Over the years we have written a number of secure web systems for clients that require client user authentication. The technically ideal pattern for this is a "Multi-Factor Authentication" (MFA) model, which requires that the system interrogate the user on login for:
A system's authentication process needs to validate these factors before authorising further system access to a user.
In practice, the costs of developing and supporting a solution that covers all of these factors soon make the operational process prohibitive for some businesses: for example, the distribution costs of hardware (tokens, smart cards or biometric readers), or the logistical costs of the biometric enrolment process. Support costs must also be assessed, as there will unquestionably be an increase in support calls due to technical issues and to dealing with understandably confused (non-technical) customers. These costs are often either under-estimated or not taken into account at all during system design.
The management of client certificates is complex and therefore expensive as:
User certificates can work well, but they do so at the expense of a multitude of implementation and deployment issues, which make them expensive and inherently unstable because of the inevitable involvement of multiple third-party systems.
Simple password-based authentication is easy to integrate just about everywhere and remains within reach of SME budgets, provided users are encouraged to use sensible passwords that are complex enough to resist being guessed or cracked but easy enough to remember. These systems are cheaper and easier to implement, are insulated from technical platform and third-party software changes, and are easier for the average user to understand and manage.
When faced with the choice of whether to implement user certificates, a serious cost/benefit review should take place. A good and thorough understanding of the development, support, licencing and hardware costs involved is imperative during the solution design stages of product development.