Two-Factor Authentication: When Passwords Aren't Enough

Select the Technology
Once you've figured out the why, what, and who, it's time to decide how to authenticate the user. One of the more common authentication options is the one time password (OTP) token. These are small devices—usually designed to fit on a keychain—that generate "pseudo-random" passwords. As the name implies, each OTP can be used only once, and each can only be used within a short time period (say, 60 seconds). Since each password is exceedingly difficult to guess, a user can effectively prove that they possess the token by entering the OTP along with their standard password when authenticating. OTP tokens can also be implemented in software and installed on smartphones or PDAs, letting some users avoid carrying an additional device.

OTP tokens have a number of advantages, mostly that they don't necessarily require any software on the client end, or hardware other than the token themselves. This makes them fairly easy and inexpensive to deploy, at least initially. It also gives users a great deal of flexibility and mobility.

A smartcard is a credit-card-sized token with an embedded chip containing a PKI certificate identifying the user. Because they rely on heavily tested cryptographic standards, smartcard solutions can be made extremely secure, and can be implemented so as to comply with the Personal Identity Verification (PIV), Common Access Card (CAC), and HSPD-12 standards for federal agency or Department of Defense use.

A USB token is essentially a smartcard built into a USB flash drive form factor. They have many of the advantages of smartcards—security, multipurpose certificates. The near ubiquity of USB ports in modern systems means that they don't require a specialized reader, making them more flexible for the end user and cheaper to implement than smartcards in many cases. USB tokens can also offer much more storage capacity.

While fingerprints are probably the most common and well-known of biometric solutions, a variety of biometric options are currently available for authentication purposes, including voice, iris, retina and facial recognition. In spite of some very compelling advantages—no tokens to lose or break, for example—biometric technologies comprise a relatively small percentage of the strong authentication market.

"There is a lot of resistance, still, to registering your fingerprint or voice," said Fran Rosch, VeriSign's vice president of Authentication Solutions. "We talk to the Bank of Americas and the eBays and the Charles Schwabs of the world, and they're just like 'Whoa. There's no way we're going there.'"

Roll It Out
It's usually a good idea to roll out most kinds of new solutions in phases, beginning with small pilot programs and expanding outward as problems are identified and addressed. Because of the importance of usability and user response to strong authentication solutions, it's not just a good idea—it's crucial. Pilot programs should work with small cross-sections of the actual user base.

"People always think, 'Oh, I'm going to pilot with the IT folks,'" according to Steven Feinstein, senior manager of corporate sales engineering at RSA. "They're probably the wrong audience, the worst audience, because they're technical and they understand all of this. You really want to put yourself in the shoes of the real end user."