Two-Factor Authentication: When Passwords Aren't Enough

When you boil it down to basics, there are three ways to authenticate someone: something they know, something they have, or something they are. "Something they know"—also known as a password—will almost always be the first of the factors in a two-factor authentication solution. Most strong authentication business solutions rely on "things they have"—hardware tokens or software PKI certificates offered by vendors like RSA, VeriSign, Aladdin and CRYPTOcard. "Things they are," biometric solutions, include fingerprint, voice, face and iris recognition. Collectively, biometric technologies represent a small but growing percentage of strong authentication deployments; significant vendors include Bioscrypt, BioPassword, DigitalPersona, L-1 Identity Solutions, LG Electronics and NEC.

When PC maker Lenovo last year introduced built-in fingerprint scanners in ThinkPads, it brought into the mainstream a strong authentication option that once seemed unobtainable for most businesses. While still not the type of technology that's being embraced throughout the market, two-factor authentication is gathering steam, and finding its way into the conversation between solution providers and their customers.

"It is a growing area, particularly in health care and especially when a system has to be in a completely secure environment," said Sami Siddiqi, CEO of Zezan Data Center, a Naperville, Ill.-based solution provider. Siddiqi said he is delivering two-factor authentication solutions particularly to small and midsize customers in all aspects of their IT that reach well beyond the laptop. Siddiqi said a number of his clients are opting for this now because it's much more affordable than in the past, and compliance is more stringent.

Next: Define the Business Need

Define the Business Need
Just like any other effective IT solution, everything about a two-factor authentication system should be geared toward meeting a specific, identified business need. Given the variety of options available when building these solutions and the number of systems and functions they can touch, however, a clear definition of that business need often ends up lost in the shuffle. A solution originally intended to reduce costs by allowing for single sign-on can easily end up increasing those costs if the focus shifts to maximizing security. More subtle distinctions—for example, between securing existing network functionality and allowing new capabilities that would otherwise be too risky—are even more easily lost.

"It all starts with business," noted Shlomi Yanai, vice president of Aladdin Knowledge Systems' eToken Business Unit. "Nobody buys strong authentication because he wants to buy security. He does it because he wants to increase efficiency, reduce costs, comply with regulations. It's all business drivers."

This definition process is crucial for ensuring not only clear communication between the solution provider and the customer, but also a consensus among the appropriate decision-makers within the client organization.

"You need to uncover who's controlling the security policies, and you need to do that up front," according to Chris Clinton, RSA's Director of Worldwide Channels. "A lot of times the helpdesk guys will say, 'We really need two-factor authentication,' but that may not necessarily be tied to the overall security policies. A partner could get caught up in a cycle that doesn't allow them to see the longer-term strategy."

Define the Application Set
The size and complexity of a strong authentication solution is determined, to a large extent, by the applications. A solution intended to allow users to authenticate a local network logon from within a perimeter, for example, may look very different from one intended only to secure a VPN connection, which in turn may look very different from one that secures local access to a specific machine or a full disk encryption deployment.

"It's great to say that you want to do two-factor for everything, but in IT that's never really a sufficient answer," noted Eugene Ng, vice president of technical services at security solution provider NCI in Mississauga, Ontario.

The most obvious benefit of defining the set of applications to which the user will authenticate is the clarification of the different elements that must be integrated into the solution. One intended only to secure remote network access, for example, may call for a relatively simple extension to an existing VPN solution; a single-sign-on solution, however, may require integration with Active Directory and many other applications.

Moreover, the specific range of applications touched can place less obvious demands on the solution. It might make sense to do a local network access solution entirely in software, while a local notebook system logon would need not only hardware, but the capacity to authenticate with no network access at all.

Define the User Base
To a much greater degree than almost any other security solution, strong authentication has a clear and immediate impact on user interaction and workflow. As such, it's absolutely critical to have a clear understanding of the intended user base for a given solution, their expectations and their tolerance for changes in existing procedures. A small, tech-savvy workforce may have little or no problem, while a larger or less savvy one may require substantial education and support to avoid major disruptions. A consumer user base may simply refuse to use an authentication mechanism that causes even a minor inconvenience, and turn to a competitor.

Different types of users also impose different technical requirements and logistical costs on the system and the client. If the client does not directly administer the users' hardware and software, for example, the solution will have to allow for considerable flexibility; in such cases, it may make sense to avoid installing client software altogether.

Next: Select the Technology

Select the Technology
Once you've figured out the why, what, and who, it's time to decide how to authenticate the user. One of the more common authentication options is the one time password (OTP) token. These are small devices—usually designed to fit on a keychain—that generate "pseudo-random" passwords. As the name implies, each OTP can be used only once, and each can only be used within a short time period (say, 60 seconds). Since each password is exceedingly difficult to guess, a user can effectively prove that they possess the token by entering the OTP along with their standard password when authenticating. OTP tokens can also be implemented in software and installed on smartphones or PDAs, letting some users avoid carrying an additional device.

OTP tokens have a number of advantages, mostly that they don't necessarily require any software on the client end, or hardware other than the token themselves. This makes them fairly easy and inexpensive to deploy, at least initially. It also gives users a great deal of flexibility and mobility.

A smartcard is a credit-card-sized token with an embedded chip containing a PKI certificate identifying the user. Because they rely on heavily tested cryptographic standards, smartcard solutions can be made extremely secure, and can be implemented so as to comply with the Personal Identity Verification (PIV), Common Access Card (CAC), and HSPD-12 standards for federal agency or Department of Defense use.

A USB token is essentially a smartcard built into a USB flash drive form factor. They have many of the advantages of smartcards—security, multipurpose certificates. The near ubiquity of USB ports in modern systems means that they don't require a specialized reader, making them more flexible for the end user and cheaper to implement than smartcards in many cases. USB tokens can also offer much more storage capacity.

While fingerprints are probably the most common and well-known of biometric solutions, a variety of biometric options are currently available for authentication purposes, including voice, iris, retina and facial recognition. In spite of some very compelling advantages—no tokens to lose or break, for example—biometric technologies comprise a relatively small percentage of the strong authentication market.

"There is a lot of resistance, still, to registering your fingerprint or voice," said Fran Rosch, VeriSign's vice president of Authentication Solutions. "We talk to the Bank of Americas and the eBays and the Charles Schwabs of the world, and they're just like 'Whoa. There's no way we're going there.'"

Roll It Out
It's usually a good idea to roll out most kinds of new solutions in phases, beginning with small pilot programs and expanding outward as problems are identified and addressed. Because of the importance of usability and user response to strong authentication solutions, it's not just a good idea—it's crucial. Pilot programs should work with small cross-sections of the actual user base.

"People always think, 'Oh, I'm going to pilot with the IT folks,'" according to Steven Feinstein, senior manager of corporate sales engineering at RSA. "They're probably the wrong audience, the worst audience, because they're technical and they understand all of this. You really want to put yourself in the shoes of the real end user."