Multi-Factor Authentication: Building the Case for Change
By Jared Pfost

For some time now, evidence has been stacking up to validate security experts’ warnings about the dangers of protecting computer accounts with weak passwords. Unfortunately, simply adding complexity to existing passwords isn’t what the experts have in mind when it comes to mitigating risk to important IT assets. By themselves, even the strongest passwords cannot properly protect an account from intrusion: a password that is stolen rather than guessed is no safer for being long.

Today’s threat landscape poses many dangers for businesses that still protect access to their most critical assets with only the antiquated combination of username and password. There are myriad ways to obtain a password from an organization’s users, leaving gaping holes behind a false sense of security. You’re already familiar with the usual suspects of password compromise: malware, social engineering, and the users themselves.

Attackers have developed many stealthy tools, such as keystroke loggers and Trojan horses, to harvest passwords from the machines they infect. Low-tech criminals achieve the same end through social engineering, sometimes as simply as picking up the phone and posing as a tech-support representative. And insiders can often obtain co-workers’ passwords with little effort, by eavesdropping, glancing at sticky notes, or through outright password sharing.

According to a recent study done by Trusted Strategies, more than 84 percent of network attacks reported to the Department of Justice between March 1999 and February 2006 could have been prevented had the victims used additional authentication methods beyond username and passwords.

Beyond the direct customer and monetary impact of a malicious breach, organizations that rely on username and password alone also put at risk the chain of custody and integrity of their financial records and other sensitive documents. Those phrases send chills down the spines of even the most confident Chief Financial Officers in the world of Sarbanes-Oxley and other regulations governing data integrity and security.

Organizations Slow to Adopt Multifactor Authentication
The evidence that organizations should require multiple factors of authentication for access to network assets is overwhelming. In spite of these facts, and even though many organizations are starting to be prodded by regulators, for example through the Federal Financial Institutions Examination Council’s guidance on strong authentication for online banking, uptake is still slow. If the motivation and benefits of adopting strong authentication are clear, why aren’t more companies stepping up to mitigate authentication risk?

One of the biggest stumbling blocks to faster acceptance has been the multi-factor authentication technology itself. While a range of multifactor authentication products exists, many are expensive and unwieldy to deploy, and they commonly require users to change their sign-in behavior in drastic ways. Any IT project is a tough sell; good luck with one that is expensive and creates headaches for users and support staff alike.

For example, one of the best-known methods of multifactor authentication on the market today is the hardware-based USB token. This class of product requires an organization to provide each of its users with a physical token, which must then be plugged into the machine when a user wishes to sign in.

Not only must the organization pay for the infrastructure and software to support this method, it must also buy tokens and any replacements when the inevitable happens and users lose them. Users must have physical possession of the token no matter when or where they want to get work done. The situation gets even uglier for large, fragmented organizations that have not yet migrated to a single sign-on arrangement. High-level users with permission to enter multiple systems requiring strong authentication might even be required to carry more than one token in order to access all of the resources they need.

Worst of all, should a token be stolen by someone who knows the user’s login credentials, or who can read credentials that in many cases are etched on the token itself, the organization is still exposed to account abuse. This risk illustrates the need to authenticate the user, rather than a security device that may be lost, stolen, or counterfeited.

Finding the Best Solution
Luckily there are alternatives to these first-generation multifactor authentication products. Ideally, organizations searching for a product to bolster their sign-in methods should look for a solution that balances cost, usability and security.

From a cost perspective, there are a number of TCO issues to think about beyond the product cost. Chief among these is the cost of deployment, especially the cost of the necessary infrastructure to support the product. Similarly important is the cost of maintenance and administration. If a product is easier to deploy and maintain, the savings on the back end can be significant.

Usability is obviously a critical concern for users and support organizations. Logging into system resources is a universal fact of life for all of an enterprise’s users, whether employees, partners or customers. Most of these people are not technophiles living on the cutting edge, nor would they want to be. Clearly, then, there is a strong need for a solution that requires little technical jargon, is as transparent as possible, and is easy to use.

In order to ensure the best user experience, businesses should consider the portability of the solution and how much users will need to change their sign-on behavior to use it. Some solutions, such as tokens and smart cards, offer good portability but are so intrusive that the likelihood of user pushback is high. Other solutions such as built-in fingerprint readers are easy-to-use but are tied to a specific machine.

Finally, a great deal of attention must be paid to the actual level of security the product provides. Are there known risks in using it? For example, some token products may store keys in plain text on the computer’s drive, where a savvy user can find ID and PIN information. Just as important, when users lose their token, how secure is the exception process for logging on? A fallback that accepts username and password alone, or a help-desk reset that asks only easily researched questions, quietly reduces the whole system to a single factor.

Some organizations may be willing to take on the risk of such a scenario given their cost concerns and logistical situations. However, it’s better to be aware of the risks beforehand than to be potentially blindsided should they rear their heads after a solution has been installed.

Evaluating Asset Value and Risks
Another reason some organizations believe that a multifactor authentication solution is out of reach is because they are thinking of the staggering total cost of rolling out the solution on all of their systems at once. However, this kind of sweeping deployment might not be necessary.

Instead, enterprises should match the level of authentication to the assets being protected and to the consequences should those assets be compromised. To scope a multifactor authentication deployment sensibly, an organization should begin with a tried-and-true risk assessment. Every IT project, and especially a security-related one, should be defined in the context of the business.

This process involves performing an evaluation of the systems and information most critical to the business. Systems critical to business operations and sensitive databases containing high-value intellectual property or financial records must both be assessed. It’s straightforward to develop a ranking system to aggregate these assets into high, medium and low priorities. From there, the organization should be able to take the high and medium priority systems and evaluate the risk of account abuse. What would the business impact be if an account was breached? What is the likelihood of this happening, has it happened before? How many users are permitted to access these systems?

Working through this risk assessment will help business leaders form targeted strategies to address the most immediate needs for improved authentication. Doing so will better allow them to come up with a graduated timetable for a long-term rollout of multifactor authentication. Those systems that have the highest value and are at the most risk should be protected first. In this way, IT managers can begin solving the problem right away without blowing their entire budget or alienating their user base.
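The following Python script is an added illustration of the assessment and phasing process described above; it is not code from the article or from BioPassword. The asset inventory, the 1-3 impact and likelihood scale, the tier thresholds, and the per-user cost and phase budget figures are all constructed assumptions that a real assessment would replace with its own numbers. It scores each system as impact times likelihood (with a prior incident raising likelihood), buckets the result into high, medium and low, and then packs the high- and medium-tier systems into budget-limited rollout phases in descending risk order, deferring the low tier to the end.

```python
"""Risk-based prioritisation of a multi-factor authentication rollout.

Added example; not code from the original article or from BioPassword.
The inventory, the 1-3 scale, the tier thresholds and the cost figures are
constructed assumptions for illustration only.
"""
from dataclasses import dataclass

# Ordinal scale for the two questions the assessment asks of each system:
# "what would the business impact be?" and "how likely is account abuse?"
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    impact: str                   # business impact if an account on it is abused
    likelihood: str               # estimated chance of abuse
    users: int                    # accounts permitted to access the system
    prior_incident: bool = False  # "has it happened before?"


def risk_score(asset: Asset) -> int:
    """Impact x likelihood on a 1-9 scale.

    A previous incident bumps likelihood one notch (capped at 3): demonstrated
    abuse is treated as stronger evidence than an estimate.
    """
    likelihood = SCALE[asset.likelihood]
    if asset.prior_incident:
        likelihood = min(likelihood + 1, 3)
    return SCALE[asset.impact] * likelihood


def tier(asset: Asset) -> str:
    """Aggregate the score into high / medium / low priority buckets."""
    score = risk_score(asset)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def rollout_plan(assets, per_user_cost: float, phase_budget: float):
    """Build a graduated rollout: a list of phases, each a list of asset names.

    High- and medium-tier systems are taken in descending risk order, with more
    permitted users breaking ties (more accounts means more exposure), and
    packed into phases whose token/licence spend (users x per_user_cost) stays
    within phase_budget. An asset that alone exceeds the budget still gets a
    phase of its own rather than being silently dropped. Low-tier systems are
    deferred to a final phase with no budget applied.
    """
    ranked = sorted(
        (a for a in assets if tier(a) != "low"),
        key=lambda a: (-risk_score(a), -a.users, a.name),
    )
    phases, current, spent = [], [], 0.0
    for asset in ranked:
        cost = asset.users * per_user_cost
        if current and spent + cost > phase_budget:
            phases.append(current)
            current, spent = [], 0.0
        current.append(asset.name)
        spent += cost
    if current:
        phases.append(current)
    deferred = sorted(a.name for a in assets if tier(a) == "low")
    if deferred:
        phases.append(deferred)
    return phases


# Constructed inventory for illustration only.
INVENTORY = [
    Asset("erp-finance", "high", "medium", 120, prior_incident=True),
    Asset("source-repo", "high", "medium", 300),
    Asset("hr-portal", "medium", "medium", 900),
    Asset("vpn-gateway", "high", "high", 2500),
    Asset("cafeteria-menu", "low", "low", 3000),
    Asset("lab-wiki", "medium", "low", 40),
]


def assessment(assets=INVENTORY):
    """Name -> (score, tier) for every system, for the ranking report."""
    return {a.name: (risk_score(a), tier(a)) for a in assets}


if __name__ == "__main__":
    for name, (score, bucket) in sorted(assessment().items(), key=lambda kv: -kv[1][0]):
        print(f"{name:15} score={score} tier={bucket}")
    for i, phase in enumerate(rollout_plan(INVENTORY, per_user_cost=50, phase_budget=100_000), 1):
        print(f"phase {i}: {', '.join(phase)}")
```

With the constructed figures the VPN gateway lands in a phase of its own because its user base alone exceeds the phase budget, the finance system with a prior incident outranks the equally critical source repository, and the two low-tier systems are pushed to the end; swapping in real impact, likelihood and cost data changes the order, not the procedure.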

Asking the right questions: A checklist for finding the right multifactor authentication tool

Cost
How much will it cost to cover your highest value assets that are most at risk? What are the costs associated with maintenance and administration?

Ease of Deployment
How long will it take to roll out the solution? How many infrastructure changes or additions will be needed for support? What kind of training will IT staff and users require?

End-user
How portable is the tool — can it be used by mobile workers with multiple devices? Is the tool intrusive or difficult to use? What are the options when my second factor of authentication fails? How often will that occur?

Risk
How much risk does the tool mitigate? And most importantly, can the tool evolve over time as the risk climate changes?

About the Author:
Jared Pfost is Vice President of Security and Product Strategy for BioPassword.


© IMPIRE Communications, LLC All Rights Reserved.  Website designed & managed by Oculus Networks