the individual can be given access to specific resources via the associated certificate and personally established pin. While it might seem fairly visible in today’s world why authentication measures should meet this standard, there is some expense to incorporate the practice. Alternatively, most private sector businesses still use single-factor (User, password) or non x.509 (Web of Trust a.k.a WoT) dual-factor authentication. While this may seem to be adequate security, it hardly does anything to solidly identify who is behind the keyboard. Most of us understand how simple username and password (something you know / single-factor) can be hacked. It come as a bit of a surprise that (dual-factor /something you know and something you have) can also be hacked fairly easily by an experienced hacker. Hence, the move to x.509 PKI infrastructure mandated by the Federal Public Key Infrastructure Policy Authority (FPKIPA).
As mentioned previously, budgetary constraint can restrict the ability to provide this level of security. Additionally, not all data holds as much significance or sensitivity to require such a level of authentication. But it is clearly important to protect personally identifiable information (PII) and personal health information (PHI). However, many organizations fail to realize the importance to deliver this level of security to data protected within their boundary. And even as this introduces security through access management many other avenues of exploitation are still relevant. Accepting the risk for less sensitive data may not seem detrimental, but allowing the PII and or PHI of others that you are expected to protect fall below the benchmark of authentication is a disservice to your customer and potentially a huge problem to their way of life. When you hold humanity and the potential consequences to that humanity in the confines or your data it is your duty to protect that which is stored, transmitted, or processed. So the question is to use x.509 of not to? Ethics or Profit?