Two-Factor Authentication: When Passwords Aren't Enough

Define the Business Need
Just like any other effective IT solution, everything about a two-factor authentication system should be geared toward meeting a specific, identified business need. Given the variety of options available when building these solutions and the number of systems and functions they can touch, however, a clear definition of that business need often ends up lost in the shuffle. A solution originally intended to reduce costs by allowing for single sign-on can easily end up increasing those costs if the focus shifts to maximizing security. More subtle distinctions—for example, between securing existing network functionality and allowing new capabilities that would otherwise be too risky—are even more easily lost.

"It all starts with business," noted Shlomi Yanai, vice president of Aladdin Knowledge Systems' eToken Business Unit. "Nobody buys strong authentication because he wants to buy security. He does it because he wants to increase efficiency, reduce costs, comply with regulations. It's all business drivers."

This definition process is crucial for ensuring not only clear communication between the solution provider and the customer, but also a consensus among the appropriate decision-makers within the client organization.

"You need to uncover who's controlling the security policies, and you need to do that up front," according to Chris Clinton, RSA's Director of Worldwide Channels. "A lot of times the helpdesk guys will say, 'We really need two-factor authentication,' but that may not necessarily be tied to the overall security policies. A partner could get caught up in a cycle that doesn't allow them to see the longer-term strategy."

Define the Application Set
The size and complexity of a strong authentication solution is determined, to a large extent, by the applications. A solution intended to allow users to authenticate a local network logon from within a perimeter, for example, may look very different from one intended only to secure a VPN connection, which in turn may look very different from one that secures local access to a specific machine or a full disk encryption deployment.

"It's great to say that you want to do two-factor for everything, but in IT that's never really a sufficient answer," noted Eugene Ng, vice president of technical services at security solution provider NCI in Mississauga, Ontario.

The most obvious benefit of defining the set of applications to which the user will authenticate is the clarification of the different elements that must be integrated into the solution. One intended only to secure remote network access, for example, may call for a relatively simple extension to an existing VPN solution; a single-sign-on solution, however, may require integration with Active Directory and many other applications.

Moreover, the specific range of applications touched can place less obvious demands on the solution. It might make sense to do a local network access solution entirely in software, while a local notebook system logon would need not only hardware, but the capacity to authenticate with no network access at all.

Define the User Base
To a much greater degree than almost any other security solution, strong authentication has a clear and immediate impact on user interaction and workflow. As such, it's absolutely critical to have a clear understanding of the intended user base for a given solution, their expectations and their tolerance for changes in existing procedures. A small, tech-savvy workforce may have little or no problem, while a larger or less savvy one may require substantial education and support to avoid major disruptions. A consumer user base may simply refuse to use an authentication mechanism that causes even a minor inconvenience, and turn to a competitor.

Different types of users also impose different technical requirements and logistical costs on the system and the client. If the client does not directly administer the users' hardware and software, for example, the solution will have to allow for considerable flexibility; in such cases, it may make sense to avoid installing client software altogether.

Next: Select the Technology